NP002 - EUCC processes v2.0

Processes describing how to get a product certified and sustain its certified status under the EUCC for assurance level high at the Dutch NCCA.

📄 Document information

1. Introduction

1.1 Background and purpose

The European Common Criteria scheme (EUCC) is the first cybersecurity certification scheme developed under the Cybersecurity Act (CSA). This scheme aims to serve as a successor to the current existing national schemes operating under the SOGIS MRA (Senior Officials Group on Information Systems Security Mutual Recognition Agreement) and covers the certification of ICT products, using the Common Criteria ISO/IEC 15408 standard.

The Dutch implementation of the CSA is regulated in Dutch law in the ‘Uitvoeringswet cyberbeveiligingsverordening’ (UITVW). In this law the role of NCCA is assigned to the Dutch Authority for Digital Infrastructure (RDI), which is part of the Ministry of Economic Affairs and Climate Policy. The UITVW expresses the Dutch government choice to use the ‘prior approval model’ as mentioned in article 56(6)a of the CSA as the only option for issuing certificates at the assurance level ‘high’.

This document provides details of the steps and activities that the parties involved shall take in the EUCC processes in which the RDI as NCCA has a role1. The EUCC processes are:

  1. The forecast process (further described in chapter 2);
  2. The certification process (further described in chapter 3);
  3. The assurance continuity process (further described in chapter 4);
  4. The vulnerability management and disclosure process (further described in chapter 5).

The forecast, the certification and assurance continuity processes are applicable for products and protection profiles where assurance level ‘High’ is claimed. Approval is necessary from the NCCA before a CAB is allowed to issue a certificate at this assurance level ‘High’. Note that a similar approach may also be applied to the certification of products and protection profiles where assurance level ‘Substantial’ is claimed. In this case the approval is not required, and the involvement of the NCCA in the certification process would be nil2.

Depending on the nature of the certification, the actual activities may differ and need to be tailored as described in the following chapters.

The vulnerability management and disclosure process is applicable for products certified at either the ‘Substantial’ or ‘High’ assurance level.

This document is aligned with the accreditation norms ISO/IEC 17025 & ISO/IEC 17065 and the related EUCC State-of-the-Art documents while also providing detailed guidance to the formal approval steps as specified in the UITVW. The overall goal is to ensure that the formal approval can be given efficiently based on a process that reduces risks for all stakeholders by having the following characteristics:

  • Quality - Approval based on verification that certification is meeting scheme requirements;
  • Predictability - assurance that certification is on the right track;
  • Responsiveness - small work packages/intermediate results are faster to review;
  • Timeliness - fast final approval based on intermediate results.

1.2 Information products

The following information products are identified in the EUCC processes:
Information product From To Description
Monthly forecast CAB NCCA A document containing the certification leads of a CAB. It is used by the NCCA operational manager for initial resource planning and allocation.
Forecast overview NCCA NCCA NCCA internal document compiled by the operational manager from the individual monthly forecasts.
EUCC notification CAB NCCA Official notification from a CAB to the NCCA that they wish to start the certification-process for a product or protection profile. It consists of a notification form, assessment plan and (draft) Security Target/ Protection Profile
Assessment plan CAB NCCA A document describing how the CAB will conduct the product assessment.
Notification Review Report NCCA NCCA NCCA internal report in which the NCCA keeps track of everything leading up to the rejection or acceptance of the assessment plan.
Acceptance of assessment plan NCCA CAB Official notification of acceptance of the assessment plan, after which the certification process can proceed to the certification monitoring phase.
Rejection of assessment plan NCCA CAB Official notification of rejection of the assessment plan.
Request for developer evidence CAB Sponsor A request from the CAB to the sponsor to provide the developer evidence necessary for assessment.
Developer evidence Sponsor CAB Evidence provided by the sponsor to the CAB for assessment.
Evaluator evidence CAB NCCA Reports or other material describing how the evaluator actions have been performed. This evidence is presented in the ERMs for internal review by the certifier and monitoring by the NCCA.
Evaluation Technical Report (ETR) CAB NCCA Report that combines and compiles all evaluator evidence from the product evaluation.
Meeting minutes CAB NCCA Report of an ERM that records all issues raised during the meeting, the decisions made and the conclusion.
Project actions list CAB CAB
NCCA
A list in which the CAB keeps track of all actions including their status related to the assessment as discussed during the ERMs. The final version will be provided to the NCCA as part of the request for approval.
Certifier Review Report CAB CAB
NCCA
Report in which the CAB keeps track of all its review activities leading up to its certification decision. Final version will be provided to the NCCA as part of the request for approval.
Certification Report (CR) CAB NCCA A document containing a high-level description of the product and the certification performed. This document will be published in conjunction with the certificate.
Draft certificate CAB NCCA A draft of the certificate that the CAB makes before formal approval for certification is given by the NCCA.
Request for approval CAB NCCA Request from the CAB to the NCCA to approve the issuance of an EUCC certificate.
Approval Review Report NCCA NCCA NCCA internal document in which the NCCA keeps track of everything leading up to its decision regarding the final approval.
Approval to issue certificate NCCA CAB Official notification sent by the NCCA to the CAB to approve the issuance of an EUCC certificate.
Rejection of approval NCCA CAB Official notification sent by the NCCA to the CAB to reject the issuance of an EUCC certificate.
Certification notification CAB Sponsor
NCCA
ENISA
Notification to the sponsor, NCCA and ENISA that a product has been certified under EUCC.
Protection Profile (PP) Sponsor CAB
NCCA
A document describing a set of security requirements for a class of products. I.e. it specifies the security needed in a IT product. This document can be the subject of a certification, or can be used by a product’s Security Target to claim compliance with.
Security Target (ST) Sponsor CAB
NCCA
A document describing a set of implementation-dependent security requirements for a product. I.e. it specifies the security provided in a specific IT product and forms the basis for a product assessment.
Security Target Lite (ST-Lite) Sponsor CAB
NCCA
A Security Target sanitised by the removal or paraphrasing of proprietary technical information.
Evaluation Technical Report for composite evaluations (ETRfC) CAB NCCA
CAB
A subset of an ETR that is intended for re-use in a composite certification process (by another CAB).
Site Technical Audit Report (STAR) CAB NCCA
CAB
A report describing the audit results of the development and production environment of the product that is intended for re-use in another product certification process (by another CAB).
Impact Analysis Report (IAR) Sponsor CAB
NCCA
A document describing changes to a certified product, used as input for assurance continuity.

All documents or other material (e.g., presentations) exchanged with the NCCA shall be in electronic form and in the English language. If the material contains proprietary or sensitive information, it should be submitted in encrypted form with PGP encryption using the public NCCA keys, which can be downloaded from the NCCA website.

Please refer to the NCCA instruction NI001 - Information exchange for further guidelines on how documents or other material shall be exchanged with the NCCA. This applies to all instances in this document where the words “send to the NCCA” is used.

