Certification Benefits

1. Improve the competitiveness of Malaysian ICT products in a global ICT market
   The Common Criteria (CC) provides a benchmark for comparing and contrasting the security features implemented in ICT products. Malaysian ICT products can leverage the CC benchmark to compete effectively against similar categories of products on the global ICT market.
   
   
2. Enhance Malaysia's reputation as a provider of ICT security assurance services globally
   Being part of the Common Criteria Recognition Arrangement (CCRA) as certificate consumer participant, ultimately as a certificate authorising participant, enhances Malaysia's reputation in the provision of ICT security assurance services related to ICT product security evaluation.
   
   
3. Gain access to international markets for Malaysian ICT products
   Through its intended participation in the CCRA as a certificate authorising participant, Malaysian ICT products with ICT security certification will receive immediate recognition across the many participating countries to the arrangement.
   
   
4. Enhance the security of Malaysia's information infrastructure by making available a suite of independently security assured ICT products
   Independently security certified products offer increased assurance in their implemented security features over developer asserted security features. Deployment of these products in well managed Malaysia's information infrastructure will provide greater assurance in the protection of this infrastructure.
   
   
5. Enhance the security of Malaysian ICT products through rigorous independent security analysis
   The rigorous independent analysis of the security features of ICT security products is targeted at the discovery and correction of vulnerabilities. Vulnerabilities discovered during evaluation can be corrected by developers adding value to the certification process and the security of the product undergoing evaluation.

Services

Certification and Evaluation Services

The MyCC Scheme offers the following certification and evaluation services to customers:

1. Security evaluation and certification of ICT products and systems (called a Target of Evaluation (TOE))
   Impartial assessment of the security of a TOE against a set of functional and assurance claims using ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (Common Evaluation Methodology).
   
   Certification provides independent confirmation of the evaluation results validity. Furthermore, it will also prove that the TOE meets its security requirements at a defined level of assurance. This service provides customers confidence in the security functionality provided by a TOE.
   
   
2. Security evaluation and certification of CC Protection Profiles
   The Common Criteria allow consumer, especially in consumer groups and communities of interest, to express their security needs for a type of product in an unambiguous manner. This can be done by writing an implementation-independent structure document call a Protection Profile (PP).
   
   Evaluating a PP is required to demonstrate that the PP is sound and internally consistent. These properties are necessary for the PP to be suitable for use as the basis for writing a Security Target (ST) and guidance for the developers to develop a product or system that meet the consumers needs.
   
   This assessment uses ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (Common Evaluation Methodology) and in conformance with MyCC Scheme Rules.
   
   Certification provides independent confirmation of the evaluation results validity. Furthermore, it will also give a level of confidence that the PP solves the stated security problem. This service provides customers with validated security requirements to support selection and procurement of ICT products.
   
   
3. Maintenance of assurance for security certified ICT products and systems
   Maintenance of assurance is a voluntary process that leverages a certified TOE baseline as changes are made to the certified TOE. The MyCC Scheme has adopted the CCRA compliant process for assurance continuity or for maintenance of assurance in a TOE certified within the MyCC Scheme.
   
   This service recognises that as changes are made to a certified TOE or its environment, evaluation work previously performed need not to be repeated in all circumstances. This approach will minimise the redundancy in the security evaluation. There are two processes.
   
   Maintenance of assurance provides customers with a cost effective method of maintaining the same assurance level for a certified TOE after modification and update throughout its normal lifecycle.
   
   
4. Recognition of CCRA certificates for special purposes
   Services that facilitate the recognition of an ICT product that has been security certified externally to the MyCC Scheme under the CCRA. In some circumstances, Malaysian national security and/or procurement policy MAY:
   
   • Require additional assurance activities be undertaken for usage of a certified ICT product in certain applications; and/or
   • Qualification criteria for a certified ICT product to be marketed in Malaysia.

   
   This service provides customers with specific Malaysia national security requirements confidence that CC certified ICT products from other schemes meet these requirements.

