Scheme Background

MyCC: Scheme Background

About MyCC

Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme is a systematic process for evaluating and certifying the security functionality of ICT products against defined criteria or standards. It is important to have a scheme to ensure high standards of competence and impartiality are maintained, and that consistency is achieved.

MyCC Scheme evaluates and certifies the security functionality within ICT products against ISO/IEC 15408 standard which is known as Common Criteria (CC). The methodology use in the evaluation is also a recognised standard known as Common Evaluation Methodology (CEM) or ISO/IEC 18045.

Based on the Common Criteria Recognition Arrangement (CCRA) requirement, a scheme is managed by a sole Certification Body (CB). The Certification Body for the MyCC Scheme is known as Malaysian Common Criteria Certification Body (MyCB), a department within CyberSecurity Malaysia. MyCB is responsible for carrying out certification and overseeing the day-to-day management and operation of the scheme. MyCB is independent from the Evaluation Facilities.

This scheme also consists of an Evaluation Facility, besides the CB. The main responsibility is to carry out security evaluations against agreed standards in an independently accredited environment. The Evaluation Facility for the MyCC Scheme is known as Malaysian Security Evaluation Facility (MySEF). Currently there is one potential MySEF, a unit within Security Assurance Department in CyberSecurity Malaysia, that are qualified and currently in the process of obtaining the license from MyCB.

History

Malaysia is one of the main manufacturers for information, communication and technology (ICT) products for local and international market. To be accepted globally, these products need to fulfil certain requirements from other countries especially when these products need to be implemented in critical sectors.

Nowadays, the consumers are looking for an assurance that the security functions of the product are functioning as claimed by the developer. This can be achieved if the product is evaluated by an independent evaluation facility and certified by an independent certification body using the recognise standards.

Recognising the importance of security assurance of ICT products and systems, measures will be undertaken to provide security evaluation and certification programme based on international standards. Therefore, a research had been conducted by CyberSecurity Malaysia to identify the recognise standards and methodology that can be used in security evaluation and certification.

Common Criteria (CC) or ISO/IEC 15408 has been identified as a recognise standard for information technology security evaluation. While Common Evaluation Methodology (CEM) or ISO/IEC 18045 has been identified as recognise common methodology for information technology security evaluation.

To recognise the certificates that had been produced by countries that using CC and CEM, an arrangement had been established between these countries. This arrangement is called Common Criteria Recognition Arrangement (CCRA). Details of the arrangement can be found at Mutual Recognition and www.commoncriteriaportal.org

Malaysia through CyberSecurity Malaysia, an agency under MOSTI, has been accepted as CCRA Consuming Participant on 28 March 2007. To be recognised as CCRA Authorising Participant, a national scheme and its components need to be established. Thus, the development of the MyCC Scheme commenced in 2006 which is driven from 9th Malaysian Plan (2006-2010). The implementation is also supported by the 2005 National Cyber Security Policy (NCSP).

Further details on MyCC Scheme can be found in the MyCC Scheme publication.

Certification Benefits

Improve the competitiveness of Malaysian ICT products in a global ICT market
The Common Criteria (CC) provides a benchmark for comparing and contrasting the security features implemented in ICT products. Malaysian ICT products can leverage the CC benchmark to compete effectively against similar categories of products on the global ICT market.
Enhance Malaysia's reputation as a provider of ICT security assurance services globally
Being part of the Common Criteria Recognition Arrangement (CCRA) as certificate consumer participant, ultimately as a certificate authorising participant, enhances Malaysia's reputation in the provision of ICT security assurance services related to ICT product security evaluation.
Gain access to international markets for Malaysian ICT products
Through its intended participation in the CCRA as a certificate authorising participant, Malaysian ICT products with ICT security certification will receive immediate recognition across the many participating countries to the arrangement.
Enhance the security of Malaysia's information infrastructure by making available a suite of independently security assured ICT products
Independently security certified products offer increased assurance in their implemented security features over developer asserted security features. Deployment of these products in well managed Malaysia's information infrastructure will provide greater assurance in the protection of this infrastructure.
Enhance the security of Malaysian ICT products through rigorous independent security analysis
The rigorous independent analysis of the security features of ICT security products is targeted at the discovery and correction of vulnerabilities. Vulnerabilities discovered during evaluation can be corrected by developers adding value to the certification process and the security of the product undergoing evaluation.

Services

Certification and Evaluation Services

The MyCC Scheme offers the following certification and evaluation services to customers:

Security evaluation and certification of ICT products and systems (called a Target of Evaluation (TOE))
Impartial assessment of the security of a TOE against a set of functional and assurance claims using ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (Common Evaluation Methodology).

