Last update : 01/26/2011


When a Common Criteria evaluation is performed the evaluators will try to identify vulnerabilities in the product which allow exploits with an attack potential lower than required by the POI PP. If there are exploits which are possible, below the specified attack potential, then the product will fail the evaluation, unless changes are made which increase the difficulty of the attacks.

Where attacks are possible, but their difficulty results in an attack potential score higher than that required by the POI PP (known as residual vulnerabilities), then the product will pass the certification, and a CC certificate will be issued. The full Evaluation Technical Report, which is produced by the lab at the end of the evaluation, will document the various identified attacks, with their associated attack potentials.

The ETR for risk management, which will be produced by the evaluation lab, is provided in support of the final certificate, to enable certificate consumers to understand the details of the residual vulnerabilities - to inform future decisions which may decide, for example, length of validity of a certificate, or actions to be taken when a new attack method is identified. The aim is to provide the right level of information without unduly exposing the developer’s know-how.

The content of the ETR for risk management will be defined at a later stage during the pilot process.

Vulnerabilities will be identified in a product during the evaluation. An attack potential will be calculated for each vulnerability during the evaluation. Attacks where the attack potential is lower than the specified requirement will cause the device to fail.

Attacks where the attack potential is higher than required by the specification (POI PP) are considered to be residual vulnerabilities.

No - the ETR for Risk Management is merely an additional form of report from the evaluation - it does not impose any additional requirements on the product developer, nor on the evaluation, save for the requirement to produce the ETR for Risk Management itself.

This is an issue which will be addressed during the Pilot in discussion with the JTEMS and OSeC groups and also with the CC JIWG. It must be understood that Approval Bodies and markets are today very different from one another, which can lead to different risk analysis conclusions. Nevertheless, the shared approach of Approval Bodies involved in the OSeC pilots is to gain a common understanding of the assurance level provided by the CC process which should lead to aligned approval decisions.