Singapore Common Criteria Scheme
Launched by Prime Minister Lee Hsien Loong at the Singapore International Cyber Week in 2021, Singapore’s Cybersecurity Strategy outlines how we will strengthen the resilience of Singapore’s cybersecurity. The Strategy is underpinned by three strategic pillars and two foundational enabler, namely Build Resilient Infrastructure; Enable a Safer Cyberspace; and Enhance International Cyber Cooperation; Develop a Vibrant Cybersecurity Ecosystem; and Grow a Robust Cyber Talent Pipeline respectively.
To ensure a resilient infrastructure, cybersecurity must be an important consideration when companies design their systems and networks. Establishing cybersecurity measures early will benefit companies by protecting them from the reputational and financial risks posed by cyber threats. This Security-by-Design approach is more cost-effective than trying to implement measures after systems have been already designed and put in place. Product assurance, whereby products are evaluated and certified based on international standards such as Common Criteria (CC), is part of the Security-by-Design approach to reduce attack surface.
About the Common Criteria (CC)
The genesis of CC was developed through a collaboration among national security and standards organisations in Canada, France, Germany, the Netherlands, the United Kingdom and the United States as a common standard to replace their existing security evaluation criteria.
The CC is now recognised as the ISO/IEC 15408.The CC is adopted by members of the Common Criteria Recognition Arrangement (CCRA) in order to facilitate mutual recognition of evaluation and certification results. As a result, consumers can benefit from having a wider choice of CC certified IT products, and developers will benefit from having greater access to markets and understanding of the security requirements (described in the form of collaborative Protection Profiles).The CC harmonises the evaluation of IT products by defining a common set of security functions which product developers use to establish the security requirements of their IT products in a standardised language. The Common Methodology for IT Security Evaluation (CEM) (ISO/IEC 18045) is used for evaluating the product against the established security requirements, confirming that the product is capable of meeting these requirements with an appropriate level of assurance.
The Singapore Common Criteria Scheme (SCCS) is established to provide a cost effective regime for the info-communications industry to evaluate and certify their IT products against the CC standard in Singapore. The SCCS is owned and managed by the Cyber Security Agency of Singapore (CSA).
More information about the CC and the list of certified products are available on the CC portal (https://www.commoncriteriaportal.org).
Acceptance Criteria
To be evaluated under the SCCS, products should preferably:
- claim conformance to a collaborative Protection Profile (cPP);
- claim conformance to a National Protection Profile published by CSA; or
- claim conformance to a Protection Profile endorsed/approved by CSA.
*Note: Products not claiming conformance to the above (i.e. ST only evaluations) may be accepted on a case-by-case basis. Please contact CSA for further guidance.
Common Criteria Users Forum (CCUF)
The CCUF ( https://ccusersforum.org) provides a platform for discussion amongst the CC community. CSA strongly encourages parties who are interested in Common Criteria to sign up and participate in the discussions.
Enquiries
For more details on the different certification schemes for cybersecurity products by CSA, download the Cybersecurity Certification Guide.
Please send any enquiries to sccs@csa.gov.sg.