Malaysian Common Criteria Scheme (MyCC)

The Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme provides a systematic process for evaluating and certifying the security functionality of ICT products against defined criteria and standards. This scheme ensures that high standards of competence and impartiality are maintained, promoting consistency and reliability in security assessments. The MyCC Scheme was developed under the 9th Malaysian Plan (2006-2010) and is supported by the 2005 National Cyber Security Policy (NCSP).


Why MyCC Scheme?


  • Consumer Assurance: Today's consumers demand assurance that the security functions of ICT products perform as claimed by developers. This is ensured through independent evaluation and certification based on recognized standards.
  • Independent Evaluation: Products are evaluated by an independent facility and certified by an independent body using recognized standards such as Common Criteria (CC) (ISO/IEC 15408) and Common Evaluation Methodology (CEM) (ISO/IEC 18045).
  • Global Standards Compliance: Recognizing the importance of security assurance, CyberSecurity Malaysia is a member of the Common Criteria Recognition Arrangement (CCRA) and the Common Criteria User Forum (CCUF). More information is available on the Common Criteria Portal and the Common Criteria User Forum Portal.


The MyCC Scheme is crucial for developers, manufacturers, and organizations aiming to certify their ICT products' security functionalities and gain global recognition for their commitment to security.


Common Criteria Recognition Arrangement (CCRA):

Malaysia was accepted as a CCRA Certificate Authorizing Member on 27 September 2011.

Common Criteria Recognition Arrangement (CCRA) was established in May 2000. The CCRA allows for mutual recognition of evaluation results, which creates value for ICT product vendors by allowing them to conduct an evaluation of their ICT product in one participating country and have the result recognised across all participating countries to the CCRA. There are 2 types of CCRA membership:

  • Certificate Consuming Members – These participants to the arrangement recognise the results of evaluations and certificates of all Certificate Authorising Participants.
  • Certificate Authorizing Members – These participants operate CCRA compliant Common Criteria certification schemes that produce certificates under the rules of the CCRA.






Certification Benefits


  1. Global Competitiveness: Common Criteria (CC) sets a benchmark for ICT security features, allowing Malaysian ICT products to compete effectively in the global market.
  2. Enhanced Reputation: Participation in the Common Criteria Recognition Arrangement (CCRA) boosts Malaysia’s global standing as a provider of ICT security assurance services.
  3. International Market Access: Certification under CCRA grants Malaysian ICT products recognition in multiple participating countries, facilitating easier market entry.
  4. Improved National Security: Using independently certified ICT products strengthens Malaysia’s information infrastructure by providing higher assurance in security features.
  5. Rigorous Security Enhancement: Independent security analysis identifies and corrects vulnerabilities, improving the overall security of Malaysian ICT products.





Services under MyCC


The MyCC Scheme offers various services to assess and certify the security of ICT products and systems.

  • Security Evaluation and Certification: This service evaluates ICT products against Common Criteria (CC) standards, providing an impartial assessment and certification upon successful completion. This increases trust in the product’s security features.
  • Protection Profile (PP) Certification: The MyCC Scheme can evaluate and certify PP documents, which outline security requirements for specific product types. This helps ensure the PP is well-defined and suitable for developing secure products.
  • Maintenance of Assurance: This voluntary service helps maintain the security assurance level of already certified products as they undergo changes throughout their lifecycle.
  • CCRA Certificate Recognition: This service acknowledges CC certifications from other accredited schemes, potentially reducing the need for additional evaluations in Malaysia.


Supporting Services

The MyCC Scheme also provides various supporting services to ensure smooth operation and international recognition. These include managing interpretations of relevant standards, engaging with international communities, and offering training and management of resources.





Key Aspects of MyCC Scheme


Evaluation and Certification: The MyCC Scheme evaluates and certifies the security functionality of ICT products against the ISO/IEC 15408 standard, also known as Common Criteria (CC). The evaluations are conducted using the Common Evaluation Methodology (CEM), recognized as ISO/IEC 18045.

Certification Body: The MyCC Scheme is managed by the Malaysian Common Criteria Certification Body (MyCB), a department within CyberSecurity Malaysia. MyCB is responsible for carrying out certifications and overseeing the scheme’s day-to-day management and operation. Importantly, MyCB operates independently from the Evaluation Facilities to ensure impartiality.

Evaluation Facility: The scheme includes an Evaluation Facility responsible for conducting security evaluations in an independently accredited environment. The Malaysian Security Evaluation Facility (MySEF) is the designated Evaluation Facility for the MyCC Scheme. The licensed MySEFs under the MyCC Scheme are listed here:


The structure of the MyCC Scheme is illustrated in the figure below:

MyCC Scheme Structure





MyCC Scheme Certified Products Register (MyCPR)

The MyCC Scheme Certified Products Register (MyCPR) is a comprehensive listing that includes certified ICT products, systems, and Protection Profiles. It also features products currently undergoing evaluation and those recognized from other CCRA certified authorizing participants.
MyCPR serves to aid stakeholders in selecting and implementing certified ICT products and systems. However, information in MyCPR is limited to the products’ performance against assurance levels and standards specified in the Common Criteria (CC).
Certification Reports, detailing evaluation results including scope clarifications and secure usage recommendations, accompany each listing. Consumers are advised that not all security functionalities may be evaluated. They are therefore encouraged to download and understand the Security Target and Certification Report in order to assess a product's suitability for their organizational security needs.