Supporting Services

To support the delivery of certification and evaluation services, the MyCC Scheme deliver the following additional services:

1. Management of national and international interpretations of ISO/IEC 15408 (Common Criteria), ISO/IEC 18045 (Common Evaluation Methodology), MyCC Scheme rules (MyCC_P1) and associated MyCC Scheme publications;
2. Engagement with CCRA member countries and participation in the development and maintenance of the CCRA, ISO/IEC 15408 and ISO/ IEC 18045 on behalf of the Malaysian Government;
3. Operation and maintenance of management systems for the Malaysian Common Criteria Certification Body (MyCB);
4. Provision of support to third party assessors for the purpose of assessing compliance of the MyCC Scheme with CCRA requirements (Voluntary periodic assessment), accreditation of the MyCB to MS-ISO/IEC Guide 65 and accreditation of MySEFs to MS-ISO/IEC 17025;
5. Provision of CC Training and Development for MyCC Scheme Certifiers, MySEF Evaluators and customers;
6. Management of MyCC Scheme publications including the MyCC Scheme Certified Products Register (MyCPR) that lists MyCC Scheme certification and evaluation projects;
7. and Licensing and management of Malaysian Security Evaluation Facilities.

Further details on MyCC Scheme services can be found in the MyCC Scheme Requirement.

Roles and Responsibility

The structure of the MyCC Scheme is illustrated in the figure below:

MyCC Scheme Head:

• Own by CyberSecurity Malaysia.
• The CEO of CyberSecurity Malaysia acted as MyCC Scheme Head and responsible in:
  • Establishing and communicating the strategic direction for the MyCC Scheme.
  • Establishing the MyCC Scheme policy and rules.
  • Member of the MyCC Scheme Management Board and Certification Subcommittee.

MyCC Scheme Management Board:

• Composed of at least 5 Malaysian government and industry members.
• Independent from day-to-day management and operation of the MyCC Scheme.
• Provide strategic advice, guidance and recommendations in relation to the overall direction and policy of the MyCC Scheme.

MyCC Certification Subcommittee:

• Impartial group delegated by the MyCC Scheme Management Board to:
  • Certify an ICT product, system or protection profile evaluation completed by a licensed MySEF.
  • Maintain or extend a certification for an ICT product or system.
  • Withdraw certification for an ICT product, system or protection profile.

MyCC Scheme Manager:

• Instigate the MyCC Scheme policy;
• Manage the MyCBs department.
• Established relationship with licensed MySEFs.

MySEF Lab Manager:

• Manage the MySEFs department.
• Established relationship with licensed MyCB.
• An authorised MS-ISO/IEC 17025 signatory.

Senior MyCC Certifier:

• Ensuring the effective application of IT security evaluation criteria by both evaluators and certifiers.
• Ensuring the highest standards of competence and impartiality are maintained and consistency is achieved across all evaluation and certification activities.

Senior MySEF Evaluator:

• Ensuring the effective application of IT security evaluation criteria for evaluations conducted within the MySEF;
• The continuous application of the MySEF Management System to the conduct of evaluations within the MySEF
• Acting as an MS-ISO/IEC 17025 authorised signatory for evaluation work.

MyCC Certifier:

• Responsible for day-to-day evaluation projects under the direction of the Senior MySEF Evaluator and in compliance with the MySEF Management System.

MyCC CB Quality Manager:

• Responsible for the maintenance of the MyCB Management System.
• Conduct reviews of the application of the management system within MyCB.
• Provides outcomes of management system reviews to the MyCC Scheme Management Board in order to ensure impartiality of certification services.

MySEF Quality Manager:

• Responsible for maintenance of the MySEF Management System.
• Conduct reviews for the application of the management system within the MySEF.

MySEF Evaluator:

• Responsible for day-to-day evaluation projects under the direction of the Senior MySEF Evaluator and in compliance with the MySEF Management System.

About MyCPR

MyCC Scheme Certified Products Register (MyCPR)

MyCC Scheme Certified Products Register (MyCPR) is a list of certified ICT products, systems and Protection Profiles, those undergoing evaluation and those recognised from other CCRA certified authorising participants.

MyCPR function is to assist interested parties on matters relating to the selection and implementation of the certified ICT products and systems. However, information in the MyCPR is limited to the performance of those products against the assurance levels and standards specified in the Common Criteria (CC).

The evaluation results are published in the Certification Report which contains detailed information, including any clarification of the scope of the evaluation, and provides recommendations for the secure use of the product.

Consumers using the MyCPR should be aware that the evaluated portion of a product may not include all the security functionality of the product. Therefore, it is encouraged to download and understand the Security Target and Certification Report for evaluated products to assess its suitability to meet the security needs of the consumers’ organisation.

MyCPR consist of:

• List of Certified Products and Systems
• List of Products and Systems Under Evaluation
• List of Recognition of CCRA Certificates

Publication

MyCC Scheme publications are designed to provide guidance and step-by-step instructions for MyCC Scheme stakeholders. MyCC Scheme Publications is illustrated in the figure below:

Documents

• MyCC Scheme Requirement (MyCC_REQ)

Readers should contact the MyCC Scheme via the Contact Us detail if they have specific questions in relation to the information provided in MyCC Scheme publications or in relation to the MyCC Scheme Certified Products Register (MyCPR).