1.3 Roles

The following roles are identified in the EUCC processes:
Role Responsible entity Description
Certificate issuer CAB Designated person within a CAB with the authority to issue certificates.
Certifications manager CAB Overall point-of-contact for the general operation of the CAB. Will submit the monthly forecasts and the certification notifications.
Certifier CAB Person from the CAB responsible for the review of the evaluation activities and generation of the certification report.
Evaluator CAB Person performing the evaluation activities and generation of the evaluator evidence and ETR.
Certification auditor NCCA Person responsible for the monitoring of the certification process comprising the activities of the certifier who has reviewed and assessed the activities of the evaluator.
Audit supervisor NCCA Person responsible for processing the monthly forecast and pre-allocating resources, preparing the official rejection or acceptance of the notification and providing the official rejection or acceptance of the certificate.
External expert CAB Person (internal to the RDI or from an external organisation) supporting the certification auditor providing technical expertise not possessed by the NCCA itself.
Sponsor role Sponsor The sponsor is the entity that wishes a product to be certified under EUCC and is responsible for providing all the necessary developer evidence. The sponsor will become the holder of the certificate. Usually the sponsor is the manufacturer or supplier of the product to be certified under EUCC.

2. Forecast process

The Forecast Process is asynchronous to the Certification Process and is intended to allow the NCCA to take the necessary preparation steps for upcoming EUCC notifications. Knowing beforehand the amount and type of EUCC notifications enables the NCCA to perform adequate resource planning and allocation such that the lead time of the Certification Process can be optimised.

Every CAB is expected to report to the NCCA on a monthly basis all certification leads for assurance-level high of which it expects with more than 70% certainty that they will lead to a notification within the next three months.

The Forecast Process only consists of one phase: the Forecast Phase.

Forecast process

2.1 Phase 0: Forecast Phase

Forecast phase

2.1.1 Step 0.1: Prepare and submit monthly forecast

Prepare and submit monthly forecasts
Action 0.1.1: Collect information internally and from related ITSEFs:
Responsible: CAB | Executed by: Certifications manager
  • Collect information about possible evaluation/certification leads
    • Request information on possible evaluation/certification leads for assurance-level high from internal account management or sales department.
    • Request information on possible evaluation/certification leads for assurance-level high from associated external ITSEFs (when applicable).

Note 1: This information has to be collected on a monthly basis. If the CAB makes use of external ITSEFs, then it may request this information every month from the ITSEFs, or procedurally demand from the ITSEF that they send this information structurally every month to them.

Note 2: A CAB is expected to report to the NCCA on a monthly basis all evaluation/certification leads for assurance-level high of which it expects with more than 70% certainty that they will lead to a notification within the next three months.

Action 0.1.2: Create monthly forecast:
Responsible: CAB | Executed by: Certifications manager
  • Compile monthly forecast
    • Download the monthly forecasting template from NCCA website.
    • Fill in the required fields using the collected information.

Note: In the case a sponsor approached multiple CABs/ITSEFs to perform an evaluation on their product, add all these requests to the forecasting template.

  • Submit monthly forecast to the NCCA
    • Send the monthly forecast to the NCCA on the first working day of the month.

Note 1: It is understood that the information is commercially sensitive. NCCA will only use this information for its resource planning.

Note 2: The monthly forecast may be submitted encrypted or unencrypted. If the CAB wishes to submit the monthly forecast encrypted it may do so with PGP encryption using the public NCCA keys, which can be downloaded from the NCCA website.

2.1.2 Step 0.2: Collect monthly forecasts and create forecast overview

Collect monthly forecasts and create forecast overview
Action 0.2.1: Check for completeness:
Responsible: NCCA | Executed by: Audit supervisor
  • Receive the monthly forecast
    • Receive (and decrypt if required) the monthly forecast from every CAB.
    • Archive and register the monthly forecasts in the NCCA document management system.
  • Check the monthly forecasts for completeness
    • Check that all necessary information is contained in the monthly forecasts.
    • Notify a CAB in the case their monthly forecast is incomplete and request missing information.
  • Send confirmation
    • Send a message to the CABs that their monthly forecasts are well received.
Action 0.2.2: Compile forecast overview:
Responsible: NCCA | Executed by: Audit supervisor
  • Combine monthly forecasts
    • Transfer every entry from the monthly forecasts to the central NCCA forecast overview, while keeping the references to the CABs and ITSEFs.
    • Highlight the changes compared to the forecast from previous month.
Action 0.2.3: Determine resources:
Responsible: NCCA | Executed by: Audit supervisor
  • Determine monitoring type
    • Based on the following factors, determine whether there is a need for certification monitoring:
      • The importance-level of the product for the public or Dutch government (e.g. Netherlands passport).
      • If the product is of specific interest for RDI (Relations with areas of interest and research).
      • The level of experience of the CAB (including the ITSEF) with the type of product.
      • The level of experience of the sponsor/developer with the Common Criteria standard.
      • The past performance of the CAB (including the ITSEF).
      • The assessment type (new, re-certification, maintenance).
      • The expected duration of the evaluation/certification.
    • Include in the forecast overview if monitoring will be foreseen.
  • Pre-allocate resources
    • For every potential project pre-allocate a certification auditor based on availability and specific knowledge related to the type of product or previous experience with the product that will be evaluated.
    • Include the name of the pre-allocated certification auditor in the forecast overview.

Note 1: The pre-allocated certification auditor must be independent from, and not be involved in, the activities of the sponsor/developer and the CAB.

Note 2: There may be a need for additional expertise from outside the NCCA. This could be because the relevant expertise is not present within the NCCA, there are insufficient resources available or for other reasons. In such cases the certification auditor could be assisted by an external expert.

3. Certification process

The certification process comprises of the following three phases:

  1. The Notification Phase: in which the formal notification is submitted and processed, resulting in a formal approval or rejection by the NCCA;
  2. The Evaluation and Review Phase: in which the actual assessment is performed by the CAB and its (subcontracted) ITSEF. The phase normally ends in a formal request for approval from the CAB to the NCCA for the issuance of a certificate;
  3. The Certification Approval Phase: in which the concluding actions are performed, resulting in a formal approval or rejection by the NCCA and the actual issuance of an EUCC certificate.
Certification process

During the assessment of the notification, the NCCA will determine whether there will be NCCA monitoring throughout the evaluation and review phase or not. In the latter case it is expected by the NCCA that a timely approval to issue a certificate can be given without this monitoring.

3.1 Phase 1: Notification Phase

Notification phase

3.1.1 Step 1.1: Prepare for certification

This first step in the notification phase and the related actions are described for completeness and are solely intended as guidance to the sponsor.

