In the sequence of pictures, the interaction of all participants and the steps of the process are displayed and briefly explained. A detailed process flow can be found in the schematic documents.
Participants
Four entities are involved in the NESAS CCS-GI certification process: the equipment vendor who wants to sell its product to a mobile network operator, the audit team, the test laboratory recognized for the certification process, and the certification body.
Product and processes
During the certification process, not only the product itself is evaluated but also the development and life cycle processes at the vendor, according to which the product was developed and will be maintained in the future. There are four phases for the process: a preparation phase, an auditing phase, an evaluation phase and a certification phase.
Certification application
Preparation phase: If an equipment vendor wishes to undergo a product certification, it needs a testing laboratory to carry out the product evaluation. Subsequently, the manufacturer may submit an application for a German IT security certificate for an IT product according to NESAS CCS-GI (LINK), in which the selected testing laboratory must already be designated. The certification body checks the application and then starts the certification procedure.
Selection of the audit team
Audit phase: The audit phase begins with the selection of the audit team by the certification body, which notifies the equipment vendor. The audit team then contacts the equipment vendor and coordinates the further steps.
Audit
Audit phase: The audit team then conducts the audit of the product development and life cycle processes. The audit is initially based on documentation provided by the equipment vendor and is then continued through a multi-day on-site audit at a representative location of the equipment vendor.
Audit report
Audit phase: As a result of the audit, the audit team prepares an audit report in which all findings are recorded. In addition, the audit report tells the equipment vendor how it can prove to third parties that it complies with the audited processes for a specific product; the required evidence is determined by the audit team during the audit. The certification body accompanies the audit process and accepts the audit report at the end of the phase.
Preparation of evidence
Using the audit report, the manufacturer can then produce, for a specific product to be certified, all the evidence the audit report requires to demonstrate to third parties that it has complied with its processes, and thereby proceed to the evaluation phase.
Preparation for product evaluation
Evaluation phase: At the beginning of the phase, the equipment vendor provides the test laboratory with the product to be evaluated, the audit report and the generated evidence that it has adhered to its audited processes for the product provided.
Product evaluation
Evaluation phase: The test laboratory then carries out the product evaluation and verifies that the evidence provided for the audit meets the requirements specified by the auditor in the audit report. The test laboratory draws up an evaluation report with all the results, which is verified and accepted by the certification body. During the evaluation, the certification body is available for questions of clarification and to ensure a consistent interpretation of the test instructions.
Certification report
Certification phase: After completion of the evaluation, the certification body makes a certification decision on the basis of the audit report and the evaluation report. A certification report is prepared, which summarizes and supplements the results of the audit and the evaluation. It also contains information and conditions imposed by the certification body.
Issuing of certificate
Certification phase: In addition, a certificate is issued to the equipment vendor.
Product commercialisation
This enables the equipment vendor to provide its customers with a product that has been granted an IT security certificate in accordance with NESAS CCS-GI.
As shown in the sequence of pictures, the procedure comprises two testing activities. First, the software development and life cycle processes are audited; then the concrete product is evaluated. The product evaluation is based on the Security Assurance Specifications (SCAS) for standardised functions specified by the 3rd Generation Partnership Project (3GPP). A single audit can be reused for several product evaluations, provided the products were developed according to the same processes. This saves costs and time for all parties involved.
As a result of the audit activities, the certification body has reliable security statements about the product and also about the processes under which this product is developed and maintained. This allows the certification body, for the first time, to extend the validity of certificates beyond the actually evaluated product version, provided the equipment vendor only makes "minor updates" to improve or restore the security performance of its product. This is possible for the entire duration of the certificate, which is two years, without the need for explicit recertification by the BSI. The equipment vendor must report these minor updates in advance to the test laboratory, together with an impact analysis. The testing laboratory then prepares a recommendation for the certification body, which finally decides whether the update is indeed minor.
Contact
Federal Office for Information Security
Division S 26 - BSZ, NESAS Certification
Postbox 20 03 63
53133 Bonn, Germany