Common Criteria for Information Technology Security Evaluation (CC) is an international agreement that provides a set of standards, testing processes, and documentation standards. It is widely recognized as the leading set of defined software security standards. The Canadian Centre for Cyber Security performs evaluations on common IT products and releases a report called “Common Criteria Certification.” This process allows organizations to review an independently tested software evaluation without needing to set up and configure that IT product in their own environment first. Tripwire Enterprise v8.9.1 was recently evaluated and passed the assurance process, updating our certification for this latest release version.
How the Certification Process Works
The Canadian Common Criteria Scheme provides a third-party commercial Common Criteria Evaluation Facility (CCEF) for determining the trustworthiness of Information Technology (IT) security products. These evaluations take place under the oversight of the Certification Body, which is managed by the Canadian Centre for Cyber Security.
A CCEF is a commercial facility that has been approved by the Certification Body to perform Common Criteria evaluations. A significant requirement for such approval is accreditation to the requirements of ISO/IEC 17025, the General Requirements for the Competence of Testing and Calibration Laboratories.
A Breakdown of the Certification Stages
As explained in a report published by the Government of Canada, the first stage is to identify and describe the Target of Evaluation (TOE) and the architecture around it. Next, the report summarizes data from a security policy that is checked against evaluated products. This allows the results for Intrusion Detection System (IDS), Security Audit, User Data Protection and others to be checked against the TOE.
One or more individuals are subsequently assigned to manage the TOE and the security of the information it contains. The authorized administrators follow and abide by the instructions provided in the TOE documentation.
By awarding a Common Criteria certificate, the Certification Body asserts that the product complies with the security requirements specified in a security target, a requirements specification document that defines the scope of the evaluation activities. The consumer of certified IT products should review the security target in addition to this certification report in order to gain an understanding of any assumptions made during the evaluation, the IT product’s intended environment, the evaluated security functionality, and the testing and analysis conducted by the CCEF.
The certification report, certificate of product evaluation and security target are listed on the Certified Products List (CPL) for the Canadian CC Scheme and posted on the Common Criteria portal (the official website of the International Common Criteria Project).
The remaining steps of the evaluation in the Common Criteria Certification Report cover the assumptions and requirements for the expected user, the documentation of the solution, the life cycle, and the test activities performed along with their results. The test activities and results contain most of the information for the report.
Inside Tripwire’s Results
Below is a list of the security features that were highlighted by the Common Criteria Certification Security Target report for Tripwire Enterprise Version 8.9.1:
- Security Audit
- Cryptographic Support
- User Data Protection
- Identification and Authentication
- Security Function Management
- Protection of the Target of Evaluation Security Features
- Intrusion Detection
Why Is This Certification Important?
Tripwire Enterprise v8.9.1 is one of nine certified products listed in Common Criteria’s “Detection Devices and Systems” category. (Tripwire IP360 v9.0.1 also shares a spot in this list.)
Megan Freshley explains in this blog that this latest certification shows how Tripwire is committed to helping its federal customers protect their critical data using integrity monitoring, security configuration management and advanced vulnerability management functionality.
Achieving the most current Common Criteria certification illustrates Tripwire’s continuing commitment to meet increasingly stringent U.S. national and international security standards and is assurance that we’re bringing the most secure products to market.
Need more information? Check out Tripwire Enterprise’s Certification report here.