Re-evaluation standards for Common Criteria (CC) certification are expected to be eased in South Korea in the upcoming year. The South Korean Government will also provide consulting for new security companies.
According to the Ministry of Science and ICT (MSIT) on Tuesday, a “CC Certification System Improvement Plan” based on the above is expected to be announced next month. The improvement plan will include specific measures to resolve issues that security companies currently face.
“We currently request re-evaluation of CC certification when security software (SW) is changed,” said Jung Jae-wook, head of the MSIT’s Cyber Attack Response Department. “We plan to ease the standard for re-evaluation so that security companies can obtain approvals for partial changes without having to obtain CC certifications again.”
Improvement in re-evaluation has long been sought by the security industry. Because the current standard requires security companies to obtain a CC certification again even if they change only a small part of their security software, it has placed a huge burden on them in terms of cost and time.
Once the standard is eased, it will take only a few weeks for security companies to obtain a CC certification again, whereas it takes about a year at the moment. They will also be able to save anywhere between thousands and tens of thousands in costs. The South Korean Government is currently in talks with certification agencies, evaluation agencies, and the security industry in order to ease the re-evaluation process.
Regarding criticism that CC certification prevents new technologies such as cloud security from being developed, the MSIT and the National Intelligence Service (NIS) have been in talks to come up with solutions. The NIS has been looking into a new way of certifying SECaaS (Security as a Service).
Improving a Protection Profile (PP) to accommodate new security technologies is an issue related to requirements for national security. The NIS will receive opinions from the industry regarding how to improve requirements for national security through the MSIT and review such opinions.
A website will also be created that lets security companies see how their CC certifications are progressing through evaluation at the five CC certification evaluation agencies, namely Korea System Assurance (KOSYAS), Korea Security Evaluation Laboratory (KSEL), Telecommunications Technology Association (TTA), Korea Information Security Technology (KOIST), and Korea Testing Certification (KTC), and how long each step is going to take. The website will remove the inconvenience of having to ask each agency about its evaluation process and estimated time, and will prevent one or a few agencies from being flooded with applications for CC certification, as happened this year.
The improvement plan will also include a plan to extend the effective period for CC certification in South Korea from three years to five years. The South Korean Government recognizes the effective period of a CC certification as three years because CC certifications in South Korea are regarded as more vulnerable than international CC certifications. Security companies have been pointing out that this works as reverse discrimination against them, since the effective period differs from that of international CC certifications. It is reported that the issue was received by an ombudsman of the Ministry of SMEs and Startups and that the South Korean Government is working on resolving it.
The practice of public agencies requiring CC certifications across the board will be changed as well. There have been many cases where officials from public agencies require companies that are not subject to CC certification to obtain it anyway in order to avoid any responsibility for cyber attacks. The NIS plans to establish clear guidelines by holding presentations for officials from public agencies.
Staff Reporter Oh, Dain | firstname.lastname@example.org