Prepare for notification
Action 1.1.1: Determine certification object, scheme and assurance level:
Responsible: Sponsor | Executed by: Sponsor role
  • Determine object to be certified
    • The EUCC can only be used to certify products or protection profiles. If a sponsor wants to certify a process or service under the Cyber Security Act, determine which other EU scheme is relevant.
  • Determine assurance level
    • Determine the assurance level that is required for the evaluation based on the threat-level that the product needs to counter, intended use, marketing needs, etc.
Action 1.1.2: Create (draft) ST/PP and select/contract a CAB:

Responsible: Sponsor | Executed by: Sponsor role | In cooperation with: Optionally with a CC consultant or the envisaged CAB

  • Determine which CAB’s are accredited to perform the EUCC certification activities3
    • Determine which CAB’s are accredited to perform certification activities at the required assurance-level, and where relevant the technical domain. A list of CAB’s is available on the NCCA website.
    • Determine, based on own needs, requirements and preferences, which of the CAB’s is preferred to perform the EUCC certification activities.
  • Create a (draft) Security Target (ST) / Protection Profile (PP)
    • Create an initial version of the ST or PP that describes the TOE in sufficient details such that the logical and physical boundary is clearly defined. Also the Security Problem Definition and Objectives must be complete.

Note: drafting a ST or PP is a specialised task for which the sponsor may want to contract/hire a CC consultant or expert. This may be an independent consultant, but the envisaged CAB could also provide this consultancy service. However the CSA and EUCC impose restrictions on consulting services.

  • Consult envisaged CAB and reach an certification agreement
    • (Optionally) Submit the (draft) ST/PP to the envisaged CAB.
    • Consult the envisaged CAB to determine to what extend the CAB is able and willing to perform the certification activities based on the (draft) ST/PP and under which conditions.
    • Come to a contractual agreement with the CAB for performing the certification activities.

Note: If the CAB makes use of external ITSEFs, then the sponsor may also need to come to a contractual agreement with the ITSEF for performing the evaluation part of the certification activities.

3.1.2 Step 1.2: Prepare notification

Prepare notification
Action 1.2.1: Draft EUCC notification:
Responsible: CAB | Executed by: Certifications manager
  • Draft an EUCC notification form
    • Receive the (draft) ST/PP (if not already in possession).
    • Check that the (draft) ST/PP describes the TOE in sufficient details so that the logical and physical boundary is clearly defined. Also check the completeness of the Security Problem Definition and Objectives.
    • Download the NCCA template NT003 - EUCC notification form from the NCCA website.
    • Fill in the required fields.
  • Draft assessment plan
    • Draft an assessment plan describing the evaluation and certification activities based on the draft ST/PP and NCCA procedures. The assessment plan must address the following five items in clearly separated sections:
      • Appropriateness: Is the chosen assurance level appropriate and is the chosen level commensurate with the level of risk associated with the intended use of the ICT product?
      • Evaluation and certification approach: the CAB shall describe which entity will perform the evaluation activities in case of outsourcing. Also some background information regarding the product to be evaluated shall be provided. The evaluation and certification approach shall be based on the default set of ERMs (see introduction of chapter 3.2 and the NCCA instruction NI002 - Content and presentation of evaluation review meetings) where the content is tailored in accordance with the EAL. If the CAB wants to deviate from this default set or content, the deviation must be described and motivated. This also applies in case the CAB wants to use the alternative approach for ADV and ATE. When previous evaluation results (e.g. ETR for composite evaluations, STAR reports or otherwise) will be re-used this must be indicated and described how;
      • Applicable standard and additional evaluation methodology: The CAB shall identify the version and revision of the ISO/IEC 15408 or the CC and which additional evaluation methodology, besides ISO/IEC 18045 or the CEM, will be used. This additional evaluation methodology shall be in accordance with the EUCC scheme requirements, the product type, technical domain and State-of-the-Art documents;
      • Staff involved in consultancy, evaluation and certification: in this section, the CAB must identify the key-staff involved in the evaluation and certification activities, especially the persons that authorise the deliverables. The CAB must also identify and describe any consultancy services that have been provided to the sponsor and list the staff involved. This is of particular importance when the consultancy has involved writing documentation on behalf of the sponsor or in any (pre-) evaluation activities. Staff involved in consultancy may not perform evaluation or certification activities or mentor other employees during these activities;
      • Evaluation and certification schedule: this is the schedule for the delivery of all required evaluator evidence and the Evaluation Technical Report by the evaluators and the review thereof by the certifiers, including the ERMs. Also the planned date for the delivery of the Certification Report and the (draft) Certificate to the NCCA for approval must be indicated.

Note 1: The EUCC (in recital 3 and 5) requires the sponsor to provide a rationale for selecting the correct assurance level which the CAB shall review. This review must be included under the ‘appropriateness’ section in the assessment plan.

Note 2: While scheduling the ERMs, consideration must be given that the ERMs cannot be held without the NCCA approval for the suggested ERM dates in the assessment plan. In practice the first ERM should not be planned soon after the notification has been submitted as this increases the risk that the ERM will have to be rescheduled due to NCCA resource management and preparation. In general a 15 working days delay is needed after the formal approval has been issued by the NCCA (see Action 1.3.4: Issue formal decision on assessment plan).

  • Submit EUCC notification to sponsor
    • Send the EUCC notification form and assessment plan to the sponsor for verification and approval.
Action 1.2.2: Verify and approve EUCC notification:
Responsible: Sponsor | Executed by: Sponsor role
  • Receive the EUCC notification
    • Receive the EUCC notification form and assessment plan.
    • Check the EUCC notification form for correctness, and fill in the remaining open fields.
  • Approve EUCC notification form
    • Return the completed EUCC notification form and assessment plan to the CAB with a statement of approval.
Action 1.2.3: Submit EUCC notification:
Responsible: CAB | Executed by: Certifications manager
  • Receive the EUCC notification
    • Receive the EUCC notification form and assessment plan.
  • Submit the EUCC notification
    • Gather the (draft) ST/PP (already in possession of the CAB).
    • Sign the EUCC notification form, if not already done. 
    • Compose the EUCC notification:              
      • EUCC notification form;
      • Assessment plan;
      • (draft) ST/PP.  
    • Send the notification to the NCCA.

Note 1: The EUCC notification form and related documents may be submitted encrypted or unencrypted. If the CAB wishes to submit the documents encrypted it may do so with PGP encryption using the public NCCA keys, which can be downloaded from the NCCA website.

The reception of the notification is a milestone for the NCCA after which the notification has to be processed within the legally defined terms.

3.1.3 Step 1.3: Assess notification

Assess notification
Action 1.3.1: Register EUCC notification:
Responsible: NCCA | Executed by: Audit supervisor
  • Receive the notification
    • Receive (and decrypt if required) the EUCC notification form, the assessment plan and the (draft) ST/PP.
    • Confirm the reception of the notification to the CAB.
    • Archive and register the notification in the NCCA document management system and create an audit file.
    • Check if the notification is on the forecast overview. If present, copy the certification information from the forecast overview to the audit file and update the forecast overview.
  • Determine monitoring type
    • Based on the following factors, verify if the envisioned monitoring decision from the forecast overview is still appropriate, or determine whether certification monitoring is needed:
      • The importance-level of the product for the public or the Dutch government (e.g. Netherlands passport).
      • If the product is of specific interest for RDI (Relations with areas of interest and research).
      • The level of experience of staff involved from the CAB (including the ITSEF) with the type of product.
      • The level of experience of the sponsor/developer with the Common Criteria standard.
      • The past performance of the CAB (including the ITSEF).
      • The assessment type (new, re-certification, maintenance).
      • The expected duration of the evaluation/certification.
    • Include or update if monitoring is foreseen in the audit file.
  • Appoint Certification Auditor
    • Verify if the envisioned certification auditor is still available. If not, select a certification auditor based on availability and specific knowledge related to the type of product or previous experience with the product that will be evaluated.
    • Inform the certification auditor that he/she is appointed to the certification process and if monitoring is foreseen.
    • Include or update the name of the certification auditor in the audit file.

