BlackBerry solutions have received more certifications and approvals than any other smartphone platform. In 2007, BlackBerry became the first mobile platform to obtain Common Criteria certification, for BlackBerry OS 4.1 and BlackBerry Enterprise Server 4.1, and every subsequent release of the BlackBerry OS and BlackBerry Enterprise Server has maintained that certification since. In this blog post, I’d like to discuss what Common Criteria certification means to BlackBerry and how the standard is evolving right now. That will also give a good pointer to how Common Criteria fits into our accreditation plans for BlackBerry 10.
(As of February 2015, BlackBerry holds 70+ security certifications and approvals from governments.)
What is Common Criteria?
The Common Criteria for Information Technology Security Evaluation, or simply “Common Criteria”, is an international standard (ISO/IEC 15408) for evaluating information security products. It provides a framework in which a developer specifies the security claims for its product (the Target of Evaluation) in a document called a Security Target, and an independent, accredited laboratory then evaluates the product to determine whether it actually meets those claims. The lab’s results are reviewed by the national certification body responsible for issuing the Common Criteria certificate. A certificate therefore provides assurance that the specification (product design), implementation (development, manufacturing) and evaluation (testing) of the product have been conducted in a standard, repeatable manner. Each certification carries an Evaluation Assurance Level (EAL) from 1 to 7; a higher level means additional assurance requirements (more documentation, deeper design analysis, more thorough testing) had to be met to achieve it. It is important to read the EAL correctly: it measures how rigorously the claims were evaluated, not how strong the product’s security is. Two products at the same EAL can make very different claims, and the certificate covers only the configuration described in the Security Target, so the EAL should always be read alongside the Security Target.
Common Criteria is an international certification scheme that has been adopted by more than 25 participating countries. This allows customers from around the world to purchase Common Criteria certified products with confidence. The Common Criteria Portal provides more information on how certification and the mutual recognition arrangement work. In the past, products certified at EAL 4 or below were mutually recognized by all participants. In recent years, EAL 2 has been set as the mutual recognition level for participating countries; above that level, recognition is no longer automatic under the arrangement and depends on the national schemes involved.
How does Common Criteria help make BlackBerry products trusted?
Security-conscious customers such as financial institutions and governments often make Common Criteria certification a determining factor in their purchasing decisions. Having such a certification not only highlights the security of our products, but also assures customers of our commitment to robust and secure processes in design, development, testing and manufacturing. The full list of BlackBerry products that have received certification is available on the Common Criteria Portal. BlackBerry has also been heavily involved with the Common Criteria community, participating in and contributing to the annual conferences and influencing the direction of the standard as an industry leader.
Evolution of Common Criteria
In the last few years, the mutual recognition arrangements for Common Criteria have been evolving. In the past, each vendor was free to write its own security claims (its Security Target) and have the product evaluated against those claims. While this was effective for testing the security features of an individual product, comparing one product against a similar one was difficult, because the two Security Targets might share no common security claims and the same EAL could cover very different evaluation scopes.
Recently, the Common Criteria community has been moving toward a new vision for the future, described in more detail on the Common Criteria Portal. Under this vision, a consistent set of security requirements is defined for each category of product. Technical Communities made up of multiple stakeholders (certifying bodies, labs and vendors) agree on a Protection Profile (PP) for a particular category, for example mobile devices. A PP is an implementation-independent specification: it sets out the threats, the security functional requirements and the evaluation activities the lab must perform for that category. Any vendor who wishes to achieve Common Criteria certification for a product in the category must claim conformance to the PP in its Security Target and be evaluated in the manner the PP prescribes. This approach provides a few advantages:
- It promotes consistency in evaluation approaches across the participating nations
- The technical communities bring together multiple subject matter experts to create a PP that comprehensively addresses the security needs
- Evaluations can be performed more efficiently to keep up with the rapid pace of technological advances in the industry
- Customers benefit from a like-for-like comparison between two competing products certified under the same PP
BlackBerry remains committed to Common Criteria certification for its products. We are currently working with a number of certifying bodies, external labs and other vendors to create the PPs that will form the basis of evaluation for mobile devices. Two PPs are being developed: one for mobile device platforms and another for Mobile Device Management (MDM) solutions. Once these PPs are published, they will pave the way for BlackBerry 10 and BlackBerry Enterprise Service 10 to be Common Criteria certified, continuing our rich legacy of security assurance.
Is Common Criteria certification considered when purchasing IT equipment at your company? How does your company use such certifications? Share with us in the comments below.