Simplified Security Criteria

The Simplified Security Criteria (SSC) establishes a national Scheme for Singapore, providing evaluation and certification of IT security requirements and their related products. SSC is an entry-level and cost-efficient scheme. It is in full alignment with the other schemes of the Security Product Assurance (SPA) programme of IDA. SSC addresses certain needs for the following parties:

  • Developer:
IT security product developers that go for certification for the first time may not have the resources and skills available to immediately undergo a higher-level scheme like the Common Criteria (CC). The SSC provides easier management of the certification project, and allows developers to enhance their capabilities and move towards CC and other Schemes (national and international) over time. It provides exposure to key components of the CC and a learning opportunity, and at the same time allows developers to obtain a nationally recognised certificate for their IT security products.
  • Consumer/Sponsor:
Consumers increasingly look for assurance through third party assessments. The SSC provides a basic level of confidence for sponsors through an entry-level and cost-efficient scheme.
  • Testing Laboratory:
The SSC qualifies laboratories for official CC evaluations under SCCS up to EAL 2. This provides opportunities for laboratories to scale up the relevant skills necessary for performing evaluations up to EAL 4 and to create evidence for an ISO 17025 audit.

Contact details:

IDA Certification Body
Resource Management & Standards Division
Infocomm Development Authority of Singapore (IDA)
10 Pasir Panjang Road
#10-01 Mapletree Business City
Singapore 117438
Republic of Singapore
Email: [email protected]


Evaluation/Certification Overview

There are basically four roles to be filled for a complete certification (the first two may be filled by the same company); for more details, see the SCCS/SSC publications:

  • Sponsor: A sponsor is the company or entity that officially requests a product or system to be evaluated and certified. The sponsor provides the financial means for the whole process.
  • Developer: A developer is the company or entity that creates the product or system. The developer provides all the technical support, documentation, material, evidence, etc. required for the evaluation. A developer may engage external consultancy for the evaluation project.
  • Testing Laboratory: The testing laboratory is an independent third party, approved by the CB, which uses the inputs from the developer to perform the evaluation tasks. The testing laboratory creates intermediate reports as well as a final Evaluation Technical Report (ETR), and submits them to the Certification Body for assessment.
  • CB: The Certification Body is the authority that oversees the whole evaluation process. Upon successful evaluation by the test lab and verification by the CB, the CB issues the official certificate and publishes a Certification Report.

It should be noted that a (successful) evaluation and certification does not imply any endorsement, promotion, or recommendation of the product or system by the CB. Nor does it imply any responsibility whatsoever in case a product still contains faults or vulnerabilities. A certificate is the result of a pre-defined, impartial, repeatable process with a pre-determined level of investigation (in scope, rigor and depth) according to the claimed security functions and the achieved assurance level (AL).

Scheme Documents (New: Dec 2012)

Publication      Date         Title
IDA CB SSCP1     July 2012    Overview of Scheme
IDA CB SSCP2     Dec 2012     Requirements for Approving a SSC Testing Laboratory (TLAB)
IDA CB SSCP3     Dec 2012     Information Technology Security Evaluation and Certification
IDA CB SSCP4     July 2012    SSC Evaluation Criteria
SSC-CAF          July 2012    Certification Application Form

National Scheme Communication (NSC)

NSCs are official communications by the CB regarding guidelines and interpretations for SPA. The target audience is evaluators and developers/sponsors. On the one hand, they help to remove ambiguities in the application of the Scheme regulations or the actual evaluation and certification criteria. On the other hand, they may create new rules or provide interpretations and clarifications for existing publications in order to further standardise the evaluation and certification process.

A published NSC is either informational or binding. In contrast to an informational NSC, which is used to provide general or temporary information, a binding NSC implies that its application becomes mandatory for the affected area. A binding NSC becomes part of the official evaluation and certification criteria, and may affect both existing and new projects. There may exist unpublished, Scheme-internal NSCs, which are provided only to CCTLs or other bodies on a need-to-know basis.

Publication      Date         Title
NSC_0001         26/10/2010   Security Target Title Format
NSC_0002         18/01/2013   Monthly Project Status Report

Testing Laboratory

Testing laboratories are responsible for the evaluation tasks as defined within the Scheme. To operate as a test lab under SSC, a testing laboratory must be qualified and approved by the Certification Body. The following testing laboratory has been licensed to operate as a test lab: Nil

Evaluation Project List

Project    Eval ID    Evaluation Type    Sponsor    Acceptance    Assurance Claim
NIL



