General statements on certification

The BSI seeks to inform users and members of the German certification scheme about current topics.

BSI offers certifications according to the latest Common Criteria standard (CC:2022)

The certification of IT products makes an important contribution to raising the level of cyber security in Germany. The Federal Office for Information Security (BSI) has been offering certifications according to the latest Common Criteria standard since 2023. The new version of the standard allows requirements to be defined in more detail. To this end, it introduces new concepts such as "multi-assurance", extended modularisation and the possibility of "composition of assurance", all of which are described in detail in the new standard.
The BSI expressly recommends that manufacturers of IT products use the new standard, both for its technical advances and in order to be prepared for the future European certification scheme EUCC. Alongside the further development of the standards, the BSI certification body therefore places a strong focus on lean and efficient certification procedures.
The new version of these criteria was adopted by the International Organization for Standardization (ISO) (ISO/IEC 15408-X:2022 and ISO/IEC 18045:2022) and subsequently adapted and published in the Common Criteria Recognition Agreement (CCRA) (CC:2022 Release 1 and CEM:2022 Release 1). This now enables the BSI to offer certification procedures in accordance with the new standard. At the same time, these newly issued certificates are also covered by the CCRA and SOGIS-MRA recognition agreements. Revised CC application forms can be found here.
The previous version of the standard can still be used for a limited period of time. Details on the internationally agreed transitional regulations can be found here.
In preparation for the new standard, the BSI has further developed its CC training and has already integrated the new features.

Statement on the SOG-IS MRA in relation to the updated CCRA (July 2015)

Against the background of the updated CCRA, the German Common Criteria Certification Scheme of the Federal Office for Information Security (BSI) has adopted principles for the application of collaborative protection profiles (cPPs) in the European and German context. Under the conditions of the CCRA, international mutual recognition of certificates covers either certificates conformant to a cPP or, for other evaluations, Evaluation Assurance Levels (EAL) 1 to 2. Members of the SOG-IS MRA recognise certificates up to and including EAL 4, or higher in specific technical domains.

The role of the SOG-IS MRA in the context of the EU

Competent national authorities cooperate at the European level within the SOG-IS MRA. The SOG-IS MRA is therefore the point of contact for all stakeholders, including the European Commission. This circle provides a neutral and objective platform on which current evaluation assurance challenges can be met in a pragmatic, results-oriented way. In particular, the SOG-IS MRA endorses recommended protection profiles, which are in the interest of all members and can be made mandatory by the EU. These are harmonised among all members through a confirmation process and sustainably strengthen trust in a digital economy and a digital society.

Certification with high assurance

Security of IT products is fundamental for the trust of citizens, business and public administration in the digital society. In particular, protecting the confidentiality of data on the Internet is a concern in the EU. Several EU laws currently require certification of products with high assurance. The supporting protection profiles are developed by European standardisation organisations or other institutions, published as SOG-IS MRA recommended and applied by SOG-IS MRA members.
While the CCRA aims to make evaluations fully comparable and repeatable, the SOG-IS MRA recognises that especially to achieve high assurance levels, an evaluation is more elaborate and needs to make greater use of the evaluators' knowledge and skills. This expertise and experience within specific product categories or technical domains is established in collaboration with industry in technical working groups and is regularly and conscientiously cross-checked among SOG-IS MRA members through technical supervision.
In contrast to the CCRA, the SOG-IS MRA allows for the mutual recognition of a wider range of assurance levels, enabling medium or even high assurance to be achieved if necessary. The SOG-IS MRA is therefore beneficial to international trade not only for EU industry but also for non-EU manufacturers.

Summary

The BSI will itself use international collaborative protection profiles if they meet the requirements of specific national stakeholders or the European community (public administration, markets and industry). This may explicitly include the need for additional security functionality or customisation in terms of higher assurance.
Under the updated CCRA, product certificates can only be issued under a cPP to the exact extent of that PP. This follows from Annex K.3 of the CCRA. It means that a CCRA product certificate cannot claim additional security functionality or higher assurance than the cPP describes. In such cases, the BSI issues two certificates based on one evaluation procedure for the product: a CCRA certificate conformant to the cPP, and a supplementary SOG-IS MRA certificate covering the additional security requirements.
For evaluations that do not conform to a cPP, the BSI will continue to issue certificates above EAL 2 where appropriate and to recognise those up to EAL 4, or higher in defined technical domains, as before under the SOG-IS MRA. Such certificates are mutually recognised by the CCRA nations up to EAL 2. Where higher assurance levels are needed because of regulatory security requirements or similarly strong reasons, the BSI also issues certificates beyond the scope of mutual international recognition.