Certification provides independent confirmation of the evaluation results validity. Furthermore, it will also prove that the TOE meets its security requirements at a defined level of assurance. This service provides customers confidence in the security functionality provided by a TOE.
Security evaluation and certification of CC Protection Profiles
The Common Criteria allow consumer, especially in consumer groups and communities of interest, to express their security needs for a type of product in an unambiguous manner. This can be done by writing an implementation-independent structure document call a Protection Profile (PP).

Evaluating a PP is required to demonstrate that the PP is sound and internally consistent. These properties are necessary for the PP to be suitable for use as the basis for writing a Security Target (ST) and guidance for the developers to develop a product or system that meet the consumers needs.

This assessment uses ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (Common Evaluation Methodology) and in conformance with MyCC Scheme Rules.

Certification provides independent confirmation of the evaluation results validity. Furthermore, it will also give a level of confidence that the PP solves the stated security problem. This service provides customers with validated security requirements to support selection and procurement of ICT products.
Maintenance of assurance for security certified ICT products and systems
Maintenance of assurance is a voluntary process that leverages a certified TOE baseline as changes are made to the certified TOE. The MyCC Scheme has adopted the CCRA compliant process for assurance continuity or for maintenance of assurance in a TOE certified within the MyCC Scheme.

This service recognises that as changes are made to a certified TOE or its environment, evaluation work previously performed need not to be repeated in all circumstances. This approach will minimise the redundancy in the security evaluation. There are two processes.

Maintenance of assurance provides customers with a cost effective method of maintaining the same assurance level for a certified TOE after modification and update throughout its normal lifecycle.
Recognition of CCRA certificates for special purposes
Services that facilitate the recognition of an ICT product that has been security certified externally to the MyCC Scheme under the CCRA. In some circumstances, Malaysian national security and/or procurement policy MAY:
- Require additional assurance activities be undertaken for usage of a certified ICT product in certain applications; and/or
- Qualification criteria for a certified ICT product to be marketed in Malaysia.
This service provides customers with specific Malaysia national security requirements confidence that CC certified ICT products from other schemes meet these requirements.

Supporting Services

To support the delivery of certification and evaluation services, the MyCC Scheme deliver the following additional services:

Management of national and international interpretations of ISO/IEC 15408 (Common Criteria), ISO/IEC 18045 (Common Evaluation Methodology), MyCC Scheme rules (MyCC_P1) and associated MyCC Scheme publications;
Engagement with CCRA member countries and participation in the development and maintenance of the CCRA, ISO/IEC 15408 and ISO/ IEC 18045 on behalf of the Malaysian Government;
Operation and maintenance of management systems for the Malaysian Common Criteria Certification Body (MyCB);
Provision of support to third party assessors for the purpose of assessing compliance of the MyCC Scheme with CCRA requirements (Voluntary periodic assessment), accreditation of the MyCB to MS-ISO/IEC Guide 65 and accreditation of MySEFs to MS-ISO/IEC 17025;
Provision of CC Training and Development for MyCC Scheme Certifiers, MySEF Evaluators and customers;
Management of MyCC Scheme publications including the MyCC Scheme Certified Products Register (MyCPR) that lists MyCC Scheme certification and evaluation projects;
and Licensing and management of Malaysian Security Evaluation Facilities.

Further details on MyCC Scheme services can be found in the MyCC Scheme Requirement.

Roles and Responsibility

The structure of the MyCC Scheme is illustrated in the figure below:

MyCC Scheme Head:

Own by CyberSecurity Malaysia.
The CEO of CyberSecurity Malaysia acted as MyCC Scheme Head and responsible in:
- Establishing and communicating the strategic direction for the MyCC Scheme.
- Establishing the MyCC Scheme policy and rules.
- Member of the MyCC Scheme Management Board and Certification Subcommittee.

MyCC Scheme Management Board:

Composed of at least 5 Malaysian government and industry members.
Independent from day-to-day management and operation of the MyCC Scheme.
Provide strategic advice, guidance and recommendations in relation to the overall direction and policy of the MyCC Scheme.

MyCC Certification Subcommittee:

Impartial group delegated by the MyCC Scheme Management Board to:
- Certify an ICT product, system or protection profile evaluation completed by a licensed MySEF.
- Maintain or extend a certification for an ICT product or system.
- Withdraw certification for an ICT product, system or protection profile.

MyCC Scheme Manager:

Instigate the MyCC Scheme policy;
Manage the MyCBs department.
Established relationship with licensed MySEFs.

MySEF Lab Manager:

Manage the MySEFs department.
Established relationship with licensed MyCB.
An authorised MS-ISO/IEC 17025 signatory.

