Singapore’s Cybersecurity Strategy was launched by our Prime Minister at the Singapore International Cyber Week (or SICW) on 10 October 2016. It aims to establish a resilient and trusted cyber environment, underpinned by 4 pillars: First, to strengthen the resilience of our Critical Information Infrastructures (CIIs), Second, to mobilise businesses and the community to create a safer cyberspace, Third, to develop a vibrant Cybersecurity ecosystem comprising a skilled workforce, technologically-advanced companies and strong research collaborations. And last but not the least, given that cyber threats do not respect sovereign boundaries, we will step up efforts to forge strong international partnerships. This we hope will secure a better future for Singapore, as we move forward to become a smart nation.
In building a resilient infrastructure, we promote security-by-design, i.e. To incorporate security considerations upfront in the design stage of a system, not as an afterthought. Product assurance, whereby products are evaluated and certified based on international standards such as Common Criteria (CC), is part of this security by design strategy to reduce attack surface.
About the Common Criteria (CC)
The genesis of CC was developed through a collaboration among national security and standards organisations in Canada, France, Germany, the Netherlands, the United Kingdom and the United States as a common standard to replace their existing security evaluation criteria.
The CC is now recognised as the ISO/IEC 15408.The CC is adopted by members of the Common Criteria Recognition Arrangement (CCRA) in order to facilitate mutual recognition of evaluation and certification results. As a result, consumers can benefit from having a wider choice of CC certified IT products, and developers will benefit from having greater access to markets and understanding of the security requirements (described in the form of collaborative Protection Profiles).The CC harmonises the evaluation of IT products by defining a common set of security functions which product developers use to establish the security requirements of their IT products in a standardised language. The Common Methodology for IT Security Evaluation (CEM) (ISO/IEC 18045) is used for evaluating the product against the established security requirements, confirming that the product is capable of meeting these requirements with an appropriate level of assurance.
The Singapore Common Criteria Scheme (SCCS) is established to provide a cost effective regime for the info-communications industry to evaluate and certify their IT products against the CC standard in Singapore. The SCCS is owned and managed by the Cyber Security Agency (CSA) of Singapore.
More information about the CC and the list of certified products are available on the CC portal (http://www.commoncriteriaportal.org).
To be evaluated under the SCCS, products should preferably:
- claim conformance to a collaborative Protection Profile (cPP);
- claim conformance to a National Protection Profile published by CSA; or
- claim conformance to a Protection Profile endorsed/approved by CSA.
*Note: Products not claiming conformance to the above (i.e. ST only evaluations) may be accepted on a case-by-case basis. Please contact CSA for further guidance.
Common Criteria Users Forum (CCUF)
The CCUF (http://ccusersforum.org) provides a platform for discussion amongst the CC community. CSA strongly encourages parties who are interested in Common Criteria to sign up and participate in the discussions.
Please send any enquries to firstname.lastname@example.org.