MyCC Scheme Other Publications

• Disputes, Complaints and Appeals Procedure
• MyCC Scheme Fee Structure
• Interpretation
• Terms & Conditions of using MyCC & CCRA Certification Mark

CCRA Publications

Common Criteria (CC)

• Part 1: Introduction and General Model
• Part 2: Security Functional Requirements
• Part 3: Security Assurance Requirements
• Part 4: Framework for the specification of evaluation methods and activities
• Part 5: Pre-defined packages of security requirements

Common Evaluation Methodology (CEM)

The official version of Common Criteria (CC) and CEM is version 3.1. The previous versions can be found at http://www.commoncriteriaportal.org/cc

Other related CCRA supporting documents can be found at
http://www.commoncriteriaportal.org/cc

Disputes, Complaints & Appeals Procedure

Click here

MyCC Scheme Fee

MyCB recover the costs for delivery of MyCC Scheme services through a service charge fees which includes:

• Certification fee – this fixed fee covers only for the certification process under MyCB where it does not include any cost that is separately agreed between MySEF and the Sponsor, or any incidental cost such as cost for site visit or training

Evaluation Assurance Level	Certification Assurance Fees
EAL1	RM 16,000
EAL2	RM 16,000
EAL3	RM 31,000
EAL4	RM 31,000
EAL5	RM 74,000
EAL6	RM 74,000
EAL7	RM 74,000

• MySEF license new application and renewal fee – RM 25,000 (the fee includes the costs of MySEF new application / renew assessment and licensing agreement with MyCB)
• MySEF annual license fee - RM 5,000 (this is annually charge for three consequent year after the first year license)

These fees will contribute to funding the CCRA commitment and other supporting functions such as marketing or awareness initiatives.

Interpretation

An interpretation is an expert technical judgement of the meaning or method of application of any technical aspect of the CCRA, CC, CEM, MyCC Scheme rules and MyCC Scheme publications. There are 2 classes of interpretations:

• National Interpretation – an interpretation of the CC, CEM or MyCC Scheme rules and MyCC Scheme publications that is applicable with the MyCC Scheme only.
  
  
• International Interpretation – an interpretation of the CC or CEM issued by the Common Criteria Management Board (CCMB) that is applicable to all CCRA participants.

MyCB shall be the authority for managing both interpretations. Request for interpretation (RI) can be accepted from any interested parties including Sponsors, Developer, Consumers, Evaluators and Certifiers using the RI form.

The MyCC Scheme national and international interpretations process comprises of four business functions:

• Register Interpretation – The function for formally receiving a request for interpretation for future consideration or a final interpretation from the CCMB.
  
  
• Review Interpretation Request – The function for conducting a technical review of an interpretation request, possibly through a technical review meeting of experts, with a decision or otherwise to publish a draft interpretation. The outcome being advised to the original requestor where necessary.
  
  
• Publish Draft of MyCC Scheme Interpretation – The function for publishing a draft interpretation for comment by interested parties.
  
  
• Finalise MyCC Scheme Interpretation – The function for finalising the interpretation, publishing it and making any updates to the MyCC Scheme documentation, and if necessary, escalating the interpretation to the CCMB. A CCMB interpretation is also published through this function.

Further detail is provided in the MyCC Scheme Requirement

 

National Interpretation

Currently, there is no national interpretations of CC, CEM, MyCC Scheme rules or MyCC Scheme publications.

International Interpretation

Please refer to http://www.commoncriteriaportal.org/interpretations.html.

Common Criteria Recognition Arrangement (CCRA)

Malaysia has been accepted as CCRA Certificate Authorizing Member on 27 September 2011.

Common Criteria Recognition Arrangement (CCRA) was established in May 2000. The CCRA allows for mutual recognition of evaluation results, which creates value for ICT product vendors by allowing them to conduct an evaluation of their ICT product in one participating country and have the result recognised across all participating countries to the CCRA. There are 2 types of CCRA membership: 

• Certificate Consuming Members – These participants to the arrangement recognise the results of evaluations and certificates of all Certificate Authorising Participants.

• Certificate Authorizing Members – These participants operate CCRA compliant Common Criteria certification schemes that produce certificates under the rules of the CCRA.

Please visit https://www.commoncriteriaportal.org for the details.

Contact Us

Email us: This email address is being protected from spambots. You need JavaScript enabled to view it.