Senior MyCC Certifier:

Ensuring the effective application of IT security evaluation criteria by both evaluators and certifiers.
Ensuring the highest standards of competence and impartiality are maintained and consistency is achieved across all evaluation and certification activities.

Senior MySEF Evaluator:

Ensuring the effective application of IT security evaluation criteria for evaluations conducted within the MySEF;
The continuous application of the MySEF Management System to the conduct of evaluations within the MySEF
Acting as an MS-ISO/IEC 17025 authorised signatory for evaluation work.

MyCC Certifier:

Responsible for day-to-day evaluation projects under the direction of the Senior MySEF Evaluator and in compliance with the MySEF Management System.

MyCC CB Quality Manager:

Responsible for the maintenance of the MyCB Management System.
Conduct reviews of the application of the management system within MyCB.
Provides outcomes of management system reviews to the MyCC Scheme Management Board in order to ensure impartiality of certification services.

MySEF Quality Manager:

Responsible for maintenance of the MySEF Management System.
Conduct reviews for the application of the management system within the MySEF.

MySEF Evaluator:

Responsible for day-to-day evaluation projects under the direction of the Senior MySEF Evaluator and in compliance with the MySEF Management System.

About MyCPR

MyCC Scheme Certified Products Register (MyCPR)

MyCC Scheme Certified Products Register (MyCPR) is a list of certified ICT products, systems and Protection Profiles, those undergoing evaluation and those recognised from other CCRA certified authorising participants.

MyCPR function is to assist interested parties on matters relating to the selection and implementation of the certified ICT products and systems. However, information in the MyCPR is limited to the performance of those products against the assurance levels and standards specified in the Common Criteria (CC).

The evaluation results are published in the Certification Report which contains detailed information, including any clarification of the scope of the evaluation, and provides recommendations for the secure use of the product.

Consumers using the MyCPR should be aware that the evaluated portion of a product may not include all the security functionality of the product. Therefore, it is encouraged to download and understand the Security Target and Certification Report for evaluated products to assess its suitability to meet the security needs of the consumers’ organisation.

MyCPR consist of:

Publication

MyCC Scheme publications are designed to provide guidance and step-by-step instructions for MyCC Scheme stakeholders. MyCC Scheme Publications is illustrated in the figure below:

Documents

Readers should contact the MyCC Scheme via the Contact Us detail if they have specific questions in relation to the information provided in MyCC Scheme publications or in relation to the MyCC Scheme Certified Products Register (MyCPR).

MyCC Scheme Other Publications

CCRA Publications

Common Criteria (CC)

Common Evaluation Methodology (CEM)

The official version of Common Criteria (CC) and CEM is version 3.1. The previous versions can be found at http://www.commoncriteriaportal.org/cc

Other related CCRA supporting documents can be found at
http://www.commoncriteriaportal.org/cc

Disputes, Complaints & Appeals Procedure

MyCC Scheme Fee Structure

MyCB recovers costs for the delivery of MyCC Scheme services through a fee for service charging model which includes:

Certification fee – fixed fee (this fee covers only certification process where it does not include any cost that is agreed separately between MySEF and sponsor, site visit cost, training cost)

Evaluation Assurance Level	Certification Assurance Fees
EAL1	RM 16,000
EAL2	RM 16,000
EAL3	RM 31,000
EAL4	RM 31,000
EAL5	RM 74,000
EAL6	RM 74,000
EAL7	RM 74,000

Assurance maintenance fee – RM 3,500 (Incl GST)

MySEF license application fee – RM 25,000 (this fee covers the costs of MyCB assessment activities during the licensing process)
MySEF license renewal fee – RM 25,000 (First Year) and RM 5,000 (Annualy for three consequent years)

These fees contribute to funding CCRA commitment and other supporting functions such as marketing and awareness initiatives.

Interpretation

An interpretation is an expert technical judgement of the meaning or method of application of any technical aspect of the CCRA, CC, CEM, MyCC Scheme rules and MyCC Scheme publications. There are 2 classes of interpretations:

National Interpretation – an interpretation of the CC, CEM or MyCC Scheme rules and MyCC Scheme publications that is applicable with the MyCC Scheme only.
International Interpretation – an interpretation of the CC or CEM issued by the Common Criteria Management Board (CCMB) that is applicable to all CCRA participants.

MyCB shall be the authority for managing both interpretations. Request for interpretation (RI) can be accepted from any interested parties including Sponsors, Developer, Consumers, Evaluators and Certifiers using the RI form.

