atsec information security

Common Criteria Certification in China: A comparison with the schemes of the CCRA

Helmut Kurth, Yan Liu, David Ochel and Fiona Pattinson
atsec information security

Zhang Li
China Information Technology Security Certification Center



The Common Criteria standards have evolved from the criteria defined by various nations such as Europe’s ITSEC, TCSEC (the Orange book), Canada’s CTCPEC and the U.S. Federal Criteria. They have been supported due to the recognition that a common set of criteria offers real advantages to co-operating users of assured IT products.

The Common Criteria standards are developed by the Common Criteria Development Board (CCDB). The nations represented on the development board have been joined by several other nations as signatories to the Common Criteria Recognition Arrangement (CCRA) [12], which allows for mutual recognition of certificates produced under schemes that are part of the arrangement (up to an evaluation assurance level of 4). The arrangement is based on the use of the Common Criteria and the Common Evaluation Methodology (CEM). There are currently nine certificate-producing nations and thirteen certificate-consuming nations that participate in the arrangement.

Even for nations and other organizations that do not participate in the arrangement, the Common Criteria standards have been recognized as key, and have been approved by many more nations through international review and the publishing of the standards by the International Standards Organization as ISO/IEC 15408 (parts 1-3) and ISO/IEC 18045.

The Common Criteria standards may also be used outside the arrangement agreed by the members of the Common Criteria Recognition Arrangement (CCRA) [12]; one example is SOGIS, another recognition scheme used in the European region. A further example of a nation that has adopted the ISO/IEC version of the standards, but which has not joined the CCRA, is P.R. China. In this article, we explore the Chinese scheme and highlight some of the differences between this scheme and those of the CCRA, using one CCRA member scheme as an example.

In order to meet a requirement of the World Trade Organisation (WTO) [1], China developed a strategy for building out and globalizing its information infrastructure. In 1997, China began an information security certification scheme with the establishment of an official information security certification system.


Figure 1 shows the history and relationship of the Criteria within ISO and the CCDB.

Most nations involved with information security certification enjoy the benefits of participation in the recognition arrangement, such as the recognition of certificates of product evaluations at EAL4 or below by different schemes that are represented within the arrangement.


Figure 2: The evaluation and validation schemes of the CCRA.

Certificate-producing nations are those that have a national scheme for conducting evaluations that is run in accordance with the provisions of the CCRA. As of July 2006 they are: Australia; Canada; France; Germany; Japan; Republic of Korea; The Netherlands; New Zealand; Norway; United Kingdom and United States of America.

Certificate-consuming nations do not have a national scheme for conducting evaluations but have agreed to accept the certificates produced by the nations listed above. These nations are Austria; Czech Republic; Denmark; Finland; Greece; Hungary; India; Israel; UCSi from Italy; Republic of Singapore; Spain; Sweden and Turkey.

The evaluation and validation scheme in P.R. China

According to its web site [10], CNITSEC was originally established in 1997 and operated as the “China Internet Security Certification Center” from July 1998. In October 1998, the China State Bureau of Technical and Quality Supervision (CSBTQS) authorized it under the name “China National Information Security Testing Evaluation and Certification Center” (CNISTEC). In February 1999, CNITSEC and its testing laboratory were respectively approved by CNACP (China National Accreditation Council for Production) and CNACL (China National Accreditation Committee Laboratories). In the same year, CSBTQS issued the following policies: “China State IT Security Certification Management Committee Rules”, “China State IT Security Certification Management Regulations” and “China State IT Security Certification Mark and the First Certified IT Security Products Catalogue”.

In May 2001, the Certification Center was renamed, and its present name, “China Information Technology Security Certification Center”, abbreviated as CNITSEC, was adopted.

As shown in Figure 3 (the current Chinese scheme for Common Criteria assurance), the structure of the scheme is a three-tier system similar to that used under the CCRA, but with more surveillance mechanisms among the different levels throughout the whole procedure.


