The Fox DataDiode has been awarded the highest possible certification of the Common Criteria scheme: EAL7+. It has undergone and passed the most rigorous testing of IT security aspects. The Common Criteria is widely regarded as the international gold standard for high assurance certifications.
A Common Criteria Security Target is the specification of the exact guarantees offered by the tested product. The Security Target also determines the level (rigor) of the Common Criteria evaluation. These Evaluation Assurance Levels (EAL) range from 1 to 7.
The Fox DataDiode has been awarded multiple Common Criteria certifications against different Security Targets. Over time the Fox DataDiode has been certified against increasingly rigorous security targets. The current most important level is the EAL7+ level; the Fox DataDiode is the highest certified European security product.
The following Common Criteria evaluations have been awarded:
- 2010: EAL7+ (Dutch Scheme) – Security Target – Certificate – Certification Report
- 2010: EAL4+ (Norwegian Scheme) – Security Target
- 2009: EAL4+ (Dutch Scheme) – Security Target – Certificate – Certification Report
All Common Criteria Security Targets can be found at the Common Criteria Portal under Boundary Protection and Other Devices.
Common Criteria background
What are the Common Criteria?
The Common Criteria (CC) are an internationally agreed technical basis for evaluation and recognition of information technology (IT) security products. These products are evaluated by a competent and independent licensed laboratory against IT security claims made in formal supporting documents. If successful, the result is a certificate issued by one or more Certificate Authorization Schemes, recognised by all national and international Participants.
What countries participate in Common Criteria?
The current CC members are Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Korea, Malaysia, Netherlands, New Zealand, Norway, Pakistan, Singapore, Spain, Sweden, Turkey, United Kingdom, United States.
Evaluation Assurance Levels
The levels are the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic and EAL 7 being the most stringent.
What does the + in 7+ stand for?
Evaluation Assurance Levels can be “augmented” with requirements from a higher assurance level. In the case of the Fox DataDiode, the EAL 7+ stands for a complete evaluation based on all classes within the Common Criteria.
The Common Criteria Recognition Agreement (CCRA) in the field of IT security between its Participants contains an Arrangement stating it is mutually understood that the Participants recognize the certificates which have been authorised by any other certificate authorising Participant. This covers claims of compliance against any of the Common Criteria assurance components required for Evaluation Assurance Levels 1 through 4. Evaluations up to EAL 7 have an additional European agreement under SOGIS MRA for the following European countries: Finland, France, Germany, Greece, Italy, the Netherlands, Norway, Spain, Sweden, Switzerland and the UK.
In other words, the Fox DataDiode with EAL 7+ is recognized by (almost) all European nations up to and including Common Criteria EAL 7.