Singapore Common Criteria Evaluation and Certification Scheme

The Singapore Common Criteria Evaluation and Certification Scheme (SCCS) was established in May 2005. It is a strategic initiative under the Singapore Infocomm Security Masterplan and iN2015 Masterplan to enhance cyber security, catalyse the trusted exploitation of IT for economic competitiveness and reinforce Singapore's reputation as a Trusted Hub. The Scheme is owned and overseen by the Infocomm Development Authority (IDA) of Singapore.

The SCCS provides a cost-effective infrastructure for info-communications companies to evaluate and certify their security products against the Common Criteria (CC) standard (ISO/IEC 15408) in Singapore. The framework is based on the Common Criteria Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (CCRA).

The objectives of the SCCS are:

  • To ensure that evaluations of IT products are performed to high and consistent standards, and are seen to contribute significantly to confidence in the security of these products;
  • To improve the availability of evaluated, security-enhanced IT products and protection profiles;
  • To eliminate the burden of duplicating evaluations of IT products and protection profiles in international markets; and
  • To continuously improve the efficiency and cost-effectiveness of the evaluation and certification process for IT products and protection profiles.

Contact details:

IDA Certification Body
Resource Management & Standards Division
Infocomm Development Authority of Singapore (IDA)
10 Pasir Panjang Road
#10-01 Mapletree Business City
Singapore 117438
Republic of Singapore
Email: [email protected]

Common Criteria

Common Criteria (abbreviated as CC) refers to the Common Criteria for Information Technology Security Evaluation, which is a set of publicly available standards. They define a catalogue of criteria, which are meant to be the basis for expressing and evaluating IT security properties. The CC standard consists of three parts:

  • Part 1: Introduction and general model
  • Part 2: Security functional components
  • Part 3: Security assurance components

The current versions of CC are 3.1 Revision 3 and Revision 4, which are available for free download at the CC portal.

The CC standards have also been published as international standards ISO/IEC 15408-1, ISO/IEC 15408-2, and ISO/IEC 15408-3. In addition to these standards, ISO/IEC has published another document (currently as a TR): "Guide for the production of Protection Profiles and Security Targets"; the currently available version is ISO/IEC 15446:2004.

Further information on CC, especially released and valid versions of the standards, is available at the main portal www.commoncriteriaportal.org/cc/

CC Part 1 states: "The CC does not address the evaluation methodology under which the criteria should be applied. This methodology is described in the Common Methodology for IT Security Evaluation" (CEM for short). Application of the CEM is a requirement for the formal arrangement and international recognition of Common Criteria Certificates under the mutual recognition arrangement between participating countries. The CEM is also published as an international standard; the last available version is ISO/IEC 18045:2005.

In addition to the CEM, there are further supporting documents. "A supporting document is a document that specifies the use of the CC or CEM in a particular field or domain of technology. There are two types of supporting document: a) Mandatory Technical Document, and b) Guidance Document". Further information is available at www.commoncriteriaportal.org/supporting/

Mutual Recognition

Internationally, CCRA (Common Criteria Recognition Arrangement) is the basis for the mutual recognition of CC certificates for IT products and Protection Profiles among its many members. More information about the CCRA, its structure, its membership types as well as the current members is available at the main portal www.commoncriteriaportal.org/ccra/

Singapore joined the CCRA as a 'Certificate Consuming Participant' in 2005. The SCCS was established in order to certify products and to become a 'Certificate Authorising Participant', which enables the international recognition of Common Criteria Certificates issued in Singapore. For the SCCS, IDA provides the function of the Certification Body.

Singapore, as a member of the CCRA, recognises Common Criteria certificates which have been authorised by Certificate Authorising Participants in accordance with the terms of the Arrangement (CCRA) and in accordance with the applicable laws and regulations of Singapore. Recognition refers to the acknowledgement that the evaluation and certification processes carried out by compliant CBs appear to have been carried out in a duly professional manner and meet all the conditions of the Arrangement (CCRA), and the intention to give all resulting CC certificates equal weight. Conditions for recognition under the CCRA are stated in Article 5 of the ‘Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security’ of May 2000. Product certificates issued under the CCRA by its members are listed on the official web page http://www.commoncriteriaportal.org/products/. Certified Protection Profiles are listed on http://www.commoncriteriaportal.org/pps/.