Note 1: The appointed certification auditor must be independent from, and not be involved in, the activities of the sponsor/developer and the CAB.

Note 2: There may be a need for additional expertise from outside the NCCA. This could be because the relevant expertise is not present within the NCCA, there are insufficient resources available or for other reasons. In such cases the certification auditor could be assisted by external expert(s).

Action 1.3.2: Check EUCC notification for completeness and correctness:
Responsible: NCCA | Executed by: Certification auditor
  • Create Notification Review Report
    • Create a Notification Review Report to document any discussions and comments related to the notification.

Note: The Notification Review Report is intended to collect findings on the notification documents, and forms the basis for the formal decision on the assessment plan.

  • Check the EUCC notification for completeness
    • Perform a high level check on the following items as a minimum:
      • Does the notification include a complete assessment plan and (draft) ST/PP?
      • Are all required fields in the notification form filled in?
      • Is the notification form signed by the CAB?
    • Notify CAB in case the application is incomplete and request missing information.
    • Update the Notification Review Report with findings.
  • Check the EUCC notification for correctness
    • Perform a high level check on the following items:
      • Scope of the CAB: Does the TOE fall within the accreditation scope of the CAB?
      • Authorisation of the CAB: Is the CAB authorised by the NCCA?
      • Authorisation of the ITSEF: Is the evaluation task performed by an authorised ITSEF?
    • Update the Notification Review Report with findings.
    • Continue with Action 1.3.4: Issue formal decision on assessment plan in case the application is incorrect or remains incomplete. This will lead to a rejection of the application and the termination of the certification process. Otherwise continue with Action 1.3.3: Review assessment plan and (draft) ST/PP.

Note: The checks on scope and authorisation will not take part in case the EUCC notification is part of an initial assessment that the CAB needs to perform as part of its initial accreditation and licensing process.

Action 1.3.3: Review assessment plan and (draft) ST/PP:
Responsible: NCCA | Executed by: Certification auditor | In cooperation with: Optionally with an external expert
  • Review assessment plan
    • Perform a detailed review of the assessment plan based on the Notification review guidance. Focus areas are:
      • Appropriateness: Is the chosen assurance level appropriate and is the chosen level commensurate with the level of risk associated with the intended use of the ICT product and does the CAB review confirms this?
      • Evaluation & certification approach: Does it describe which entity will perform the evaluation activities in case of outsourcing and does it provide sufficient background information regarding the product to be evaluated? Is the approach correctly based on the default set of ERMs (see introduction of chapter 3.2 and NCCA instruction NI002 - Content and presentation of evaluation review meetings) and are deviations and choices well motivated? Check if re-use of previous results is possible as described, i.e. check the validity of evaluation results in case of re-use for composite evaluations, site audit results and maintenance activities.
      • Applicable standard and additional evaluation methods: Are the standard and additional evaluation methods correctly identified and do they include all applicable methodology as required by the EUCC scheme?
      • Staff involved: Is key-staff identified? Are there any issues related to independence and competence expected?
      • Project planning: Do the dates of planned ERMs and the delivery of the final evaluation & certification reports (i.e. the request for approval) allow for reasonable time to address open issues.
    • Discuss any items that are unclear with the CAB to gain necessary clarification in order to finalise the review.
    • Update the Notification Review Report with findings.

Note: The EUCC (in recital 5) requires the sponsor to provide a rationale for selecting the correct assurance level which the CAB shall review. This review must be included under the ‘appropriateness’ section in the assessment plan.

  • Review (draft) ST/PP
    • Perform a detailed review of the (draft) ST/PP based on the Notification review guidance:
      • Clarity: Is the ST or PP clear and understandable, is the TOE scope with its logical and physical boundaries well defined?
      • Meaningfulness: Does the ST or PP comprise sufficient functionality to come to a meaningful certificate and does the security problem definition not contain any assumptions that unreasonably limit the usability expected by the end-user?
      • Assurance requirements: Check the assurance requirements contain the appropriate AVA_VAN and ADV_IND components and its dependencies. Also check if the appropriate ALC_FLR component is included to address the sponsor requirements described in EUCC Chapter V and VI.
    • Discuss any items that are unclear with the CAB to gain necessary clarification in order to finalise the review.
    • Update and finalise the Notification Review Report with findings.

Note: The EUCC (in article 7) requires security assurance requirements classes for vulnerability assessment and independent functional testing to be included in the evaluation. The EUCC in Chapter V and VI also has requirements related to vulnerability monitoring, management and disclosure for which the sponsor shall establish and maintain the necessary procedures. In the Netherlands these procedures need to be included in the evaluation.

Action 1.3.4: Issue formal decision on assessment plan:
Responsible: NCCA | Executed by: Audit supervisor
  • Validation of the Notification Review Report
    • Check if the Notification Review Report is complete, correct and consistent.
    • Sign off the Notification Review Report.
  • Draft a formal acceptance or rejection letter
    • Fill-in the applicable NCCA letter template.
    • Have the letter signed.

Note: The letter of acceptance will include the name of the certification auditor and where applicable the name of the external expert(s). Also if monitoring will be performed is indicated.

  • Submit the formal decision letter (acceptance or rejection) to the CAB
    • Send the letter to the CAB.

Note: The formal acceptance is based on the content of the provided assessment plan. This plan may need to change at a later stage and then requires a renewed acceptance by the NCCA. Changes of the assessment plan or deviations thereof may have consequences for the NCCA approval to issue a certificate. See also Step 2.5: Project monitoring.

The acceptance of the assessment plan is a milestone for the CAB after which the assessment can formally commence.

In case of rejection the certification process stops and a new submission of an EUCC notification is required.

3.2 Phase 2: Evaluation and Review Phase

The evaluation and review phase consists of an iteration of 3 activities, one for each of the Evaluation Review Meetings (ERMs) followed by a final reporting activity. By default there will be 3 ERMs in this phase, but this will be dependent on the evaluation approach as defined in the assessment plan during the notification phase.

The evaluator is responsible for delivering the evaluator evidence which records the results of the evaluation activities (ref. ISO/IEC 17065 section 7.4 / ISO/IEC 17025 chapter 7). These reports are reviewed by the CABs certifier (ref. ISO/IEC 17065 section 7.5) and the review comments are communicated to the evaluator in Certifier Review Reports (and discussed in an ERM). The CAB is responsible for recording minutes of the ERMs and tracking of the action items.

After the final ERM, when all Certifier Review Report comments have been addressed and any action items closed, the evaluation is concluded with the generation of the final Evaluation Technical Report (ETR) by the evaluator. The certifier shall use the final ETR to create a Certification Report (CR) and draft Certificate. At the conclusion of the evaluation and review phase these documents will then be submitted to the NCCA for approval.