The MyCC Scheme national and international interpretations process comprises of four business functions:

Register Interpretation – The function for formally receiving a request for interpretation for future consideration or a final interpretation from the CCMB.
Review Interpretation Request – The function for conducting a technical review of an interpretation request, possibly through a technical review meeting of experts, with a decision or otherwise to publish a draft interpretation. The outcome being advised to the original requestor where necessary.
Publish Draft of MyCC Scheme Interpretation – The function for publishing a draft interpretation for comment by interested parties.
Finalise MyCC Scheme Interpretation – The function for finalising the interpretation, publishing it and making any updates to the MyCC Scheme documentation, and if necessary, escalating the interpretation to the CCMB. A CCMB interpretation is also published through this function.

Further detail is provided in the MyCC Scheme Requirement

National Interpretation

Currently, there is no national interpretations of CC, CEM, MyCC Scheme rules or MyCC Scheme publications.

International Interpretation

Please refer to http://www.commoncriteriaportal.org/interpretations.html.

Common Criteria Recognition Arrangement (CCRA)

Malaysia has been accepted as CCRA Certificate Authorizing Member on 27 September 2011.

Common Criteria Recognition Arrangement (CCRA) was established in May 2000. The CCRA allows for mutual recognition of evaluation results, which creates value for ICT product vendors by allowing them to conduct an evaluation of their ICT product in one participating country and have the result recognised across all participating countries to the CCRA. There are 2 types of CCRA membership:

Certificate Consuming Members – These participants to the arrangement recognise the results of evaluations and certificates of all Certificate Authorising Participants.

Certificate Authorizing Members – These participants operate CCRA compliant Common Criteria certification schemes that produce certificates under the rules of the CCRA.

Please visit https://www.commoncriteriaportal.org for the details.

Licensed MySEF

Malaysian Security Evaluation Facility (MySEF)

Malaysian Security Evaluation Facilities (MySEFs) are responsible to carry out evaluations and independent from the developers of the ICT products or Protection Profiles evaluated. MySEFs conduct security evaluations against international standard ISO/IEC 15408 or Common Criteria (CC) using ISO/IEC 18405 or Common Evaluation Methodology (CEM) in an independently accredited environment based on MS ISO/IEC 17025 within the MyCC Scheme rules.

Any organisation wishing to become a MySEF is required to apply to MyCB. The details of the licensing application, operation and management can be found in MyCC Scheme Requirement (MYCC_REQ) and MyCC Scheme Evaluation Facility Manual (ISCB_EFM).

Organisation that have fulfilled the requirements in Section 4.6.5 of the MyCC Scheme Policy (MyCC_P1) and Section 2 of the MyCC Scheme Evaluation Facility Manual (MyCC_P3), will be granted license to operate as MySEF under the MyCC Scheme.

List of Licensed MySEF - ISO/IEC 17025 Accredited

MySEF	Address and Contact No.	Contact Person
CyberSecurity Malaysia MySEF	CyberSecurity Malaysia, Level 7 Tower 1, Menara Cyber Axis, Jalan Impact, 63000 Cyberjaya, Selangor Darul Ehsan, Malaysia. Phone : +603 8800 7999 Fax : +603 8008 7000 Email : This email address is being protected from spambots. You need JavaScript enabled to view it. URL : http://www.cybersecurity.my/en/our_services/mysef/main/detail/2658/index.html	Norahana Salimin
BAE Systems Applied Intelligence MySEF	Level 28, Menara Binjai, 2 Jalan Binjai, Kuala Lumpur, 50450, Malaysia Phone : 603 2191 3014 Fax : 603 2191 3101 Email : This email address is being protected from spambots. You need JavaScript enabled to view it. URL : http://www.baesystems.com/ai	Mithra Ravendran
Securelytics SEF	A-19-06, Tower A, ATRIA SOFO SUITES, Jalan SS 22/23, 47400, Damansara Jaya, Petaling Jaya Selangor, MALAYSIA Phone : +6012 366 7865 Email : This email address is being protected from spambots. You need JavaScript enabled to view it. URL : http://www.securelytics.my/common-criteria/	Muzamir Mohamad
Cybertronics Lab	Across Verticals Sdn. Bhd. Unit C-5-15, Centrum Oasis Corporate Park No. 2, Jalan PJU 1a/2 Ara Damansara 47301 Petaling Jaya, Selangor Phone: +60-3 - 7627 4060 Fax: +60-3 - 7627 4070 Email: This email address is being protected from spambots. You need JavaScript enabled to view it. URL: www.acrossverticals.com	Saurabh Sarawat
TÜV AUSTRIA Cybersecurity Lab Sdn. Bhd.	A-11-01, Empire Office Tower, Jalan SS 16/1, 47500 Subang Jaya, Selangor, Malaysia Phone: 603-5879 7744 Fax: +603-5879 7784 Email: This email address is being protected from spambots. You need JavaScript enabled to view it. URL: www.tuv-cybersecurity.com	Tiger Teng