Within Singapore, the IDA Certification Body and the Singapore Infocomm Technology Security Authority (SITSA) work together to align IT security evaluation schemes within the Singapore context, and in this respect the National IT Evaluation Scheme (NITES) states that "products, which are already Common Criteria certified will be able to reuse previous evaluation results (subjected to conditions stated in the Scheme publications), a means to accelerate the evaluation process without compromising security."

Evaluation/Certification Overview

There are basically four roles to be filled for a complete certification (the first two may be filled by the same company); for more details, see the SCCS publications:

  • Sponsor: A sponsor is the company or entity that officially requests that a product or system be evaluated and certified. The sponsor provides the financial means for the whole process.
  • Developer: A developer is the company or entity that creates the product or system. The developer provides all the technical support, documentation, material, evidence, etc. required for the evaluation. A developer may engage external consultancy for the evaluation project.
  • CCTL: The CCTL is an independent third party, approved by the CB, which uses the inputs from the developer to perform the evaluation tasks. The CCTL creates intermediate reports as well as a final Evaluation Technical Report (ETR), and submits them to the Certification Body for assessment.
  • CB: The Certification Body is the authority that oversees the whole evaluation process. Upon successful evaluation by the CCTL and verification by the CB, the CB issues the official certificate and publishes a Certification Report.

It should be noted that a (successful) evaluation and certification does not imply any endorsement, promotion, or recommendation of the product or system by the CB. Nor does it imply any responsibility whatsoever in case a product still contains faults or vulnerabilities. A certificate is the result of a pre-defined, impartial, repeatable process with a pre-determined level of investigation (in scope, rigor and depth) according to the claimed security functions and the achieved assurance level (EAL).

Scheme Documents New - Dec 2012

| Publication | Date | Title |
|---|---|---|
| IDA CB SSP1 | April 2012 | Overview of the Scheme |
| IDA CB SSP2 | Dec 2012 | Requirements for Approving a Common Criteria Testing Laboratory (CCTL) |
| IDA CB SSP3 | Dec 2012 | Information Technology Security Evaluation and Certification |
| SCCS-CAF | April 2012 | Certification Application Form |

National Scheme Communication (NSC)

NSCs are official communications by the CB regarding guidelines and interpretations for SCCS. The target audience is evaluators and developers/sponsors. On the one hand, they help to remove ambiguities in the application of the Scheme regulations or the actual evaluation and certification criteria. On the other hand, they may create new rules or provide interpretations and clarifications for existing publications in order to further standardise the evaluation and certification process.

A published NSC is either informational or binding. In contrast to an informational NSC, which is used to provide general or temporary information, a binding NSC implies that its application becomes mandatory for the affected area. A binding NSC becomes part of the official evaluation and certification criteria, and may affect both existing and new projects. There may exist unpublished, Scheme-internal NSCs, which are only provided to CCTLs or other bodies on a need-to-know basis.

It is necessary (and common practice for Schemes within CCRA) to publish such national interpretations. Although they constitute additional requirements only under the national Scheme, unless specifically indicated, they apply to certification projects aiming for international recognition as well. This is different from Supporting Documents, which are valid for all Schemes under CCRA.

| Publication | Date | Title |
|---|---|---|
| NSC_0001 | 26/10/2010 | Security Target Title Format |
| NSC_0002 | 18/01/2013 | Monthly Project Status Report |

CC Testing Laboratory

Testing laboratories (CCTL for short, also commonly referred to as ITSEF) are responsible for the evaluation tasks as defined within CC/CEM. To operate as a CCTL under SCCS, a testing laboratory must be qualified and approved by the Certification Body. The following testing laboratory has been licensed to operate as a CCTL:

Brightsight Asia Pacific Pte Ltd
Attn Lab Manager
111 North Bridge Road
#07-25 Peninsula Plaza
Singapore 179098
email: [email protected]

Evaluation Project List

| Project | Eval ID | Evaluation Type | Sponsor | Acceptance | Assurance Claim |
|---|---|---|---|---|---|
| Waterfall Unidirectional Security Gateway | IDA_RMS_T1_0208 | Product Evaluation | Waterfall Security Solutions Ltd | 10 Apr 2012 | EAL 4+AVA_VAN.5, ALC_FLR.2, ALC_DVS.2 |

The table above lists all projects currently under evaluation.

