Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme is a systematic process for evaluating and certifying the security functionality of ICT products against defined criteria or standards. It is important to have a scheme to ensure high standards of competence and impartiality are maintained, and that consistency is achieved.
MyCC Scheme evaluates and certifies the security functionality within ICT products against ISO/IEC 15408 standard which is known as Common Criteria (CC). The methodology use in the evaluation is also a recognised standard known as Common Evaluation Methodology (CEM) or ISO/IEC 18045.
Based on the Common Criteria Recognition Arrangement (CCRA) requirement, a scheme is managed by a sole Certification Body (CB). The Certification Body for the MyCC Scheme is known as Malaysian Common Criteria Certification Body (MyCB), a department within CyberSecurity Malaysia. MyCB is responsible for carrying out certification and overseeing the day-to-day management and operation of the scheme. MyCB is independent from the Evaluation Facilities.
This scheme also consists of an Evaluation Facility, besides the CB. The main responsibility is to carry out security evaluations against agreed standards in an independently accredited environment. The Evaluation Facility for the MyCC Scheme is known as Malaysian Security Evaluation Facility (MySEF). Currently there is one potential MySEF, a unit within Security Assurance Department in CyberSecurity Malaysia, that are qualified and currently in the process of obtaining the license from MyCB.
Malaysia is one of the main manufacturers for information, communication and technology (ICT) products for local and international market. To be accepted globally, these products need to fulfil certain requirements from other countries especially when these products need to be implemented in critical sectors.
Nowadays, the consumers are looking for an assurance that the security functions of the product are functioning as claimed by the developer. This can be achieved if the product is evaluated by an independent evaluation facility and certified by an independent certification body using the recognise standards.
Recognising the importance of security assurance of ICT products and systems, measures will be undertaken to provide security evaluation and certification programme based on international standards. Therefore, a research had been conducted by CyberSecurity Malaysia to identify the recognise standards and methodology that can be used in security evaluation and certification.
Common Criteria (CC) or ISO/IEC 15408 has been identified as a recognise standard for information technology security evaluation. While Common Evaluation Methodology (CEM) or ISO/IEC 18045 has been identified as recognise common methodology for information technology security evaluation.
To recognise the certificates that had been produced by countries that using CC and CEM, an arrangement had been established between these countries. This arrangement is called Common Criteria Recognition Arrangement (CCRA). Details of the arrangement can be found at Mutual Recognition and www.commoncriteriaportal.org
Malaysia through CyberSecurity Malaysia, an agency under KKD, has been accepted as CCRA Consuming Participant on 28 March 2007. To be recognised as CCRA Authorising Participant, a national scheme and its components need to be established. Thus, the development of the MyCC Scheme commenced in 2006 which is driven from 9th Malaysian Plan (2006-2010). The implementation is also supported by the 2005 National Cyber Security Policy (NCSP).
Further details on MyCC Scheme can be found in the MyCC Scheme publication.