There are usually multiple iterations of the steps 2.1 – 2.3 according to the number of ERMs specified in the assessment plan. There are three ERMs defined for a typical EAL4 and higher evaluation (see NCCA instruction NI002 - Content and presentation of evaluation review meetings), but some of these meetings can be combined for evaluations claiming lower assurance level packages (outside the scope of this document) and for maintenance and re-certification tasks. The content to be discussed in each ERM is also specified in NCCA instruction NI002 - Content and presentation of evaluation review meetings and refined in the assessment plan. This will dictate what evaluator evidence is to be provided and what evaluation activities are to be performed by the evaluator in preparation for the ERM. Similarly, the agenda for each meeting is taken from the definition of the ERMs specified in the assessment plan.

In the case where there is NCCA monitoring foreseen throughout the evaluation and review phase, the certification auditor (NCCA) will be in copy of all meeting deliverables, but he may choose not to attend the ERMs. Being in copy shall not be the case when there is no NCCA monitoring, and only the request for approval including all associated documents will be delivered to the NCCA for approval (see output from Action 2.4.5: Submit request for approval). This means that when there is no NCCA monitoring, there will be no NCCA involvement during the evaluation and review phase other than Step 2.5: Project monitoring.

See also the NCCA instruction NI002 - Content and presentation of evaluation review meetings for an overview of the ERMs and the associated meeting deliverables.

Evaluation and review phase

3.2.1 Step 2.1: Assess developer evidence and generate meeting deliverables

Assess developer evidence and generate meeting deliverables
Action 2.1.1: Request developer evidence:
Responsible: CAB | Executed by: Evaluator
  • Define necessary developer evidence
    • The content to be discussed in each ERM is specified in the assessment plan and will dictate what developer evidence is to be provided by the sponsor. This developer evidence is related to the relevant developer action elements from the chosen assurance package and associated security assurance requirements from the Common Criteria standard (ISO/IEC 15408) and all other necessary information that is required by the EUCC scheme. These will form the input for the evaluation activities that are to be performed by the evaluator in preparation for the ERM.
  • Submit request for the needed developer evidence
    • Send the request to the sponsor to provide the necessary developer evidence.
Action 2.1.2: Evaluate developer evidence:
Responsible: CAB | Executed by: Evaluator
  • Receive evidence from sponsor
    • Record evidence received in accordance with the applicable evaluation procedures.
  • Evaluate evidence
    • Perform evaluation activities for the applicable ERM (as defined in the assessment plan) in accordance with the evaluation methodology specified in the CEM and any associated methodology specified in the assessment plan.
    • Record findings and verdicts in the evaluator evidence as defined for the relevant ERM.
    • Address actions from the project actions list (e.g. items raised in previous ERMs), providing a disposition of how the action has been addressed.
Action 2.1.3: Validate evaluator evidence:
Responsible: CAB | Executed by: Evaluator
  • Finalise the evaluator evidence
    • Check that the evaluator evidence contain the necessary information.
  • Verify all evaluator evidence
    • Approve and authorize all evaluator evidence before submitting for formal CAB review.
  • Submit all evaluator evidence
    • Send the evaluator evidence and updated project action list to the CAB/certifier for formal review.
Action 2.1.4: Review evaluator evidence:
Responsible: CAB | Executed by: Certifier
  • Receive completed package of evaluator evidence from the CAB/evaluator.
    • Check the package is complete in accordance with the list of deliverables specified in the assessment plan.
  • Review evaluator evidence.
    • Review the evaluator findings and conclusions reported in the evaluator evidence and record any comments/notes for discussion in a Certifier Review Report.
    • Review disposition of action items and updates made to evaluator evidence to address actions (if any) from the project actions list.
  • Preparation of Evaluation Review Meeting
    • Once the certifier is confident that the evaluation activities relevant for the ERM have been completed successfully, the ERM data/time/location can be confirmed by the certifier.
    • The CAB organises a meeting at a mutually agreed location. The sponsor/developer is encouraged, but not required, to attend the meeting. The NCCA endeavours to attend most meetings. Other parties are only allowed to attend if sponsor and CAB agree.
    • Send the complete package of evaluator evidence including the project actions list and Certifier Review Report to the NCCA & optionally to the sponsor.
    • Confirm and invite the NCCA and optionally the sponsor to the ERM.

Note 1: The meeting deliverables are to be sent to the NCCA/certification auditor at least 5 working days before the meeting is scheduled to be held.

Note 2: The meeting deliverables and invitation are optionally sent to the sponsor depending on the agreement between the CAB and sponsor.

Note 3: The ERMs shall be held as a physical only meeting on a location in the Netherlands.

3.2.2 Step 2.2: Prepare developer evidence

Prepare developer evidence
Action 2.2.1: Collect and submit developer evidence:
Responsible: Sponsor | Executed by: Sponsor role
  • Create developer evidence
    • Collect all necessary information that is relevant for the chosen assurance level and associated security assurance requirements as defined by the Common Criteria standard (ISO/IEC 15408) and requested by the CAB.
    • Collect all other necessary information that is required by the EUCC scheme.
  • Compile and provide developer evidence to the CAB
    • Supply the developer evidence to the CAB for evaluation.

Note: Developer evidence can take many forms, including documents, e-mails or physical access to the development site. The form in which the developer evidence is supplied to the CAB needs to be mutually agreed. The CAB may for example agree to get access to the information on the premises of the manufacturer or provider.

3.2.3 Step 2.3: Conduct evaluation review meeting 1, 2 and 3

Conduct evaluation review meeting 1,2 and 3
Action 2.3.1: Confirm ERM date and participation:
Responsible: NCCA | Executed by: Certification auditor
  • Receive meeting deliverables
    • Receive (and decrypt if required) the meeting deliverables from the CAB.
    • Archive and store the meeting deliverables in the NCCA document management system.
  • Check for completeness
    • Check meeting deliverables for completeness.
  • Confirm participation
    • Determine if the ERM needs to be attended based on the content of the meeting deliverables.
    • Send a message to the CAB indicating the participation and where appropriate request any missing information in the meeting deliverables.
Action 2.3.2: Confirm ERM date and participation (this action is optional based on agreements made between CAB and sponsor):
Responsible: Sponsor | Executed by: Sponsor role
  • Receive meeting deliverables
    • Receive (and decrypt if required) the meeting deliverables from the CAB.
  • Confirm participation
    • Determine if the ERM needs to be attended.
    • Send a message to the CAB indicating the participation.
Action 2.3.3: Perform Evaluation Review Meeting:
Responsible: CAB | Executed by: Certifier | In cooperation with: Evaluator (Note: both NCCA and sponsor may attend)
  • ERM will be held
    • The certifier chairs the meeting using the agenda defined by the assessment plan.
    • The ERM deliverables are presented by the evaluator, according to the following guidance:
      • The certifier may question the evaluator on any or all of the items to ascertain that the evaluation was performed correctly and completely.
      • If there are any missing items in the ERM deliverables, or items that are not clear, these will be corrected during the meeting, by amending the ERM deliverables where possible and annotating them where amending would take too much time.
      • In exceptional cases the certifier may, in agreement with the certification auditor (if present), decide that presentation of (parts of) ERM deliverables is skipped as they are deemed to be self-explanatory.
    • The meeting can have four possible outcomes:
      • All ERM deliverables were either correct or successfully amended/annotated during the meeting. In this case all of these deliverables are provisionally approved.
      • One or more deliverables could not be successfully amended/annotated, but the certifier determines that this can be further handled by email. In this case, the other deliverables are provisionally approved, and after an email process, where the remaining deliverables are amended/annotated will also be provisionally approved.
      • One or more deliverables could not be successfully amended/annotated and cannot be handled by email, but the certifier determines that this can be rescheduled to the next ERM. In this case, the other deliverables are provisionally approved, and the remaining deliverables are rescheduled (for the final ERM this outcome is not possible and will lead to outcome 4).
      • One or more deliverables could not be successfully amended/annotated and the certifier determines that this cannot be handled by email or rescheduling. In this case, the ERM is nullified, and must be repeated once the evaluator has remedied the not-approved deliverables.

