CAB and Lab Independence in Common Criteria: When the Separation Matters Most
The significance of independence in certification ecosystems
Assurance mechanisms such as Common Criteria (CC) and, in the EU, the EUCC scheme have become standard inputs to procurement and deployment decisions for integrators, certification bodies, evaluators, regulators, and procurement professionals. Two entities sit at the centre of these ecosystems: the evaluation laboratory (ITSEF, the IT Security Evaluation Facility) and the certification body (CB). Under the EU Cybersecurity Act and EUCC, both are conformity assessment bodies (CABs): the ITSEF is accredited to ISO/IEC 17025 and the CB to ISO/IEC 17065. This article uses "CAB" and "CB" for the certifier and "lab" or "ITSEF" for the evaluator, and examines why the separation between the two matters for governance, assurance confidence, market trust, and risk management.
Section 1: Why independence between lab and certification body matters
The CC scheme defines distinct roles for the ITSEF and the CB:
- ITSEF: Conducts the technical evaluation, applying the CC/CEM work units to determine whether the Target of Evaluation meets the security requirements stated in the Security Target (ST) and any claimed Protection Profile (PP), and documents the findings in an Evaluation Technical Report (ETR).
- CB: Oversees the evaluation, reviews the ETR for correctness and completeness, can return or reject evaluation work, and issues the certificate and certification report. In most CCRA national schemes the CB is a government body that licenses or approves the ITSEFs working under it; EUCC also allows accredited private CBs, which is where combined lab/CB structures can arise.
Independence between lab and CB matters for several reasons:
- Trust: A review function that is organisationally separate from the evaluator increases trust in the result. When a single entity performs both functions, the certificate rests on that entity's self-review.
- Impartiality: Part of the CB's role is to check that the ITSEF's findings are not shaped by commercial pressure from the sponsor, for example pressure to close findings or narrow the evaluated configuration. A CB that shares ownership or revenue with the lab has the same incentive the lab has.
- Challenge mechanisms: A separate certifier gives the scheme something to escalate to: the CB can return an evaluation, and the scheme's oversight and appeals processes have an independent record to examine. Accreditation to ISO/IEC 17065 includes impartiality requirements, but accreditation audits a management system, not the outcome of every evaluation.
Commercial pressure and governance concentration therefore affect confidence in a certification ecosystem: when one organisation controls both the lab and the CB, conflicts of interest are structurally possible, and the evaluation process loses the independent review that the two-role model is built on.
Perception of independence also matters in conformity assessment ecosystems. Not every assurance level requires the same degree of separation. EUCC ties its two levels to the vulnerability-analysis component of CC: 'substantial' covers AVA_VAN.1 and AVA_VAN.2 (in practice EAL1 to EAL3), and 'high' covers AVA_VAN.3 to AVA_VAN.5 (EAL4 to EAL7, including augmented EAL4 packages). At 'high', EUCC additionally requires both the CB and the ITSEF to be authorised by the national cybersecurity certification authority, on top of accreditation. The two groupings have different characteristics:

| | EUCC Substantial (EAL1-EAL3) | EUCC High (EAL4-EAL7) |
|---|---|---|
| Evaluation depth | Shallow | Deep |
| Evaluator judgment involved | Moderate | High |
| Governance and independence concerns | Low to moderate | Moderate to high |
| Risk tolerance for a combined lab/CB structure | High | Low to moderate |

The more evaluator judgment a level involves (source code review, design analysis, penetration testing against higher attack potential), the more the result depends on who reviewed that judgment, and the more a combined structure should weigh in a reliance decision.
For integrators and procurement organizations, performing an ISO 31000-style risk assessment is essential when relying on certifications with combined lab/CB structures.
Section 2: Performing a risk assessment
To perform such a risk assessment, follow the ISO 31000 process:
- Context establishment: Record what the certificate is being relied on for, including the deployment criticality, the threat environment, and the assurance level and scheme the certificate was issued under.
- Risk identification: Identify the risks that a combined lab/CB structure introduces for this certificate, for example undetected evaluator error, findings closed under sponsor pressure, or an evaluated configuration narrower than the deployment.
- Risk analysis: Estimate the likelihood and impact of each identified risk, taking into account the assurance level (how much judgment the evaluation involved) and the criticality of the deployment.
- Risk evaluation: Compare the analysed risk against the organisation's risk criteria to decide whether it is acceptable as is, acceptable with mitigations, or not acceptable.
- Risk treatment: Implement the chosen mitigations and document the residual risk.
- Monitoring and review: Revisit the decision when the certificate is re-issued or expires, when the scheme's rules change, or when the ownership relationship between the lab and the CB changes.
Governance structure is one contextual risk factor among many. A combined lab/CB structure is not automatically invalid or non-compliant; a CAB accredited and, at 'high', authorised under the scheme's rules is operating legitimately. The question for the relying party is whether that structure is acceptable for this deployment, given its criticality and threat environment.
Mitigations
- Independent penetration testing of the product in the deployed configuration
- Supplier governance review, including the ownership and funding relationship between the lab and the CB
- Additional technical review of the public evaluation evidence: the Security Target, the certification report, and whether the evaluated configuration matches the intended deployment
- Compensating architectural controls around the product (network segmentation, monitoring, limiting the trust placed in the certified function)
- Procurement documentation of the residual risk and of who accepted it
A practical risk matrix can be used to derive a suggested governance concern level from the assurance level and the operational criticality of the deployment. Concern rises along both axes, because a higher assurance level means more evaluator judgment went unreviewed by an independent party, and a higher criticality means more depends on that judgment:

| Assurance level | Operational criticality | Governance concerns |
|---|---|---|
| EUCC Substantial (EAL1-EAL3) | Moderate | Low |
| EUCC Substantial (EAL1-EAL3) | High | Moderate |
| EUCC High (EAL4-EAL7) | Moderate | Moderate |
| EUCC High (EAL4-EAL7) | High | High |
In conclusion, certification assurance is partly technical and partly institutional: the evaluation produces the evidence, and the governance structure around it determines how much independent review that evidence received. As EUCC adoption matures and more private CABs enter the market, governance models will matter more. Higher assurance environments may justify stronger scrutiny and compensating controls; ISO 31000-style proportional risk management gives integrators, procurement organisations, and regulators a rational framework for deciding how much to rely on a given certificate.
How NenkinTracker helps you see the structure
NenkinTracker records the issuing scheme and, where published, the evaluation lab for every Common Criteria certificate we ingest. That makes it straightforward to filter or compare certificates by the combination of CAB and lab - useful when you want to understand the structural backing behind a certificate, not just its EAL number. The certification database and per-scheme pages such as the EUCC scheme overview and BSI scheme page are the places to start.
See also
- Common Criteria Certification Process Explained - the four-stage handoff between vendor, lab, and certifier.
- Guide to EAL Levels: What EAL2, EAL4, and EAL5+ Actually Mean - background on what each EAL implies for evaluator effort.
- Which EAL Do I Need? A Procurement Decision Guide - choosing an assurance level from the threat side.
- The CC Evaluation Lab Landscape - which labs do the work, and how they cluster across schemes.
- EUCC vs CCRA - how the two frameworks relate, including the substantial / high split.
- EUCC scheme entry - the EU-side governance structure in more detail.
- Certification Schemes Overview - the national CABs operating under CCRA.