The Proactive Face of Cybersecurity: Certification. Legislation and Market Response from the Perspective of ITSEF

Authors

  • Elżbieta Andrukiewicz National Institute of Telecommunications, Warsaw, Poland
  • Piotr Krawiec National Institute of Telecommunications, Warsaw, Poland

DOI:

https://doi.org/10.26636/jtit.2025.FITCE2024.1984

Keywords:

Common Criteria, cybersecurity certification, EUCC, ITSEF, testing laboratory

Abstract

The first European cybersecurity certification scheme based on the Common Criteria (EUCC) specifies a number of additional requirements that Conformity Assessment Bodies (CABs) must meet in order to be technically competent to provide evaluation and certification services. The NIT testing laboratory (an IT Security Evaluation Facility, ITSEF) has developed a roadmap for meeting these requirements and obtaining the status of an authorized ITSEF able to evaluate ICT products at the "high" assurance level. The roadmap consists of three parts: an organizational part concerning the management system and two technical parts concerning evaluations. The paper presents two of its action points: the innovative approach that NIT ITSEF has taken to the integrated management system of the laboratory, chosen to achieve an optimal cost-benefit ratio, and the reliable and verifiable methodology for calculating attack potential that NIT ITSEF has used to demonstrate that the penetration tests developed and executed on an evaluated software product meet the requirements of AVA_VAN.5. Completing the roadmap will fulfill all the requirements necessary to obtain the status of an authorized ITSEF under the EUCC scheme.
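The abstract refers to a methodology for calculating attack potential against the AVA_VAN.5 threshold but does not reproduce it. The Python script below is an added worked example, not the paper's or NIT ITSEF's own method: it applies the factor tables and rating bands from the CEM annex on calculating attack potential [3], under which a TOE is resistant to attackers with High attack potential (the AVA_VAN.5 requirement) only if every identified attack needs at least 25 points. The function names and the three attack scenarios are constructed for illustration and are not taken from any evaluation report.

```python
"""Attack potential calculator following the CEM factor tables.

Added example, not the NIT ITSEF methodology from the paper. The point
values and rating bands are those of the CEM annex on calculating attack
potential; the scenarios at the bottom are constructed for illustration.
"""
import math

# Points per factor value (CEM, "Calculation of attack potential" table).
FACTORS = {
    "elapsed_time": {
        "<=1 day": 0, "<=1 week": 1, "<=2 weeks": 2, "<=1 month": 4,
        "<=2 months": 7, "<=3 months": 10, "<=4 months": 13,
        "<=5 months": 15, "<=6 months": 17, ">6 months": 19,
    },
    "expertise": {"layman": 0, "proficient": 3, "expert": 6,
                  "multiple experts": 8},
    "knowledge_of_toe": {"public": 0, "restricted": 3, "sensitive": 7,
                         "critical": 11},
    # "none" means the attack cannot be carried out at all; the CEM marks
    # it with an infinite value, modelled here with math.inf.
    "window_of_opportunity": {"unnecessary": 0, "easy": 1, "moderate": 4,
                              "difficult": 10, "none": math.inf},
    "equipment": {"standard": 0, "specialised": 4, "bespoke": 7,
                  "multiple bespoke": 9},
}

# Rating table: lower bound of the band, attack potential required to
# exploit, attack potential the TOE is resistant to, AVA_VAN component.
RATINGS = [
    (0, "Basic", "No rating", None),
    (10, "Enhanced-Basic", "Basic", "AVA_VAN.1/2"),
    (14, "Moderate", "Enhanced-Basic", "AVA_VAN.3"),
    (20, "High", "Moderate", "AVA_VAN.4"),
    (25, "Beyond High", "High", "AVA_VAN.5"),
]


def attack_points(scenario):
    """Sum the factor points of one attack scenario.

    `scenario` maps every factor name in FACTORS to one of its values.
    A missing factor or an unknown value raises instead of counting as
    zero, so an incomplete rationale cannot silently lower the rating.
    """
    missing = set(FACTORS) - set(scenario)
    if missing:
        raise ValueError(f"scenario lacks factors: {sorted(missing)}")
    return sum(FACTORS[factor][value] for factor, value in scenario.items())


def rate(points):
    """Return (attack potential required, TOE resistant to, AVA_VAN level)."""
    for lower, required, resists, component in reversed(RATINGS):
        if points >= lower:
            return required, resists, component
    raise ValueError("points must be non-negative")


def meets_ava_van5(scenarios):
    """AVA_VAN.5 verdict over all identified potential vulnerabilities.

    The TOE resists attackers with High attack potential only if every
    successful attack needs at least 25 points ("Beyond High").
    Returns (verdict, list of (name, points) that break the verdict).
    """
    failing = []
    for name, scenario in scenarios.items():
        points = attack_points(scenario)
        if points < 25:
            failing.append((name, points))
    return not failing, failing


# Constructed scenarios (hypothetical; not from any evaluation report).
SCENARIOS = {
    # Skilled single attacker, restricted design knowledge, easy access.
    "attack A": {
        "elapsed_time": "<=1 month", "expertise": "expert",
        "knowledge_of_toe": "restricted", "window_of_opportunity": "easy",
        "equipment": "standard",
    },  # 4 + 6 + 3 + 1 + 0 = 14 points
    # Team effort needing critical internals and a custom rig.
    "attack B": {
        "elapsed_time": ">6 months", "expertise": "multiple experts",
        "knowledge_of_toe": "critical", "window_of_opportunity": "difficult",
        "equipment": "bespoke",
    },  # 19 + 8 + 11 + 10 + 7 = 55 points
    # Precondition cannot be met at all: window of opportunity "none".
    "attack C": {
        "elapsed_time": "<=1 day", "expertise": "layman",
        "knowledge_of_toe": "public", "window_of_opportunity": "none",
        "equipment": "standard",
    },  # infinite: attack not feasible
}

if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        points = attack_points(scenario)
        print(f"{name}: {points} points -> {rate(points)}")
    print("AVA_VAN.5 met:", meets_ava_van5(SCENARIOS))
```

Run as-is, attack A alone breaks the AVA_VAN.5 verdict: 14 points means the attack needs only Moderate potential, so the TOE is resistant only to Enhanced-Basic attackers (AVA_VAN.3). Attack B and attack C are both "Beyond High". The practical point for an evaluator is the one the script makes explicit: the verdict is decided by the weakest rated attack, and every factor of that attack must be justified in the rationale, because a single unjustified point value moves the band.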

References

[1] European Parliament and Council, "Regulation (EU) 2019/881 of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)", 2019 (https://eur-lex.europa.eu/eli/reg/2019/881/oj).

[2] CCRA, "Common Criteria for Information Technology Security Evaluation (CC:2022)", Revision 1, November 2022 (https://www.commoncriteriaportal.org/index.cfm).

[3] CCRA, "Common Methodology for Information Technology Security Evaluation (CEM:2022)", Revision 1, November 2022 (https://www.commoncriteriaportal.org/files/ccfiles/CEM2022R1.pdf).

[4] European Commission, "Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC)", 2024 (http://data.europa.eu/eli/reg_impl/2024/482/oj).

[5] F. Bollman and K. Geyer, "Transition from National to the EUCC Scheme - BSI's Strategy for Supporting the Product Manufacturers and the ITSEFs during the Transition Phase", 2022 International Conference on the EU Cybersecurity Act, Brussels, Belgium, 2022 (https://eucyberact.org/wp-content/uploads/2022/05/S22a-GeyerK.pdf).

[6] F. Bollman and K. Geyer, "Implementation of the EUCC Scheme in Germany: First Observations and the Way Forward", International Conference on Cyber-Security & Resilience Act, Brussels, Belgium, 2024.

[7] W. Slegers, "Implementation of and Transition to EUCC", International Common Criteria Conference (ICCC'23), Washington DC, USA, 2023.

[8] ENISA, "Draft Accreditation of CBs for the EUCC Scheme", Version 1.6a, 2024 (https://certification.enisa.europa.eu/publications/draft-accreditation-cbs-eucc_en).

[9] Senior Officials Group - Information Systems Security (SOG-IS), "Mutual Recognition Arrangement (SOG-IS MRA)", 2024 (https://www.sogis.eu/uk/mra_en.html).

[10] Common Criteria Recognition Arrangement (CCRA) (https://www.commoncriteriaportal.org/).

[11] J.M. Pulido, "2023 CC Certification Report", International Common Criteria Conference (ICCC'23), Washington DC, USA, 2023.

[12] E. Andrukiewicz, "Unexpected Side Effect of the CSA - How CABs Could Demonstrate Their Competency in Information Security Area? ITSEF Use Case", International Common Criteria Conference (ICCC'21), 2021.

[13] CEN, "EN 419241-2:2019 Trustworthy Systems Supporting Server Signing - Part 2: Protection Profile for QSCD for Server Signing", 2019.

[14] ISO/IEC, "ISO/IEC 18045:2022 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation", 2022 (https://www.iso.org/standard/72889.html).

[15] French National Agency for the Security of Information Systems (ANSSI), "Procedure - Criteria for Evaluation in View of a First Level Security Certification", 2020.

[16] FIRST, "Common Vulnerability Scoring System version 4.0: Specification Document", 2024 (https://www.first.org/cvss/v4.0/specification-document).

[17] E. Andrukiewicz and P. Krawiec, "Use Case Related to the Software Product Evaluated with the Highest Attack Potential", International Common Criteria Conference (ICCC'22), Toledo, Spain, 2022.

[18] ENISA, "Application of Attack Potential to Hardware Devices with Security Boxes", Version 1.2, 2023 (https://certification.enisa.europa.eu/publications/application-attack-potential-hardware-devices-security-boxes_en).

Published

2025-02-10

Section

ARTICLES FROM THIS ISSUE

How to Cite

E. Andrukiewicz and P. Krawiec, "The Proactive Face of Cybersecurity: Certification. Legislation and Market Response from the Perspective of ITSEF", JTIT, vol. 99, no. 1, pp. 6–10, Feb. 2025, doi: 10.26636/jtit.2025.FITCE2024.1984.