Note: ERM deliverables can only be provisionally approved as subsequent ERMs may invalidate the verdicts due to new information found. The final formal approval takes place in Step 2.4: Generate final evaluation & certification reports.

Action 2.3.4: Draft meeting minutes:
Responsible: CAB | Executed by: Certifier or evaluator
  • Create meeting minutes
    • Either the certifier or the evaluator will draft meeting minutes to record all issues raised during the meeting, the decisions made and the conclusion. The meeting minutes shall contain the following topics:
      • The date, duration, location and attendees of the meeting;
      • All evaluator evidence including the Certifier Review Report that has been delivered for discussion at the ERM shall be listed by name and version;
      • Intermediate conclusions or verdicts and decisions made in regard to a specific deliverable shall be recorded (i.e. amended/annotated during meeting, further handling by email or renewed discussion of the issue at a rescheduled meeting);
      • All revised evaluator evidence including the Certifier Review Report coming out of the ERM shall be listed by name and version. Ideally, outputs of a meeting, should be attachments to the meeting minutes;
      • The final conclusion of the meeting (see the 4 possible outcomes of a meeting as described in previous step);
      • A reference to the (updated) project action list arising from the meeting.
    • Either the certifier or the evaluator will create (or update) the project actions list based on the actions that were agreed upon during the ERM. This project actions list shall meet the following requirements:
      • Every action is uniquely identified in order to trace the action;
      • When an action relates to a evaluator evidence, the action should refer to the specific deliverable, including its version and location within that deliverable (e.g. section number, slide number);
      • Every action should be self-explanatory, not relying on (undocumented) discussion in the meeting for clarity;
      • When an action is closed, the action item should clearly state how the actions was closed, e.g. by reference to the specific deliverable from the evaluator evidence in where the action was closed;
      • Per action item it shall be noted whether and when the certifier has approved its closure.
    • Send the meeting minutes and the updated project actions list to the meeting participants for confirmation (and in case of no NCCA participation: to the NCCA for information).
    • Revise the meeting minutes and project actions list based on comments received.

Note 1: No full meeting minutes are required to record every aspect of discussion, but rather these minutes serve as a record summary of issues discussed, the verdicts and conclusions made during the meeting.

Note 2: The meeting minutes and updated project actions list needs to be provided within 3 working days after the meeting.

3.2.4 Step 2.4: Generate final evaluation & certification reports

Generate final evaluation & certification reports
Action 2.4.1: Create final evaluator evidence:
Responsible: CAB | Executed by: Evaluator
  • Finalise all evaluator evidence
    • If not already done so for the final ERM, generate the Evaluation Technical Report (ETR) to collate all evaluator evidence and provide a conclusion of the overall verdict of the evaluation findings. Also generate a ETRfC, STAR and analysis of the ST-Lite, as applicable in accordance with the assessment plan.
    • Revise any evaluator evidence necessary to close action items from the project action list, documenting a disposition of how they have been addressed.
  • Verify all final evaluator evidence
    • Once all verdicts are Pass and the evaluator considers all action items addressed, the final package of evaluator evidence (including ETR and other documents) needs approval and authorization before submitting for formal CAB review.
  • Submit all final evaluator evidence
    • Send the final package of evaluator evidence, along with the project actions list, and a copy of the final ST (and ST-Lite, if applicable) to the certifier for formal review.
Action 2.4.2: Review final evaluator evidence:
Responsible: CAB | Executed by: Certifier
  • Receive final package of evaluator evidence, the project actions list, and final ST (and ST-Lite if applicable) from the evaluator
    • Ensure documents received are recorded in accordance with the ISO/IEC 17065.
  • Review final package of evaluator evidence
    • Determine whether all open action items from the project actions list have been addressed, and confirm closure or record items still not satisfactorily addressed in a Certifier Review Report.
    • Review all finalised evaluator evidence, ETR and other documents, and record any comment in a Certifier Review Report. The review must ensure that the evaluator conclusions are consistent with the evidence adduced and that the accepted evaluation criteria and evaluation methods have been correctly applied.
    • Check the final ST (and ST-Lite if applicable) for consistency with the final package of evaluator evidence and ensure that all ASE related comments are addressed.
  • Deliver Certifier Review Report to the evaluator and the certification auditor along with the associated package of evaluator evidence
    • If there are comments that require an update of the evaluator evidence, the Certifier Review Report is sent directly to the evaluator for the comments to be addressed and in copy to the certification auditor. This would require an iteration of Action 2.4.1: Create final evaluator evidence and Action 2.4.2: Review final evaluator evidence.
  • Close Review Reports
    • Once the certifier has confirmed all comments recorded in the Certifier Review Report have been closed, it can be closed with a formal acceptance of the evaluation work.
Action 2.4.3: Generate certification report:
Responsible: CAB | Executed by: Certifier
  • Generate certification report
    • Create a draft version of the Certification Report.
    • Check consistency with the mandatory EUCC content and format requirements of certification reports (ref. EUCC Annex V).
  • Create certificate
    • Create draft version of the Certificate.
    • Check consistency with the mandatory EUCC content and format requirements of certificates (ref. EUCC Annex VII and VIII).
    • Check EUCC validity requirements (ref. EUCC article 12), and update the certificate validity as appropriate.
  • Send draft certification report and certificate for review
    • Submit the draft Certification Report and draft certificate for review and acceptance to the evaluator (and in copy to the sponsor).
Action 2.4.4: Review certification report:
Responsible: CAB | Executed by: Evaluator | In cooperation with: Sponsor
  • Receive draft certification report and draft certificate
    • Receive the draft Certification Report and draft certificate from the certifier.
  • Assess draft certification report and draft certificate
    • Check the draft certification report for:
      • Correctness with the ST/PP and ETR, and any other inconsistencies
      • Proprietary information that is unsuitable for publication
    • Check the draft certificate for correctness with the ST/PP and ETR, and any other inconsistencies
    • Consult with the sponsor and accept the draft certification report and draft certificate.
  • Send review comments and/or acceptance to the certifier
    • The evaluator sends the review comments and/or acceptance to the certifier after consulting the sponsor.
Action 2.4.5: Submit request for approval:
Responsible: CAB | Executed by: Certifier
  • Finalise certification report
    • Receive comments and/or acceptance from the evaluator (and sponsor).
    • Update certification report and certificate based on received comments.
  • Decide on certification
    • In accordance with ISO/IEC 17065 the CAB needs to take a formal decision on certification based on the evaluation results and the review thereof.
  • Draft request for approval
  • Submit request
    • Gather the following documents:
      • The final ETR, including the underlying evaluator evidence (and the ETRfC and STAR if applicable)
      • The final ST (and ST-Lite if applicable)
      • The link to the sponsor’s website containing the supplementary cybersecurity information referred to in article 55 of the CSA
      • The Certifier Review Report(s) including the project actions list with the agreed dispositions
      • The certification report
      • The draft certificate
    • Send the request for approval form and the documents mentioned above to the NCCA.

