Case type: 6
Registration number: 18FMV5993-20:1
SECRET/ under the Public Access to Information and Secrecy Act (2009:400)
2018-12-18
Country of origin: Sweden
Försvarets materielverk

Swedish Certification Body for IT Security

Certification Report - Secure Messages Protection Profile

Issue: 1.0, 2018-dec-18
Authorisation: Helén Svensson, Lead certifier, CSEC

Swedish Certification Body for IT Security Certification Report - Secure Messages Protection Profile 18FMV5993-20:1 1.0 2018-12-18

Table of Contents

1 Executive Summary
2 Identification
3 Results of the Evaluation
4 Evaluator Comments and Recommendations
5 Glossary
6 Bibliography
Appendix A QMS Consistency

1 Executive Summary

The TOE described in this PP is software only and consists of a secure messaging server. A user within an organization uses the TOE to send a sensitive message to an external user. The TOE stores this message in a local database and sends the recipient a notification of the incoming message via e.g. SMS. The recipient can then, after successful identification and authentication, read and reply to the message securely by using a web browser.

The File Encryption Protection Profile requires demonstrable conformance, and does not claim conformance to any other PP.

The product assurance package is EAL3 + ALC_FLR.2.

The evaluation has been performed by atsec information security AB in their premises in Danderyd, Sweden and was completed on 2018-11-28.

The evaluation was conducted in accordance with the requirements of Common Criteria, version 3.1, release 5, and the Common Methodology for IT Security Evaluation, version 3.1, release 5. The evaluation was performed according to the requirements in assurance class APE.

atsec information security AB is a licensed evaluation facility for Common Criteria under the Swedish Common Criteria Evaluation and Certification Scheme. atsec information security AB is also accredited by the Swedish accreditation body SWEDAC according to ISO/IEC 17025 for Common Criteria evaluation.

The certifier monitored the activities of the evaluator by reviewing all successive versions of the evaluation reports. The certifier determined that the evaluation results confirm the security claims in the Protection Target [PP], and have been reached in agreement with the requirements of the Common Criteria and the Common Methodology.

The certificate applies only to the specific version and release of the protection profile listed in this certification report.

The certificate is not an endorsement of the protection profile by CSEC or by any other organisation that recognises or gives effect to this certificate, and no warranty of the protection profile by CSEC or by any other organisation that recognises or gives effect to this certificate, is either expressed or implied.

2 Identification

Certification Identification

Certification ID                               CSEC2018004
Name and version of the certified IT product   Secure Messages Protection Profile
Compliance requirement                         Demonstrable conformance
EAL                                            EAL3 + ALC_FLR.2
Sponsor                                        Myndigheten för samhällsskydd och beredskap, MSB
Developer                                      Myndigheten för samhällsskydd och beredskap, MSB
ITSEF                                          atsec information security AB
Common Criteria version                        3.1 release 5
CEM version                                    3.1 release 5
QMS version                                    1.21.5
Recognition Scope                              CCRA, SOGIS, EA/MLA
Certification date                             2018-12-18

3 Results of the Evaluation

The evaluators applied each work unit of the Common Methodology [CEM] within the scope of the evaluation, and concluded that the evaluated PP [PP] meets the requirements in assurance class APE.

The certifier reviewed the work of the evaluator and determined that the evaluation was conducted in accordance with the Common Criteria [CC].

The evaluators' overall verdict is PASS.

The verdicts for the respective assurance class and its components are summarised in the following table:

Assurance Class Name / Component    Short name    Verdict
Protection Profile Evaluation       APE           PASS
PP Introduction                     APE_INT.1     PASS
Conformance Claims                  APE_CCL.1     PASS
Security Problem Definition         APE_SPD.1     PASS
Security Objectives                 APE_OBJ.2     PASS
Extended Components Definition      APE_ECD.1     PASS
Security Requirements               APE_REQ.2     PASS

4 Evaluator Comments and Recommendations

None.

5 Glossary

CEM     Common Methodology for Information Technology Security, document describing the methodology used in Common Criteria evaluations
ITSEF   IT Security Evaluation Facility, test laboratory licensed to operate within an evaluation and certification scheme
ST      Security Target, document containing security requirements and specifications, used as the basis of a TOE evaluation
TOE     Target of Evaluation
TSF     TOE Security Functions
TSFI    TSF Interface

6 Bibliography

PP        Secure Messages Protection Profile, MSB, 2018-11-26, document version 1.1
CCpart1   Common Criteria for Information Technology Security Evaluation, Part 1, version 3.1 revision 5, CCMB-2017-04-001
CCpart2   Common Criteria for Information Technology Security Evaluation, Part 2, version 3.1 revision 5, CCMB-2017-04-002
CCpart3   Common Criteria for Information Technology Security Evaluation, Part 3, version 3.1 revision 5, CCMB-2017-04-003
CC        CCpart1 + CCpart2 + CCpart3
CEM       Common Methodology for Information Technology Security Evaluation, version 3.1 revision 5, CCMB-2017-04-004
SP-002    SP-002 Evaluation and Certification, CSEC, 2018-04-24, document version 29.0
SP-188    SP-188 Scheme Crypto Policy, CSEC, 2017-04-04, document version 7.0

Appendix A QMS Consistency

During the certification the following versions of the Swedish Common Criteria Evaluation and Certification scheme have been used.

1.21.5 Valid from 2018-11-19
1.21.4 Valid from 2018-09-13

In order to ensure consistency in the outcome of the certification, the certifier has examined the changes introduced in each update of the quality management system.

The changes between consecutive versions are outlined in “Ändringslista CSEC QMS 1.21.5”. The certifier concluded that, from QMS 1.21.4 to the current QMS 1.21.5, there are no changes with impact on the result of the certification.