Do you need Common Criteria (CC) or Federal Information Processing Standards (FIPS) 140 services?

These two programs appear similar at first glance. Both can cover encryption; both may be required for a US Government purchase; and both are done by commercial laboratories that are certified by the US and Canadian governments. However the focus of the CC and FIPS programs are different.

The CC Evaluation is a focused examination of the security claims of a system or product. This includes the strength of the claims and the design, as well as testing of the execution of the claims. FIPS 140 validation is often required when ecryption is used.

The primary document of a CC Evaluation is the Security Target (ST); it often follows a Protection Profile as the design requirements for a type of system or product. A CC Evaluation is typically required by the US Department of Defense for security equipment used to support a secure environment.

The FIPS 140-2 requirements are the result of the US and Canadian governments’ evaluation of the encryption marketplace, emphasizing standards compliance whenever possible. The main document of the FIPS 140-2 is the Security Policy. It focuses on providing the user with the procedures to place and operate the module in FIPS 140-2 mode, the encryption provided by the module, and the necessary maintenance procedures.

Please contact the Director of the CEAL (FIPS 140) ceal@cygnacom.com or Director of the SEL (CC) Lab selinfo@cygnacom.com for more information on testing security products.