The reception of the request for approval is a milestone for the NCCA after which the request has to be processed with the legally defined terms.

3.2.5 Step 2.5: Project monitoring

Certification is in general a process that continues for some weeks, if not months. The assessment plan on which the NCCA based its initial approval may therefore be subject to changes and these changes may require a renewed approval.

Also the certification process may be terminated prematurely on request of either the sponsor or the CAB. The NCCA may also terminate the certification process under certain conditions in which case the approval of the assessment plan is withdrawn by a revocation decision.

The above two activities are combined into an asynchronous step that can be executed independent of the other steps and are further described below.

Changes in the approved assessment plan

An assessment plan forms the baseline for the evaluation and certification work and the approval by the NCCA. As it is agreed upon by all involved parties it cannot be changed or executed in a different way by a single party. Possible changes that might have an impact can be categorised as follows:

  • Re-scheduling of milestones; these include both deliverables and review meetings: The assigned certification auditor (and if applicable external experts) expects to review meeting deliverables and attend ERMs based on the agreed planning. Time is reserved in their agenda which is difficult to re-allocate if deliverables are not submitted at the agreed date. The same is also true for the delivery date of the request for approval with its associated documents and any re-scheduling of meetings;
  • TOE scope changes: the (draft) ST/PP is reviewed during the notification phase, and is accepted as having a valid TOE scope by the approval of the assessment plan by the NCCA. Changes to the TOE scope mostly have an impact on the certification and evaluation work already performed and could in extreme cases even result in inappropriate removal of security features or inappropriate additions of assumptions;
  • Evaluation scope/approach changes: changes to the evaluation scope (e.g. more or less development sites to be audited), additional/different deliverables, or when additional review meetings are needed, will always have an impact on the evaluation and certification work and the approval of the assessment plan by the NCCA;
  • Certification project staffing assignment changes: the certification auditor only accepts deliverables that are authorized by the persons listed in the assessment plan.

All type of changes, including the rationale for the change, must be reported without undue delay so that their impact against the formal approval of assessment plan can be determined. Changes need to be communicated initially via e-mail. The impact is assessed by the NCCA as the assessment plan is used to verify that the evaluation and certification work has been conducted according to the assessment plan. This verification is part of the assessment of the CABs request to issue a certificate (see Action 3.1.3: Review ETR, CR and certificate). Based on its assessment, the NCCA may require the CAB to make an update of assessment plan so that an formal approval of it can be re-issued.

Changes in certification staffing (resulting in a change of point of contact at the CAB) and rescheduling of a ERM and meeting deliverables have to be communicated at the latest 5 working days before it was planned for the meeting deliverables to be sent to the NCCA/certification auditor. Preferably this change is communicated in combination with a proposal for a new delivery and meeting date. The NCCA/certification auditor will assess the change and where necessary seek agreement on a new delivery and meeting date. These type of changes generally do not require an update of the assessment plan.

An update to the assessment plan will generally be required when there is a change to the TOE scope or evaluation scope/approach. However it is not always the case that all certification scope/approach changes require an update to the assessment plan. For example, a change to discuss the ALC site audit checklist in ERM1 rather than ERM2 is a change in certification approach, but this change is considered minor and could be agreed by the NCCA through an e-mail.

Termination of the certification process

In most cases a certification is executed in accordance with the assessment plan and the delivery schedule mentioned, even though slight changes in the planned dates might occur.

However, if during a certification process there are no evaluation and certification activities for more than 6 months, the NCCA may decide to terminate the process so that resources are no longer allocated. In case of a monitored certification, the 6 months period will be calculated from the agreed date of the first upcoming ERM. When the certification is not monitored, the 6 Months will be calculated from the agreed delivery date of the request for approval.

In exceptional cases also the CAB may decide that they do not want to continue the certification. In this situation the NCCA must officially be informed of such request to terminate the certification process and the rationale for it.

In either case the NCCA will document its decision in a Termination Justification Report. Based on this a formal termination decision will be send after which the NCCA will close the project in the NCCA document management system.

3.3 Phase 3: Certification Approval Phase

Certification approval phase

3.3.1 Step 3.1: Assess request for approval

Assess request for approval
Action 3.1.1: Register request for approval:
Responsible: NCCA | Executed by: Certification auditor
  • Receive the request for approval
    • Receive (and decrypt if required) the request for approval form, and:
      • The final ETR, including the underlying evaluator evidence (and the ETRfC and STAR if applicable)
      • The final ST (and ST-Lite if applicable)
      • The link to the sponsor’s website containing the supplementary cybersecurity information referred to in article 55 of the CSA
      • The Certifier Review Report(s) including an overview of the disposition of action items
      • The certification report
      • The draft certificate
    • Archive and register the request for approval and associated documents in the NCCA document management system.
    • Confirm the reception of the request for approval to the CAB.
Action 3.1.2: Check request for approval for completeness and correctness:
Responsible: NCCA | Executed by: Certification auditor
  • Create Approval Review Report
    • Create an Approval Review Report to document any discussions and comments related to the notification.

Note: The Approval Review Report is intended to collect findings on the request for approval document, and forms the basis for the formal approval or rejection to issue a certificate.

