Malaysian Common Criteria Evaluation and Certification Scheme (MyCC Scheme) is a systematic process for evaluating and certifying the security functionality of ICT products against defined criteria or standards.
The MyCC Scheme evaluates and certifies the security functionality within ICT products against the following international standards:
ISO/IEC 15408 (Information technology -- Security techniques -- Evaluation criteria for IT security), also known as the Common Criteria (CC); and
ISO/IEC 18045 (Information technology -- Security techniques -- Methodology for IT security evaluation), also known as the Common Evaluation Methodology (CEM).
The Malaysian Common Criteria Certification Body (MyCB) is a department under CyberSecurity Malaysia. Its primary responsibility is to carry out certification and to oversee the day-to-day operation of the MyCC Scheme.
The MyCC Scheme's mission is "to increase Malaysia's competitiveness in quality assurance of information security based on the Common Criteria (CC) standards and to build consumers' confidence towards Malaysian ICT products."
Maintenance of assurance is a voluntary process that leverages a certified Target of Evaluation (TOE) as a baseline while changes are made to that certified TOE. The MyCC Scheme has adopted the CCRA-compliant process for assurance continuity (maintenance of assurance) for any TOE certified within the MyCC Scheme, in conformance with the MyCC Scheme Rules.
This service provides customers with a cost-effective method of maintaining a level of confidence in the security provided by a TOE as it is updated. Details of the MyCC Scheme Maintenance of Assurance service can be found in MyCC_P1: MyCC Scheme Policy.
The Common Criteria (CC) were created to harmonise the criteria for carrying out security evaluations that had been produced separately by the United States (TCSEC), Europe (ITSEC) and Canada (CTCPEC) into a single set of common criteria.
The CC is now recognised as an ISO (International Organization for Standardization) standard, ISO/IEC 15408 (Information technology -- Security techniques -- Evaluation criteria for IT security), and is regarded as the international benchmark for IT security evaluation criteria.
The Common Criteria Recognition Arrangement (CCRA) is a formal international arrangement among a large number of countries. Under this mutual recognition, a certificate issued by the certification body of any member state is recognised by all member states.
This helps vendors cut their costs, since a single evaluation of a product or system is recognised by all participating nations. Common Criteria certifications from EAL1 to EAL4 are mutually recognised by all CCRA members. Further information about the CCRA can be found at http://www.commoncriteriaportal.org/theccra.html
The CCRA membership includes both certificate-producing and certificate-consuming nations. All CCRA participants are listed on the CC portal with the name and contact details of each CC scheme, which can be found at http://www.commoncriteriaportal.org/members.html.
The Common Criteria (CC) uses the concept of assurance levels, called Evaluation Assurance Levels (EALs). The CC defines levels EAL1 to EAL7. These levels represent ascending degrees of confidence that an ICT product meets its security objectives: the higher the EAL, the greater the rigour applied in assessing whether the ICT product has met its security requirements.
The purpose of Assurance Continuity is to enable developers to provide assured products to the IT consumer community in a timely and efficient manner. The award of a Common Criteria evaluation certificate signifies that all necessary evaluation work has been performed to convince the evaluation authority that the TOE meets all the defined assurance requirements, which are the grounds for confidence that the IT product or system meets its security objectives.
Assurance Continuity recognises that, as changes are made to a certified TOE or its environment, evaluation work previously performed need not be repeated in all circumstances. Assurance Continuity therefore defines an approach to minimising redundancy in IT security evaluation, allowing a determination to be made as to whether independent evaluator actions need to be re-performed.
The Common Criteria Portal contains current information regarding the official version of the CC, the Common Evaluation Methodology (CEM), the CCRA, certified products and Protection Profiles, interpretations and other supporting documents.