Understanding NVLAP Common Criteria Testing

Hand in server room holding laptop

Government agencies (and their vendors and partners) are increasingly entrusted with sensitive data. Accordingly, protecting critical infrastructure and cybersecurity are both top priorities. The tools they use must come from time-tested and verified protocols to ensure they are secure and not tampered with. In turn, this means that these tools must come from labs that follow the strictest of requirements. 

NVLAP Common Criteria certification serves as a valuable tool for governments to evaluate the security capabilities of IT products and systems before procurement.

 

What is the NVLAP Common Criteria Accreditation Process?

The accreditation process outlined in the 2014 edition of NIST Handbook 150-20 for laboratories is structured to ensure thorough evaluation and consistent quality standards. The goal is for these labs to reach a standardized approach to maintaining critical quality and security standards, an approach that they can document and prove to assessment organizations.

The general breakdown of this process, per Handbook 150-20, includes the following steps:

  • Application Submission: Laboratories seeking accreditation must submit a formal application to NVLAP. The application must include detailed information about the laboratory, including its facilities, personnel, equipment, and the specific tests it plans to perform. The lab must already have a fully implemented management system. 
  • Document Review: Once the application is received, NVLAP reviews the laboratory’s documentation to ensure compliance with the required standards and criteria. This includes the laboratory’s quality management system, testing protocols, and procedures.
  • On-Site Assessment: If the documentation review is satisfactory, NVLAP schedules an on-site assessment. During this visit, assessors evaluate the laboratory’s operations firsthand. They observe tests being performed, check calibration and maintenance records for equipment, and assess the competency of the staff.
  • Proficiency Testing: Laboratories must also participate in proficiency testing as part of the accreditation process. This involves performing tests on provided samples and comparing the results with those from accredited laboratories. This helps to ensure that the lab’s testing results are reliable and consistent with industry standards.
  • Assessment Report and Corrective Actions: NVLAP provides the laboratory with an assessment report detailing any non-conformities or areas needing improvement after the on-site assessment. The laboratory must address these issues and submit evidence of corrective actions.
  • Accreditation Decision: Once all non-conformities are resolved and the laboratory meets all the accreditation criteria, NVLAP issues an accreditation certificate. This certification is typically valid for a specific period, after which the lab must undergo re-assessment.
  • Surveillance and Re-assessment: To maintain accreditation, laboratories undergo periodic surveillance assessments. These are less comprehensive than the initial assessment but ensure ongoing compliance. Full re-assessments are conducted periodically (typically every two years) to renew accreditation.

Alongside this process, a lab may lose accreditation. If key personnel or facilities leave the lab or don’t demonstrate continued competence, the NIAP evaluators may decide to suspect or revoke accreditation.

 

What Are the Management Requirements for Accreditation? 

Handbook 150-20 outlines specific management requirements for laboratories to achieve and maintain accreditation under the NVLAP Common Criteria framework. 

These requirements ensure accredited laboratories operate under a defined quality management system supporting consistent and reliable testing outcomes. 

The managerial requirements for labs include:

  • Quality Management System (QMS): Laboratories must establish, document, and maintain a quality management system appropriate to the scope of their activities. The QMS should cover all aspects of laboratory operations, from test planning and execution to employee training and customer service.
  • Document Control: The handbook emphasizes the importance of proper document control systems. This includes procedures for the approval, review, and updating of documents. It also covers the control of external documents, such as standards and customer specifications, that impact laboratory operations.
  • Review of Contracts: Laboratories must establish procedures for reviewing contracts to ensure that they meet the specified requirements. This includes assessing whether the lab has the capability and resources to perform the service requested.
  • Subcontracting of Tests: If tests are subcontracted to other labs, the accredited laboratory is responsible for ensuring that the subcontractor meets the same standards of quality and competence. The subcontractor’s accreditation status should also be considered.
  • Purchasing Services and Supplies: The management of buying services and supplies must ensure that only suitable supplies and services that do not affect the quality of tests are used. This includes evaluating and selecting suppliers.
  • Service to the Client: The laboratory must have procedures to ensure good service. This includes handling queries and complaints and safeguarding the confidentiality of client information.
  • Control of Nonconforming Testing Work: There must be a process for identifying tests that deviate from typical results or procedures, taking corrective actions, and handling the effects of problematic testing.
  • Improvement: The QMS should include ongoing procedures for monitoring and improving the effectiveness of laboratory operations. This involves regular audits, data analysis, corrective and preventive actions, and management reviews.
  • Management Reviews: Periodic management reviews by senior laboratory personnel are required to ensure the continuing suitability, adequacy, and effectiveness of the QMS and to identify opportunities for improvement.
  • Personnel Competence: Ensuring the competence of personnel through education, training, skills development, and ongoing competence evaluations is also a crucial requirement.

The details of these requirements are more involved than we can reasonably cover here, so review the handbook to determine specifics for your organization.

What Are the Technical Requirements for Accreditation?

The technical requirements for accreditation are designed to ensure that laboratories can perform high-quality, secure, and reliable IT security evaluations. These differ from the managerial requirements in that they focus on implementing systems used to perform and validate tests, report on results, and support ongoing validation and audits.

These requirements include:

  • Technical Competence: Laboratories must demonstrate technical competence in conducting security testing. This includes having the appropriate and calibrated equipment, validated methodologies, and technically competent personnel.
  • Test Calibration and Method Validation: The laboratories are required to use validated methods appropriate for the tests they undertake based on guidance from ISO/IEC 17025. This also includes method validation, ensuring the methods are suitable for their intended use.
  • Handling of Test Items: Procedures must be in place for handling, transportation, storage, and preparation of test items to ensure that no deterioration, contamination, or loss of integrity affects the test results.
  • Quality Assurance of Test Results: Laboratories must have quality assurance procedures to monitor test validity. This often involves using standard reference or quality control materials and participating in interlaboratory comparison or proficiency testing programs.
  • Reporting of Results: The requirements include detailed guidelines on reporting test results, ensuring that reports are accurate, clear, and unambiguous, and all necessary data and information to understand the test results, such as describing the method and any deviations from standard procedures.
  • Measurement Traceability: Laboratories must ensure that measurements are traceable to national or international standards. This involves the calibration of measurement equipment and instruments and the use of traceable standards.
  • Management of Information Technology Security: Given the focus on IT security testing, there are specific requirements regarding the management of information technology used in laboratory processes. This includes ensuring data integrity, protecting sensitive or confidential information, and maintaining secure IT systems.

 

Trust Lazarus Alliance for NVLAP Common Criteria Assessment Preparation

If you’re looking to start or maintain your lab certification, contact Lazarus Alliance.

Lazarus Alliance

Website: