MyCC: SCHEME BACKGROUND

About MyCC

Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme is a systematic process for evaluating and certifying the security functionality of ICT products against defined criteria or standards. It is important to have a scheme to ensure high standards of competence and impartiality are maintained, and that consistency is achieved.

MyCC Scheme evaluates and certifies the security functionality within ICT products against ISO/IEC 15408 standard which is known as Common Criteria (CC). The methodology use in the evaluation is also a recognised standard known as Common Evaluation Methodology (CEM) or ISO/IEC 18045.

Based on the Common Criteria Recognition Arrangement (CCRA) requirement, a scheme is managed by a sole Certification Body (CB). The Certification Body for the MyCC Scheme is known as Malaysian Common Criteria Certification Body (MyCB), a department within CyberSecurity Malaysia. MyCB is responsible for carrying out certification and overseeing the day-to-day management and operation of the scheme. MyCB is independent from the Evaluation Facilities.

This scheme also consists of an Evaluation Facility, besides the CB. The main responsibility is to carry out security evaluations against agreed standards in an independently accredited environment. The Evaluation Facility for the MyCC Scheme is known as Malaysian Security Evaluation Facility (MySEF). Currently there is one potential MySEF, a unit within Security Assurance Department in CyberSecurity Malaysia, that are qualified and currently in the process of obtaining the license from MyCB.

History

Malaysia is one of the main manufacturers for information, communication and technology (ICT) products for local and international market. To be accepted globally, these products need to fulfil certain requirements from other countries especially when these products need to be implemented in critical sectors.

Nowadays, the consumers are looking for an assurance that the security functions of the product are functioning as claimed by the developer. This can be achieved if the product is evaluated by an independent evaluation facility and certified by an independent certification body using the recognise standards.

Recognising the importance of security assurance of ICT products and systems, measures will be undertaken to provide security evaluation and certification programme based on international standards. Therefore, a research had been conducted by CyberSecurity Malaysia to identify the recognise standards and methodology that can be used in security evaluation and certification.

Common Criteria (CC) or ISO/IEC 15408 has been identified as a recognise standard for information technology security evaluation. While Common Evaluation Methodology (CEM) or ISO/IEC 18045 has been identified as recognise common methodology for information technology security evaluation.

To recognise the certificates that had been produced by countries that using CC and CEM, an arrangement had been established between these countries. This arrangement is called Common Criteria Recognition Arrangement (CCRA). Details of the arrangement can be found at Mutual Recognition and www.commoncriteriaportal.org

Malaysia through CyberSecurity Malaysia, an agency under KKD, has been accepted as CCRA Consuming Participant on 28 March 2007. To be recognised as CCRA Authorising Participant, a national scheme and its components need to be established. Thus, the development of the MyCC Scheme commenced in 2006 which is driven from 9th Malaysian Plan (2006-2010). The implementation is also supported by the 2005 National Cyber Security Policy (NCSP).

Further details on MyCC Scheme can be found in the MyCC Scheme publication.

1. Improve the competitiveness of Malaysian ICT products in a global ICT market
   The Common Criteria (CC) provides a benchmark for comparing and contrasting the security features implemented in ICT products. Malaysian ICT products can leverage the CC benchmark to compete effectively against similar categories of products on the global ICT market.
   
   
2. Enhance Malaysia's reputation as a provider of ICT security assurance services globally
   Being part of the Common Criteria Recognition Arrangement (CCRA) as certificate consumer participant, ultimately as a certificate authorising participant, enhances Malaysia's reputation in the provision of ICT security assurance services related to ICT product security evaluation.
   
   
3. Gain access to international markets for Malaysian ICT products
   Through its intended participation in the CCRA as a certificate authorising participant, Malaysian ICT products with ICT security certification will receive immediate recognition across the many participating countries to the arrangement.
   
   
4. Enhance the security of Malaysia's information infrastructure by making available a suite of independently security assured ICT products
   Independently security certified products offer increased assurance in their implemented security features over developer asserted security features. Deployment of these products in well managed Malaysia's information infrastructure will provide greater assurance in the protection of this infrastructure.
   
   
5. Enhance the security of Malaysian ICT products through rigorous independent security analysis
   The rigorous independent analysis of the security features of ICT security products is targeted at the discovery and correction of vulnerabilities. Vulnerabilities discovered during evaluation can be corrected by developers adding value to the certification process and the security of the product undergoing evaluation.

Certification and Evaluation Services

The MyCC Scheme offers the following certification and evaluation services to customers:

1. Security evaluation and certification of ICT products and systems (called a Target of Evaluation (TOE))
   Impartial assessment of the security of a TOE against a set of functional and assurance claims using ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (Common Evaluation Methodology).
   
   Certification provides independent confirmation of the evaluation results validity. Furthermore, it will also prove that the TOE meets its security requirements at a defined level of assurance. This service provides customers confidence in the security functionality provided by a TOE.
   
   
2. Security evaluation and certification of CC Protection Profiles
   The Common Criteria allow consumer, especially in consumer groups and communities of interest, to express their security needs for a type of product in an unambiguous manner. This can be done by writing an implementation-independent structure document call a Protection Profile (PP).
   
   Evaluating a PP is required to demonstrate that the PP is sound and internally consistent. These properties are necessary for the PP to be suitable for use as the basis for writing a Security Target (ST) and guidance for the developers to develop a product or system that meet the consumers needs.
   
   This assessment uses ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (Common Evaluation Methodology) and in conformance with MyCC Scheme Rules.
   
   Certification provides independent confirmation of the evaluation results validity. Furthermore, it will also give a level of confidence that the PP solves the stated security problem. This service provides customers with validated security requirements to support selection and procurement of ICT products.
   
   
3. Maintenance of assurance for security certified ICT products and systems
   Maintenance of assurance is a voluntary process that leverages a certified TOE baseline as changes are made to the certified TOE. The MyCC Scheme has adopted the CCRA compliant process for assurance continuity or for maintenance of assurance in a TOE certified within the MyCC Scheme.
   
   This service recognises that as changes are made to a certified TOE or its environment, evaluation work previously performed need not to be repeated in all circumstances. This approach will minimise the redundancy in the security evaluation. There are two processes.
   
   Maintenance of assurance provides customers with a cost effective method of maintaining the same assurance level for a certified TOE after modification and update throughout its normal lifecycle.
   
   
4. Recognition of CCRA certificates for special purposes
   Services that facilitate the recognition of an ICT product that has been security certified externally to the MyCC Scheme under the CCRA. In some circumstances, Malaysian national security and/or procurement policy MAY:
   
   • Require additional assurance activities be undertaken for usage of a certified ICT product in certain applications; and/or
   • Qualification criteria for a certified ICT product to be marketed in Malaysia.

   
   This service provides customers with specific Malaysia national security requirements confidence that CC certified ICT products from other schemes meet these requirements.

Supporting Services

To support the delivery of certification and evaluation services, the MyCC Scheme deliver the following additional services:

1. Management of national and international interpretations of ISO/IEC 15408 (Common Criteria), ISO/IEC 18045 (Common Evaluation Methodology), MyCC Scheme rules (MyCC_P1) and associated MyCC Scheme publications;
2. Engagement with CCRA member countries and participation in the development and maintenance of the CCRA, ISO/IEC 15408 and ISO/ IEC 18045 on behalf of the Malaysian Government;
3. Operation and maintenance of management systems for the Malaysian Common Criteria Certification Body (MyCB);
4. Provision of support to third party assessors for the purpose of assessing compliance of the MyCC Scheme with CCRA requirements (Voluntary periodic assessment), accreditation of the MyCB to MS-ISO/IEC Guide 65 and accreditation of MySEFs to MS-ISO/IEC 17025;
5. Provision of CC Training and Development for MyCC Scheme Certifiers, MySEF Evaluators and customers;
6. Management of MyCC Scheme publications including the MyCC Scheme Certified Products Register (MyCPR) that lists MyCC Scheme certification and evaluation projects;
7. and Licensing and management of Malaysian Security Evaluation Facilities.

Further details on MyCC Scheme services can be found in the MyCC Scheme Requirement.

The structure of the MyCC Scheme is illustrated in the figure below:

MyCC Scheme Head:

• Own by CyberSecurity Malaysia.
• The CEO of CyberSecurity Malaysia acted as MyCC Scheme Head and responsible in:
  • Establishing and communicating the strategic direction for the MyCC Scheme.
  • Establishing the MyCC Scheme policy and rules.
  • Member of the MyCC Scheme Management Board and Certification Subcommittee.

MyCC Scheme Management Board:

• Composed of at least 5 Malaysian government and industry members.
• Independent from day-to-day management and operation of the MyCC Scheme.
• Provide strategic advice, guidance and recommendations in relation to the overall direction and policy of the MyCC Scheme.

MyCC Certification Subcommittee:

• Impartial group delegated by the MyCC Scheme Management Board to:
  • Certify an ICT product, system or protection profile evaluation completed by a licensed MySEF.
  • Maintain or extend a certification for an ICT product or system.
  • Withdraw certification for an ICT product, system or protection profile.

MyCC Scheme Manager:

• Instigate the MyCC Scheme policy;
• Manage the MyCBs department.
• Established relationship with licensed MySEFs.

MySEF Lab Manager:

• Manage the MySEFs department.
• Established relationship with licensed MyCB.
• An authorised MS-ISO/IEC 17025 signatory.

Senior MyCC Certifier:

• Ensuring the effective application of IT security evaluation criteria by both evaluators and certifiers.
• Ensuring the highest standards of competence and impartiality are maintained and consistency is achieved across all evaluation and certification activities.

Senior MySEF Evaluator:

• Ensuring the effective application of IT security evaluation criteria for evaluations conducted within the MySEF;
• The continuous application of the MySEF Management System to the conduct of evaluations within the MySEF
• Acting as an MS-ISO/IEC 17025 authorised signatory for evaluation work.

MyCC Certifier:

• Responsible for conducting of day-to-day certification projects under the direction of the MyCB Senior Certifier and in compliance with MyCB Management System.

MyCC CB Quality Manager:

• Responsible for the maintenance of the MyCB Management System.
• Conduct reviews of the application of the management system within MyCB.
• Provides outcomes of management system reviews to the MyCC Scheme Management Board in order to ensure impartiality of certification services.

MySEF Quality Manager:

• Responsible for maintenance of the MySEF Management System.
• Conduct reviews for the application of the management system within the MySEF.

MySEF Evaluator:

• Responsible for day-to-day evaluation projects under the direction of the Senior MySEF Evaluator and in compliance with the MySEF Management System.

MyCC Scheme Certified Products Register (MyCPR)

MyCC Scheme Certified Products Register (MyCPR) is a list of certified ICT products, systems and Protection Profiles, those undergoing evaluation and those recognised from other CCRA certified authorising participants.

MyCPR function is to assist interested parties on matters relating to the selection and implementation of the certified ICT products and systems. However, information in the MyCPR is limited to the performance of those products against the assurance levels and standards specified in the Common Criteria (CC).

The evaluation results are published in the Certification Report which contains detailed information, including any clarification of the scope of the evaluation, and provides recommendations for the secure use of the product.

Consumers using the MyCPR should be aware that the evaluated portion of a product may not include all the security functionality of the product. Therefore, it is encouraged to download and understand the Security Target and Certification Report for evaluated products to assess its suitability to meet the security needs of the consumers’ organisation.

MyCPR consist of:

• List of Certified Products and Systems
• List of Products and Systems Under Evaluation
• List of Recognition of CCRA Certificates

MyCC Scheme publications are designed to provide guidance and step-by-step instructions for MyCC Scheme stakeholders. MyCC Scheme Publications is illustrated in the figure below:

Documents

1. MyCC Scheme Requirement (MyCC_REQ)
2. ISCB Evaluation Facility Manual (ISCB_EFM)
3. MyCC Scheme Client Guideline (MYCC_CG)

Readers should contact the MyCC Scheme via the Contact Us detail if they have specific questions in relation to the information provided in MyCC Scheme publications or in relation to the MyCC Scheme Certified Products Register (MyCPR).

