Singapore can now certify security products based on Common Criteria

Singapore has achieved the status of a Certificate Authorising Nation under the Common Criteria Recognition Arrangement (CCRA) in a move that could bolster the local cyber security industry.

Common Criteria (CC) is a technical standard used by governments and industry to evaluate and certify IT security products, while the CCRA is an international scheme for the mutual recognition of CC certificates across 30 nations, of which 18 issue certificates.

A CC certification body has been set up by the Cyber Security Agency of Singapore (CSA). It is responsible for ensuring that product evaluation undertaken by approved Common Criteria Testing Laboratories (CCTL) in Singapore conforms to strict security requirements before issuing a CC certificate.

Like most countries in Asia, Singapore’s cyber security market is being dominated by global suppliers, although there is a growing pool of local cyber security companies such as Infotect Security and ST Engineering Electronics.

With Singapore becoming a Certificate Authorising Nation, these cyber security firms no longer need to send their products overseas for certification. They can also expect lower costs and shorter time in attaining an internationally-recognised certification mark, according to the Infocomm and Media Development Authority (IMDA).

The IMDA said this will “facilitate the exportability of IT security products produced in Singapore and strengthens Singapore’s competitiveness in the global cyber security market”.

At the same time, Singapore will also be able to create more job opportunities for skilled cyber security professionals, and attract global evaluation and testing laboratories to anchor their operations in the city-state.

Germany’s T-Systems, for one, has already set up a CC evaluation lab in Singapore. As an approved CCTL, the new facility has purpose-built rooms for electrical, mechanical and software testing, which will be used to evaluate devices and systems according to seven evaluation assurance levels (EALs) that detail different levels of security requirements.

T-Systems said its Singapore lab will be able to evaluate and provide assurance of up to EAL4, in excess of the internationally recognised level of EAL2, while its labs in Germany will provide assurance to the maximum EAL7 category.

As part of efforts to support the local talent market, T-Systems has been hiring and training local graduates for its Singapore lab. The graduates are trained in the latest tools and techniques, and as part of T-Systems’ investment in their careers.

“With CSA and T-Systems working together, Singapore will be equipped with the competencies and infrastructure to offer solution providers a cost competitive, efficient and reliable means to obtain Common Criteria evaluation and certification,” said Arkadiusz Czopor, managing director for Asia South at T-Systems.

“This also further cements Singapore in the region as an international hub and will build upon the nation's reputation of implementing advanced technology that is safe and secure,” he added.

Singapore has been “consuming participant” under the CCRA since 2005, enabling it to participate in the scheme without the ability to certify. It was until mid-2016 when the CSA worked towards achieving the status of Certificate Authorising Nation.

Other authorising nations include UK, Germany, France, US, Canada, the Netherlands, Australia, New Zealand, Italy, Spain, Norway, Sweden, Japan, Turkey, India, South Korea and Malaysia.