Full Report
Enterprise-grade protection, independently verified
Analysis Summary
# Regulation/Compliance: Common Criteria (ISO/IEC 15408) Certification
## Overview
Common Criteria (CC) is an internationally recognized framework (ISO/IEC 15408) for certifying the security functionality and assurance of Information Technology products. It provides a standardized process for vendors to claim security functional requirements and for independent laboratories to verify those claims.
## Key Details
- **Issuing Authority:** International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC), governed by the Common Criteria Recognition Arrangement (CCRA).
- **Effective Date:** Certificate for Symantec DCS 6.10 awarded May 21, 2026.
- **Jurisdiction:** International (Recognized by 36 member nations via the CCRA).
- **Status:** Final / Certified (Valid through May 21, 2031).
## Requirements
### Mandatory Requirements
1. **Security Functional Requirements (SFRs):** Products must meet specific security behavior targets (e.g., identification, authentication, audit, and resource utilization).
2. **Security Assurance Requirements (SARs):** Evidence of security throughout the product lifecycle, including secure development, testing, and vulnerability management.
3. **Independent Evaluation:** Testing must be conducted by an accredited third-party laboratory.
4. **EAL2+ Specifics:** Requires evidence of design documentation, test results, and independent confirmation of developer testing.
### Recommended Practices
1. **Regular Patching:** Maintenance of the certified version to address emerging threats.
2. **Secure Configuration:** Deployment of the product according to the "Certified Configuration" guidance provided in the Security Target (ST) document.
## Affected Organizations
- **Industries:** Government, Defense, Finance, Healthcare, and Critical Infrastructure.
- **Organization Size:** Large enterprises and government agencies requiring high-assurance security validation.
- **Geographic Scope:** Global (Specifically the 36 member nations of the CCRA, including the U.S., Canada, UK, and EU nations).
## Compliance Timeline
- **February 9, 2026:** Symantec DLP 25.1 achieves EAL2+ Certification.
- **May 21, 2026:** Symantec DCS 6.10 officially receives Common Criteria Certification.
- **May 21, 2031:** Expiration of the current certification cycle for DCS 6.10.
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Determine if current data center security controls meet the Security Target (ST) defined in the CC certification.
- **Inventory:** Identify all workloads, hypervisors, and virtual environments requiring CC-certified protection.
### Implementation Phase
- **Software Update:** Ensure Symantec DCS is updated to version 6.10.
- **Hardening:** Apply server-level hardening and infrastructure protection policies as validated during the EAL2+ evaluation.
### Validation Phase
- **Audit Logging:** Enable and review security logs to ensure the product is operating within the certified functional parameters.
- **Certification Verification:** Confirm product status via the Common Criteria Portal.
## Technical Requirements
- **Core Workload Protection:** Hardening of hypervisors and virtual environments.
- **Secure Development Lifecycle (SDL):** Verification of code integrity and vulnerability management during the product's creation.
- **Evaluation Assurance Level (EAL) 2+:** Specifically validates that the product is structurally tested and includes "flaw remediation" (the '+' in EAL2+).
## Penalties & Enforcement
- **Fines:** Common Criteria is generally a procurement requirement rather than a law; however, failure to use certified products in regulated industries (per NIAP or SOG-IS requirements) can lead to contract termination.
- **Other Consequences:** Loss of eligibility for government contracts; increased risk of audit failure; potential exposure to zero-day threats due to unverified development practices.
- **Enforcement:** Enforced by government procurement offices and regulatory bodies that mandate CC-certified equipment for critical infrastructure.
## Related Standards
- **ISO/IEC 15408:** The foundational international standard for Common Criteria.
- **NIST SP 800-53:** Common Criteria certifications often satisfy specific technical control requirements within the NIST framework.
- **FIPS 140-2/3:** Often required in conjunction with CC for cryptographic modules.
## Resources
- **Official Documentation:** [https]://www.commoncriteriaportal.org/
- **Vendor Release Notes:** [https]://techdocs.broadcom.com/
- **Certified Product List:** [https]://www.commoncriteriaportal.org/products/
## Practical Recommendations
- **Verify Certificates:** Always cross-reference vendor claims with the official Common Criteria Portal list to ensure the specific version (6.10) is covered.
- **Standardize Procurement:** Update internal procurement policies to require EAL2 or higher for all core infrastructure security components.
- **Monitor Experiation:** Note the 2031 expiration date to begin transition or re-validation planning 12 months in advance.