  • Check the request for approval for completeness
    • Perform a high level check on the following items as a minimum:
      • Does the request for approval include all required documents?
      • Are all required fields in the request for approval form filled in?
      • Is the request for approval form signed by the CAB?
      • Is the accreditation of the CAB still valid (i.e. not suspended or revoked)?
      • Is the CAB still authorised?
    • Notify CAB in case the request for approval is incomplete and request missing information.
    • Update the Approval Review Report with findings.
    • Continue with Action 3.1.4: Issue formal approval or rejection to issue certificate in case the request for approval remains incomplete. This will lead to a rejection to issue a certificate. Otherwise continue with Action 3.1.3: Review ETR, CR and certificate.
Action 3.1.3: Review ETR, CR and certificate:
Responsible: NCCA | Executed by: Certification auditor | In cooperation with: Optionally with an external expert
  • Inform external expert
    • If an external expert is involved, provide the external expert with the request for approval and associated documents.
  • Review the Certifier Review Report(s) and overview of the disposition of action items
    • Perform a detailed review of the Certifier Review Report(s) and overview of the disposition of action items based on the Approval review checklist and the knowledge gained while attending the ERMs (if applicable). Focus areas are:
      • Determination that the certifier did a thorough review of the final ETR, including the underlying evaluator evidence and the ETRfC and STAR if applicable. Check that the certifier has verified the:
        • Correct application of the evaluation methodology;
        • Correctness of the completed evaluator checklist;
        • Consistency in version numbers of the final ETR, including the underlying evaluator evidence and the ETRfC and STAR if applicable, the product evaluated, including the ST (and ST-Lite if applicable) and its guidance documentation.
      • Closure and correct disposition of the action items.
    • Discuss any items that are unclear with the CAB to gain necessary clarification in order to finalise the review.
    • Update the Approval Review Report with findings.
  • Review the certification report and draft certificate
    • Perform a detailed review of the certification report and draft certificate based on the Approval review checklist. Focus areas are:
      • Consistency with the ETR, including version numbers.
      • Consistency with the mandatory content and format requirements of EUCC scheme certificates and certification reports.
    • Discuss any items that are unclear with the CAB to gain necessary clarification in order to finalise the review.
    • Update the Approval Review Report with findings.
  • Review the executed evaluation and certification process
    • Check that the evaluation and certification process was executed in conformance with the approved assessment plan.
    • Update and finalise the Approval Review Report with findings.
Action 3.1.4: Issue formal approval or rejection to issue certificate:
Responsible: NCCA | Executed by: Audit supervisor
  • Validation of the Approval Review Report
    • Check if the Approval Review Report is complete, correct and consistent.
    • Sign off the Approval Review Report.
  • Draft a formal approval or rejection letter
    • Fill-in the applicable NCCA letter template.
    • Have the applicable letter signed.
  • Submit the formal approval or rejection letter to the CAB
    • Send the letter to the CAB.

The approval to issue a certificate is a milestone for the CAB after which the certificate can be formally issued.

In case of rejection the certification process stops and the CAB is not allowed to issue an EUCC certificate. A new submission of a corrected Request for Approval is required to restart the process.

3.3.2 Step 3.2: Issue certificate

Issue certificate
Action 3.2.1: Finalise and sign certificate:
Responsible: CAB | Executed by: Certifier/Certifications manager
  • Receive approval to issue certificate
    • Record approval in accordance with the applicable certification procedure.
  • Pre-notify ENISA
    • Request ENISA for a specific EUCC mark and label, including a QR-code to be placed on the certificate.

Note: ENISA will develop a procedure for the release of the EUCC mark and label, including the QR code. This most likely will involve the CAB to provide a XML file containing information derived from the Certification Report.

  • Update certificate
    • Update the certificate with the EUCC mark and label.
  • Sign certificate
    • Have the certificate signed by an authorised person.
Action 3.2.2: Update directory of certified products:
Responsible: CAB | Executed by: Certifier/Certifications manager
  • Register certification
    • Add the certification to the directory of certified products.
    • Publish the certification on the CAB’s website (when appropriate).
  • Close certification files
    • Finish certification project and archive all files in accordance with applicable certification procedures.

Note: In accordance with EUCC (article 40), all records shall be securely and accessibly stored for a period of at least five (5) years after the withdrawal of the certificate.

Action 3.2.3: Notify on certificate issuance:
Responsible: CAB | Executed by: Certifier/Certifications manager
  • Notify Sponsor
    • Inform sponsor that the certificate has been issued.
    • Send certificate in electronic form to the sponsor. A paper version may additionally be provided.
  • Notify NCCA
    • Inform NCCA that the certificate has been issued.
    • Send certificate, certification report and final ST(ST-Lite)/PP in PDF-form to the NCCA.
  • Notify ENISA
    • Inform ENISA that the certificate has been issued.
    • Send certificate, certification report and final ST(ST-Lite)/PP in PDF-form to ENISA in accordance to their prescribes procedures.

3.3.3 Step 3.3: Conclude approval process

Conclude approval process
Action 3.3.1: Conclude approval process:
Responsible: NCCA | Executed by: Certification Auditor
  • Receive certificate and related documents
    • Receive the certificate, certification report and final ST(ST-Lite)/PP.
    • Archive and register the documents in the NCCA document management system.
  • Publish certification on CCRA website4
    • Publish the certificate, certification report and final ST(ST-Lite)/PP on the commoncriteriaportal.org website.
      • Login to the member section of the CCRA website
      • Go to CCRA area
      • Add certification record and complete web entry.
    • Notify sponsor and CAB that the certification has been published on the CCRA website.
  • Close audit file
    • Close the project in the NCCA document management system.

4. Assurance continuity process

This chapter is work in progress and will be updated in the near future. The text below may serve as a guideline on how the maintenance process will be implemented. In any case the requirements from both EUCC Annex IV “Assurance Continuity and certificate review” and the CCRA supporting document “Assurance Continuity: CCRA Requirements” apply whereby the EUCC requirements take precedence.

In accordance with EUCC Annex IV “Assurance Continuity and certificate review” the sponsor can apply for a review of the certificate in in the following cases:

  • the EUCC certificate is due to expire within nine months;
  • there has been a change either in the certified TOE or in another factor which could impact its security functionality;
  • the sponsor demands that the vulnerability assessment is carried out again in order to reconfirm the EUCC certificate’s assurance associated with the TOE’s resistance against present cyberattacks.

The CAB that issued the certificate will then perform maintenance activities related to the following:

  • a re-assessment if an unchanged certified ICT product still meets its security requirements;
  • an evaluation of the impacts of changes to a certified ICT product on its certification;
  • if included in the certification, the application of patches in accordance with an assessed patch management process;
  • if included, the review of the certificate holder’s lifecycle management or production processes.

The following procedure applies:

  • The sponsor submits an application form to the CAB with the request to perform the necessary activities to update the certificate. This step is similar to Step 1.1: Prepare for certification;
  • In case the sponsor applies for an evaluation of the impacts of changes to a certified ICT product on its certification, the CAB assesses the IAR in consultation with the original ITSEF and decides whether a maintenance process can be followed or that re-certification is necessary;
  • The NCCA template NT003 - EUCC notification form shall refer to an Impact Analysis Report (IAR) as defined in the CCRA supporting document “Assurance Continuity: CCRA Requirements”;

Remarks:

  • In case of re-certification the standard procedure defined in Phase 2: Evaluation and Review Phase is applied. Depending on the nature of the alterations, it is possible that items from the earlier certification (of the ‘same’ TOE) are re-used. The details of the certification process and the options for re-use shall described in the assessment plan.

5. The vulnerability management and disclosure process

This chapter is work in progress and will be updated in the near future. In any case the requirements from EUCC Chapter VI “Vulnerability management and disclosure” apply.