What is Common Criteria Certification?
Common Criteria for Information Technology Security Evaluation (more commonly known simply as Common Criteria) is the international standard used to certify the security of computer security software solutions. In other words, it gives users and potential buyers assurance that what a vendor claims about a security product’s specifications, implementation, and evaluation is true.
Software solutions that undergo the rigorous evaluation and certification process can deliver that “next level” trust that security-conscious organizations seek. The reasons for utilizing a solution with Common Criteria certification can vary. For example, government entities such as the Department of Defense are required to purchase from the NIAP Product Compliant list. Securing solutions with Common Criteria certification is one prudent aspect to consider when comparing choices in the marketplace.
Who Grants Common Criteria Certification and on What Basis?
Certification in Common Criteria is granted by the NIAP-CCEVS (National Information Assurance Partnership-Common Criteria Evaluation and Validation Scheme). This program is sponsored and endorsed by the U.S. government to conduct security evaluations of commercial technology products.
The NIAP is a partnership between NIST (the National Institute of Standards and Technology) and the NSA (National Security Agency), both of which have broad and long-term cybersecurity experience and respect amongst industry and government entities requiring assurance for security software used.
The technical expertise within the NIAP combines to develop the stringent Common Criteria evaluation criteria for security. This expertise is respected around the world as the standard to meet. Products bearing Common Criteria certification are recognized globally as a testament of security features and capabilities.
What Software Attributes Does Common Criteria Address?
The Common Criteria evaluation examines a few primary attributes of cybersecurity products to ensure file or data protection, including security assurance, functionality, and the solution’s security architecture and design.
Additional considerations include how access control is achieved, so that only authorized users have rights, and how authentication and authorization are implemented, to ensure that these methods adequately control access rights.
The security solution’s encryption features are also assessed, along with auditing and reporting functionality, which can help organizations needing to meet compliance specifications for how all file transfer activity is recorded. Other attributes under consideration for certification include:
- How well a solution protects privacy, such as PII (personally identifiable information) and other data privacy requirements
- How secure the solution’s channels are for information coming into and out of a network
- How well the software is maintained and updated
Why Common Criteria Certification Matters to Fortra
“At Fortra, we appreciate how thoroughly the Common Criteria certification process looks at a software solution’s approach to cybersecurity. The process helps give users the internationally recognized assurance they need that the solution they are interested in or are using has been developed, tested, and maintained to deliver the highest level of security,” said Chris Bailey, Senior Product Manager, MFT, Fortra.
“When it comes to protecting your organization’s most valuable, sensitive data and files, organizations should be looking for solutions that have met these rigorous standards that can be validated by outside entities, to provide the best assurance that stated security measures are actual,” said Bailey.
What is the Common Criteria Certification Process?
Organizations, such as Fortra, reach out to the NIAP to start the certification and evaluation process for their security solutions. The evaluations of software, such as Fortra’s GoAnywhere, are carried out by independently licensed third-party labs under National Security Agency authority.
Patience is a virtue when securing certification as the comprehensive process includes several stages undertaken for at least six months, and in many cases for more than a year. These steps include:
- Filing a Security Target description that includes support documents outlining the software’s security features. It also includes an assessment of how the solution conforms to the Protection Profile of the Evaluation Assurance Level that is tested.
- Extensive deep code testing of the solution at a lab to determine if existing security requirements are met at the level that satisfies the software’s capability claims.
- Receiving certification after the evaluation stage is completed and the software is certified as having met the Certificate of Authorizing Scheme for security products. At this point a solution can be included on the NIAP Product Compliant List and receive its approved two-year certificate signed by both the NIAP and the NSA.
GoAnywhere MFT: The Only Common Criteria-Certified Secure File Transfer Solution
As the only Common Criteria-Certified secure file transfer solution in the marketplace, GoAnywhere meets the stringent data transport security requirements of the federal government. This air-tight solution can also help organizations outside this realm meet compliance regulations surrounding file transfer and data security. Organizations requiring secure file transfer solutions can trust that GoAnywhere will meet the parameters of the strictest testing and evaluation process that is recognized internationally by more than 31 countries.