MyCC Scheme Other Publications

• Disputes, Complaints and Appeals Procedure
• MyCC Scheme Fee Structure
• Interpretation
• Terms & Conditions of MyCC and CC Certification and Service Marks

CCRA Publications

Common Criteria (CC)

• Part 1: Introduction and General Model
• Part 2: Security Functional Requirements
• Part 3: Security Assurance Requirements
• Part 4: Framework for the specification of evaluation methods and activities
• Part 5: Pre-defined packages of security requirements

Common Evaluation Methodology (CEM)

The official version of Common Criteria (CC) and CEM is version 3.1. The previous versions can be found at http://www.commoncriteriaportal.org/cc

Other related CCRA supporting documents can be found at
http://www.commoncriteriaportal.org/cc

MyCB recover the costs for delivery of MyCC Scheme services through a service charge fees which includes:

• Certification fee – this fixed fee covers only for the certification process under MyCB where it does not include any cost that is separately agreed between MySEF and the Sponsor, or any incidental cost such as cost for site visit or training

• MySEF license new application and renewal fee – RM 25,000 (the fee includes the costs of MySEF new application / renew assessment and licensing agreement with MyCB)
• MySEF annual license fee - RM 5,000 (this is annually charge for three consequent year after the first year license)

These fees will contribute to funding the CCRA commitment and other supporting functions such as marketing or awareness initiatives.

An interpretation is an expert technical judgement of the meaning or method of application of any technical aspect of the CCRA, CC, CEM, MyCC Scheme rules and MyCC Scheme publications. There are 2 classes of interpretations:

• National Interpretation – an interpretation of the CC, CEM or MyCC Scheme rules and MyCC Scheme publications that is applicable with the MyCC Scheme only.
  
  
• International Interpretation – an interpretation of the CC or CEM issued by the Common Criteria Management Board (CCMB) that is applicable to all CCRA participants.

MyCB shall be the authority for managing both interpretations. Request for interpretation (RI) can be accepted from any interested parties including Sponsors, Developer, Consumers, Evaluators and Certifiers using the RI form.

The MyCC Scheme national and international interpretations process comprises of four business functions:

• Register Interpretation – The function for formally receiving a request for interpretation for future consideration or a final interpretation from the CCMB.
  
  
• Review Interpretation Request – The function for conducting a technical review of an interpretation request, possibly through a technical review meeting of experts, with a decision or otherwise to publish a draft interpretation. The outcome being advised to the original requestor where necessary.
  
  
• Publish Draft of MyCC Scheme Interpretation – The function for publishing a draft interpretation for comment by interested parties.
  
  
• Finalise MyCC Scheme Interpretation – The function for finalising the interpretation, publishing it and making any updates to the MyCC Scheme documentation, and if necessary, escalating the interpretation to the CCMB. A CCMB interpretation is also published through this function.

Further detail is provided in the MyCC Scheme Requirement

National Interpretation

Currently, there is no national interpretations of CC, CEM, MyCC Scheme rules or MyCC Scheme publications.

International Interpretation

Please refer to http://www.commoncriteriaportal.org/interpretations.html.

Malaysia has been accepted as CCRA Certificate Authorizing Member on 27 September 2011.

Common Criteria Recognition Arrangement (CCRA) was established in May 2000. The CCRA allows for mutual recognition of evaluation results, which creates value for ICT product vendors by allowing them to conduct an evaluation of their ICT product in one participating country and have the result recognised across all participating countries to the CCRA. There are 2 types of CCRA membership: 

• Certificate Consuming Members – These participants to the arrangement recognise the results of evaluations and certificates of all Certificate Authorising Participants.

• Certificate Authorizing Members – These participants operate CCRA compliant Common Criteria certification schemes that produce certificates under the rules of the CCRA.

Please visit https://www.commoncriteriaportal.org for the details.

Email us: This email address is being protected from spambots. You need JavaScript enabled to view it.