Common Criteria Certification for Cloud Services: A New Era in Security Evaluation

23/04/2025

    Historical Context and the Need for Change 

    Common Criteria (CC) has traditionally focused on evaluating the security features of IT products, primarily hardware and software. This approach, while effective for standalone products, left a significant gap in the evaluation of cloud services and Software as a Service (SaaS) solutions. The rapid growth of cloud computing and the increasing reliance on these services in critical infrastructure and national security systems necessitated a reevaluation of the CC framework. 

    Global Approach to Cloud Service Evaluation

    Different countries have taken different approaches to evaluating cloud services under the Common Criteria framework and under their own national cybersecurity schemes. Historically, the main efforts to ensure the cybersecurity of cloud services targeted the infrastructure level (for example ISO 27017, C5 from Germany's BSI, SecNumCloud in France or ENS in Spain).

    The software "product" itself was either not evaluated at all, or its on-premises version was used to conduct the evaluation. With the popularization of cloud-native products such as SaaS, this approach has become obsolete, and different initiatives were developed to find more comprehensive solutions to the problem.

    European Union: Adaptation of National Schemes

    In Europe, several national agencies have adapted existing methodologies to tackle the evaluation of cloud services, for example STIC evaluations in Spain or CSPN in France, which take a more practical approach aimed at securing the cloud service itself, not only the infrastructure.

    This approach still has some limitations, as Javier Tallón, director at jtsec Applus+, presented at the International Common Criteria Conference in Washington D.C. in his talk "Experiences evaluating cloud services and products".

    United States: NIAP and the NIAP Policy Letter #32

    In the United States, the National Information Assurance Partnership (NIAP) has taken a significant step forward in adapting Common Criteria (CC) evaluations for cloud services with the publication of NIAP Policy Letter #32 on February 1, 2025. This policy marks a crucial shift in NIAP's approach, moving beyond the traditional focus on "products" to include "Services" and Cloud-based Software as a Service (SaaS) evaluations. 

    Key aspects of NIAP Policy Letter #32 about CC Cloud services include: 

    • Terminology shift: The use of the terms "Service" and "Cloud-based SaaS evaluations" is a notable change in terminology, suggesting that NIAP's position is starting to evolve towards a modernized approach to CC.
    • Suitability Review: Labs must now perform a Suitability Review, identifying all Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) likely to require Technical Queries (TQs). This list must be provided as part of the Check-In package, potentially introducing risks to vendors due to the time required to resolve TQs before kickoff. 
    • Mutual Authentication: Mutual authentication was typically a selectable requirement, but it is now mandated by Policy Letter #32. NIAP has clarified that wherever mutual authentication is currently available as a selection in an SFR, it is expected to be implemented. As Protection Profiles are updated to include cloud use cases, they will likely be updated to include this requirement as well, so vendors should plan to support it in the future.
    • FedRAMP Authorization: Just as NIAP has required FIPS and CAVP certifications for cryptographic functions under Policy 5, NIAP will now require a FedRAMP Authorization for a cloud-based TOE operating environment (the Cloud Service Provider's environment or cloud service offering). While this is a step in the right direction for the recognition and reuse of other relevant certifications, it does pose a challenge for other schemes that have their own equivalent of FedRAMP, such as Germany/BSI (C5), France/ANSSI (SecNumCloud) or Spain/CCN (STIC). Mutual recognition of these cloud authorization frameworks would be a step forward in reusing evaluation efforts across the community.
    • Platform Requirements: Depending on the TOE, it is likely to rely on the underlying platform to implement certain functionality. In this scenario, Policy Letter #32 requires that the platform be on the NIAP Product Compliant List (PCL). This may pose a risk if the platform is an operating system (OS), since there is not a wide variety of OSs currently evaluated or listed on the PCL. The evaluation of an OS could also take long enough that the evaluated version becomes outdated before it is listed on the PCL. Additionally, if the service is cloud-native, relying on a PCL-listed platform might not even be feasible.
    • Third-party Components: Vendors also need to be prepared to supply a list of all third-party components identified by name, version and build number, effectively a Software Bill of Materials (SBOM). This could pose a risk to vendors that do not already have mature processes and tooling in place to enumerate this information. Compiling it manually could take a significant amount of time and resources, ultimately putting the evaluation timeline at risk if it is not addressed before Check-In.
    • Open questions for laboratories: For Common Criteria laboratories, there are still questions on what this policy will mean for testing environments and staffing. What requirements will there be on building and maintaining cloud-based testing environments, and what relationships will labs need to have with cloud service providers to facilitate this? Will current lab staff need to enhance cloud technology-specific skillsets? If conducting remote testing to a vendor-controlled cloud environment, what additional access and evidence will need to be collected to satisfy NIAP remote testing requirements? 
    • Flexibility for Deviations: "Any request for a deviation from any part of this policy must be submitted to the NIAP Director in writing as early as possible in the evaluation and will be resolved on a case-by-case basis." NIAP is clearly approaching this with a degree of caution and appears open to working with vendors and labs to accommodate TOE-specific circumstances while it gathers more data to inform stronger policies for cloud evaluations going forward.

    Experience of Lightship Security with Microsoft Cloud Service Evaluation 

    Lightship Security, an Applus+ Laboratories company, has been involved in a pilot project led by NIAP to conduct a Common Criteria evaluation of Microsoft Intune, a cloud-based product. Intune focuses on mobile device management (MDM) and mobile application management (MAM).

    Key Takeaways from Microsoft Intune Common Criteria Evaluation

    • During the evaluation, several Technical Queries were submitted, with some resulting in Technical Decisions being issued. In other cases, alternative testing methods or evidence types were approved for specific SFRs or SARs. 
    • NIAP has acknowledged that some issues raised during this evaluation require further analysis and discussion before meaningful resolutions can be made. 
    • The Mobile Device Management (MDM) Protection Profile included language about cloud environments, which helped contextualize certain assumptions and environmental components. However, the lack of cloud-specific SFRs and evaluation activities introduced complexities in meeting exact conformance requirements.

    Active Participation in the Common Criteria in the Cloud Technical Community (CCitC) 

    Lightship Security experts have been active participants in the Common Criteria in the Cloud Technical Community (CCitC), which is playing a crucial role in developing guidance for cloud evaluations. The CCitC published the first Public Release of its Guidance for Cloud Evaluations on February 6th, 2024. The community has received supporting Position Statements from Canada, the USA and Australia for its work producing guidance for Protection Profile authors, schemes, labs and vendors on CC evaluations in the cloud. On February 5th, 2025, the document was updated (v1.1), incorporating feedback from the German Scheme, and work is underway on the next version to incorporate feedback from the Australian Scheme.

    Both NIAP and Microsoft have been active participants in this Technical Community and are expected to share "lessons learned" from the Microsoft Intune evaluation in the future. 

    Conclusions and What to Expect Next 

    The evolution of Common Criteria evaluations to include cloud services marks a significant milestone in the field of cybersecurity. As various countries and organizations continue to develop and refine their methodologies, the collaboration between international bodies and technical communities will be crucial in establishing comprehensive and adaptable security assessments.  

    Applus+ Laboratories has led evaluations of cloud services in recent years. Our Spanish labs have conducted more than 100 CCN/STIC evaluations of cloud services.

    The experience and insights gained from pilot projects such as the Microsoft Intune evaluation will pave the way for more robust and effective certification processes, helping to ensure that cloud services meet the highest standards of security and reliability.

    Many challenges remain to be solved, and Applus+ Laboratories is committed to supporting the industry in addressing them.
