Certification and Evaluation Services
The MyCC Scheme offers the following certification and evaluation services to customers:
Impartial assessment of the security of a TOE against a set of functional and assurance claims using ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (Common Evaluation Methodology).
Certification provides independent confirmation of the validity of the evaluation results. It also shows that the TOE meets its security requirements at a defined level of assurance. This service gives customers confidence in the security functionality provided by a TOE.
The Common Criteria allow consumers, especially in consumer groups and communities of interest, to express their security needs for a type of product in an unambiguous manner. This can be done by writing an implementation-independent structured document called a Protection Profile (PP).
Evaluating a PP is required to demonstrate that the PP is sound and internally consistent. These properties are necessary for the PP to be suitable as the basis for writing a Security Target (ST) and as guidance for developers building a product or system that meets the consumers' needs.
This assessment uses ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (Common Evaluation Methodology) and is conducted in conformance with the MyCC Scheme Rules.
Certification provides independent confirmation of the validity of the evaluation results. It also gives a level of confidence that the PP solves the stated security problem. This service provides customers with validated security requirements to support selection and procurement of ICT products.
Maintenance of assurance is a voluntary process that leverages a certified TOE baseline as changes are made to the certified TOE. The MyCC Scheme has adopted the CCRA-compliant process for assurance continuity, or maintenance of assurance, in a TOE certified within the MyCC Scheme.
This service recognises that as changes are made to a certified TOE or its environment, evaluation work previously performed need not be repeated in all circumstances. This approach minimises redundancy in the security evaluation. There are two processes.
Maintenance of assurance provides customers with a cost-effective method of maintaining the same assurance level for a certified TOE after modification and update throughout its normal lifecycle.
These services facilitate the recognition of an ICT product that has been security certified externally to the MyCC Scheme under the CCRA. In some circumstances, Malaysian national security and/or procurement policy MAY:
- Require additional assurance activities be undertaken for usage of a certified ICT product in certain applications; and/or
- Impose qualification criteria for a certified ICT product to be marketed in Malaysia.
This service gives customers that have specific Malaysian national security requirements confidence that CC-certified ICT products from other schemes meet these requirements.
Supporting Services
To support the delivery of certification and evaluation services, the MyCC Scheme delivers the following additional services:
- Management of national and international interpretations of ISO/IEC 15408 (Common Criteria), ISO/IEC 18045 (Common Evaluation Methodology), MyCC Scheme rules (MyCC_P1) and associated MyCC Scheme publications;
- Engagement with CCRA member countries and participation in the development and maintenance of the CCRA, ISO/IEC 15408 and ISO/IEC 18045 on behalf of the Malaysian Government;
- Operation and maintenance of management systems for the Malaysian Common Criteria Certification Body (MyCB);
- Provision of support to third-party assessors for the purpose of assessing compliance of the MyCC Scheme with CCRA requirements (voluntary periodic assessment), accreditation of the MyCB to MS-ISO/IEC Guide 65 and accreditation of MySEFs to MS-ISO/IEC 17025;
- Provision of CC Training and Development for MyCC Scheme Certifiers, MySEF Evaluators and customers;
- Management of MyCC Scheme publications including the MyCC Scheme Certified Products Register (MyCPR) that lists MyCC Scheme certification and evaluation projects; and
- Licensing and management of Malaysian Security Evaluation Facilities.
Further details on MyCC Scheme services can be found in the PRODUCT_SP: MyCC Scheme Policy.