Components of MyCPR:

  • List of Certified Products and Systems
  • List of Products and Systems Under Evaluation
  • List of Recognition of CCRA Certificates




MyCC Publications:


MyCC Scheme publications are designed to provide guidance and step-by-step instructions for MyCC Scheme stakeholders. The MyCC Scheme publications are illustrated in the figure below:

Documents

  1. MyCC Scheme Requirement (MyCC_REQ)
  2. ISCB Evaluation Facility Manual (ISCB_EFM)
  3. MyCC Scheme Client Guideline (MYCC_CG)

Readers should contact the MyCC Scheme using the Contact Us details if they have specific questions about the information provided in MyCC Scheme publications or about the MyCC Scheme Certified Products Register (MyCPR).

MyCC Scheme Other Publications

  1. Complaints and Appeals Procedure
  2. MyCC Scheme Fee Structure
  3. Interpretation
  4. Terms & Conditions of MyCC and CC Certification and Service Marks

CCRA Publications

Common Criteria (CC)

Common Evaluation Methodology (CEM)

The official version of Common Criteria (CC) and CEM is version CC:2022 Revision 1. The previous versions can be found at https://www.commoncriteriaportal.org/cc/index.cfm

Other related CCRA supporting documents can be found at https://www.commoncriteriaportal.org/cc/index.cfm





Interpretation:


An interpretation is an expert technical judgement of the meaning or method of application of any technical aspect of the CCRA, CC, CEM, MyCC Scheme rules and MyCC Scheme publications. There are 2 classes of interpretations:

  • National Interpretation – an interpretation of the CC, CEM or MyCC Scheme rules and MyCC Scheme publications that is applicable to the MyCC Scheme only.
  • International Interpretation – an interpretation of the CC or CEM issued by the Common Criteria Management Board (CCMB) that is applicable to all CCRA participants.

MyCB shall be the authority for managing both classes of interpretation. Requests for interpretation (RI) are accepted from any interested party, including Sponsors, Developers, Consumers, Evaluators and Certifiers, using the RI form.

The MyCC Scheme national and international interpretations process comprises four business functions:

  • Register Interpretation – The function for formally receiving a request for interpretation for future consideration or a final interpretation from the CCMB.
  • Review Interpretation Request – The function for conducting a technical review of an interpretation request, possibly through a technical review meeting of experts, with a decision on whether or not to publish a draft interpretation. The outcome is advised to the original requestor where necessary.
  • Publish Draft of MyCC Scheme Interpretation – The function for publishing a draft interpretation for comment by interested parties.
  • Finalise MyCC Scheme Interpretation – The function for finalising the interpretation, publishing it and making any updates to the MyCC Scheme documentation, and if necessary, escalating the interpretation to the CCMB. A CCMB interpretation is also published through this function.

National Interpretation

Currently, there are no national interpretations of CC, CEM, MyCC Scheme rules or MyCC Scheme publications.

International Interpretation

Please refer to https://www.commoncriteriaportal.org/index.cfm.




Our Clients


  1. Trend Micro Incorporated.
  2. Chelpis Quantum Tech Co. Ltd.
  3. SecIron (Malaysia) Sdn. Bhd.
  4. MicroEngine Networks Sdn Bhd
  5. RSA Security LLC
  6. LE Global Services Sdn. Bhd.
  7. Swingvy Sdn. Bhd
  8. Pernec Integrated Network Systems Sdn Bhd
  9. Huawei Services (Hong Kong) Co. Limited
  10. SecurePay Sdn. Bhd.


MyCC Scheme Fee


MyCB recovers the costs of delivering MyCC Scheme services through service charge fees (excluding SST), which include:

  • Certification fee – this fixed fee covers only the certification process under MyCB; it does not include any cost that is separately agreed between MySEF and the Sponsor, or any incidental cost such as the cost of a site visit or training
  • MySEF license new application and renewal fee – RM 25,000 (the fee includes the costs of the MySEF new application / renewal assessment and the licensing agreement with MyCB)
  • MySEF annual license fee – RM 5,000 (this is charged annually for three consecutive years after the first-year license)

These fees will contribute to funding the CCRA commitment and other supporting functions such as marketing or awareness initiatives.

| Evaluation Assurance Level | Certification Assurance Fees |
|---|---|
| EAL1 | RM 16,000 |
| EAL2 | RM 16,000 |
| EAL3 | RM 31,000 |
| EAL4 | RM 31,000 |
| EAL5 | RM 74,000 |
| EAL6 | RM 74,000 |
| EAL7 | RM 74,000 |

Contact

For any enquiry please contact:
enquiry@cybersecurity.my

CyberSecurity Malaysia is the national cyber security specialist agency under the purview of the Ministry of Digital (KD)
 
Contact Us

  • CyberSecurity Malaysia,
    Level 7 Tower 1, Menara Cyber Axis, Jalan Impact,
    63000 Cyberjaya, Selangor Darul Ehsan, Malaysia.

  • enquiry@cybersecurity.my

  • +603 - 8800 7999

  • +603 - 8008 7000
