23-25 March, 2027 | Steigenberger Wiltcher's, Brussels

I Assure You, It’s All Fine: Giving Attention to the Meaningfulness of EUCC Cybersecurity Certificates (S21c)

Reflect on the real significance and trustworthiness of EUCC certificates.
26 Mar 2026
12:00 pm
Ballroom C

The EU is working to increase cybersecurity across the European Union through a combination of laws, standards and certification strategies. This three-faceted approach helps to steer, standardize and qualify security in a wide range of markets and technical areas. However, the value of such certification depends heavily on the scope of the certificates that are issued. This applies to any scheme that relies on an underlying standard for its requirements. When a certificate is issued, it must add value, and it must be easy for a user to determine what the certified product or service actually implements. For example, in EUCC the underlying ISO/IEC 15408 – CC2022 standard allows products to rely on the environment of the TOE for aspects of their security. The CC standard also places no rules on claiming AVA_VAN.5. Due to the flexibility of the Security Target in EUCC, it becomes possible to certify a product where security functionality is not claimed or is left as an assumption for the environment. The EUCC_IR has implemented a number of limitations on the use of AVA_VAN.5, restricting it to specific technical domains or a State-of-the-Art PP, but other aspects may still lead to a certificate that does not add intrinsic value. This talk will explain which aspects the Dutch NCCA considers relevant when assessing whether the ST specifies a product that will result in a meaningful certificate under EUCC, such that a potential user will not be misled. Possible areas where the EUCC_IR and CSA could be improved are also addressed.