Figure 3: The Chinese scheme for Common Criteria assurance.

Level 1: ITSECRC
ITSECRC, the China National Information Technology Security Certification Regulation Committee, is the government regulatory body overseeing CNITSEC and the industry directly.

The Chinese government is further strengthening and supporting ITSECRC by giving it the power to issue regulatory memorandums related to IT security certifications to a broader range of government branches, including the Ministry of Public Safety, the Ministry of Information Industry, the Bureau of Quality Inspection, China’s secret service, and other agencies. The exceptions are the military system, which has its own certification center, and the National Bureau of Secrecy (non-commercial encryption products).

In the U.S., the equivalent of this role is a combination of two things. First, the Management Committee named in the CCRA ensures the quality of the national schemes by performing periodic assessments (as defined in Annex D and Annex G.3 of the CCRA) and other tasks defined in Annex H of the CCRA. Second, management is defined at the national level: in the U.S., the CCEVS is part of NIAP, which (as of now) is part of the Information Assurance department within the NSA, and the NSA is part of the Department of Defense (DoD). In addition, the accreditation of labs in the U.S. is a joint effort of NVLAP (which is part of NIST, which itself belongs to the Department of Commerce (DoC)) and NIAP.

Level 2: CNITSEC
CNITSEC: China Information Technology Security Certification Center

http://www.itsec.gov.cn/
CNITSEC has the government’s authority to fulfil China’s national IT security certification responsibilities. In accordance with the Chinese laws on product quality certification and IT security management, CNITSEC operates and maintains the national evaluation and certification scheme for IT security.

The main functions of CNITSEC are as follows:

  • test, evaluation and certification of information security products and technology;
  • evaluation and certification of information systems security;
  • evaluation and certification of the qualification of IT service providers;
  • evaluation and certification of information security professionals.

As the globalization of information technology has progressed, all the developed countries in the world have established their respective evaluation and certification schemes for IT security. After entry to the WTO, China will gradually establish an evaluation and certification scheme covering the whole country and the major industries.

CNITSEC is responsible for certifying the IT security products, information systems, IT security service providers, and security professionals that have passed evaluation.

Level 3: Accredited test and evaluation labs
At the third level are the accredited test and evaluation labs or centers, which are authorized by CNITSEC and have the ability to carry out evaluations. All the third-level bodies must be accredited by CNAL. CNAL is a member of ILAC, the International Laboratory Accreditation Cooperation (http://www.ilac.org/), which has a mutual recognition arrangement with 52 other laboratory accreditation agencies, including the U.S. NVLAP (National Voluntary Laboratory Accreditation Program).

There are several CNITSEC-accredited test and evaluation sub-centers (labs) throughout P.R. China:

  • China Information Technology Security Certification Center Shanghai Test and Evaluation Center.
  • China Information Technology Security Certification Center Computer Test and Evaluation Center.
  • China Information Technology Security Certification Center Central China Test and Evaluation Center.
  • China Information Technology Security Certification Center Northeast Test and Evaluation Center.
  • China Information Technology Security Certification Center Shenzhen Test and Evaluation Center.
  • China Information Technology Security Certification Center Southwest Test and Evaluation Center.
  • China Information Technology Security Certification Center Yunnan Test and Evaluation Center.
  • China Information Technology Security Certification Center Chongqing Test and Evaluation Center.
  • China Information Technology Security Certification Center Test and Evaluation Technology Lab.
  • China Information Technology Security Certification Center Mutual Operation Test and Evaluation Center.
  • China Information Technology Security Certification Center Identification & Authentication Products and Technology Test and Evaluation Center.
  • China Information Technology Security Certification Center Shandong Test and Evaluation Center.
  • China Information Technology Security Certification Center Northwest Test and Evaluation Center.
  • China Information Technology Security Certification Center Henan Test and Evaluation Center.
  • China Information Technology Security Certification Center Hebei Test and Evaluation Center.