Common Criteria Testing Laboratory
A Common Criteria Testing Laboratory (CCTL) is an information technology (IT) computer security testing laboratory that is accredited to conduct IT security evaluations for conformance to the Common Criteria international standard.
In the United States, the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) accredits CCTLs to meet National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and conduct IT security evaluations for conformance to the Common Criteria.
CCTL requirements
These laboratories must meet the following requirements:
- NIST Handbook 150, NVLAP Procedures and General Requirements
- NIST Handbook 150-20, NVLAP Information Technology Security Testing — Common Criteria
- NIAP specific criteria for IT security evaluations and other NIAP defined requirements
CCTLs enter into contractual agreements with sponsors to conduct security evaluations of IT products and Protection Profiles which use the CCEVS, other NIAP-approved test methods derived from the Common Criteria, the Common Methodology and other technology-based sources. CCTLs must observe the highest standards of impartiality, integrity and commercial confidentiality. CCTLs must operate within the guidelines established by the CCEVS.
To become a CCTL, a testing laboratory must go through a series of steps that involve both the NIAP Validation Body and NVLAP. NVLAP accreditation is the primary requirement for achieving CCTL status. Some scheme requirements that cannot be satisfied by NVLAP accreditation are addressed by the NIAP Validation Body. At present, there are only three scheme-specific requirements imposed by the Validation Body.
NIAP-approved CCTLs must agree to the following:
- Be located in the U.S. and be a legal entity, duly organized and incorporated, validly existing and in good standing under the laws of the state where the laboratory intends to do business
- Accept U.S. Government technical oversight and validation of evaluation-related activities in accordance with the policies and procedures established by the CCEVS
- Accept U.S. Government participants in selected Common Criteria evaluations.
CCTL accreditation
A testing laboratory becomes a CCTL when the laboratory is approved by the NIAP Validation Body and is listed on the Approved Laboratories List.
To avoid unnecessary expense and delay in becoming a NIAP-approved testing laboratory, it is strongly recommended that prospective CCTLs ensure that they are able to satisfy the scheme-specific requirements prior to seeking accreditation from NVLAP. This can be accomplished by sending a letter of intent to the NIAP prior to entering the NVLAP process.
Additional laboratory-related information can be found in CCEVS publications:
- #1 Common Criteria Evaluation and Validation Scheme for Information Technology Security — Organization, Management, and Concept of Operations and Scheme Publication
- #4 Common Criteria Evaluation and Validation Scheme for Information Technology Security — Guidance to Common Criteria Testing Laboratories