This document summarizes Common Criteria certification statistics from various sources including the CCScraper tool. It provides statistics for 2021 based on data collected up to September 30th, highlighting the top certification schemes, assurance levels, laboratories, product categories and manufacturers. It also analyzes trends over the past 5 years and discusses the impact of the COVID-19 pandemic on certification numbers.
ICCC21 2021 statistics report
3. ❑ CC data collection with CCScraper
❑ CC statistics for 2021
❑ CC Statistics for 5 years
❑ Some historical CC statistics
❑ Conclusions
Contents
4. ❑ José Manuel Pulido:
❑ Lead Cybersecurity Consultant and Senior Cybersecurity Evaluator at jtsec
❑ Common Criteria expert
❑ CCToolbox developer
❑ More than 10 years of experience in cybersecurity technologies
❑ Speaker at several conferences including ICCC20
About me
❑ Cybersecurity evaluation & consultancy services
❑ Common Criteria and LINCE accredited lab.
❑ Developers of the most powerful tool for Common Criteria, CCToolbox.
❑ Involved in standardization activities (ISO, CEN/CENELEC, ISCI WGs, ENISA CSA WGs, CCUF, CMUF, ERNCIP, …)
❑ Members of the SCCG (Stakeholder Cybersecurity Certification Group)
About us
6. ❑ Web scraper written in Python. Created in 2018 by jtsec.
❑ CCScraper collects data about certified products from commoncriteriaportal.org and from the websites of the Certification Bodies.
❑ Tons of interesting data collected: date of certification, EAL, PP, product category, certification lab, etc., and even the SFRs used or technical terms in the ST!
❑ Data is interpreted, organized and merged into a list of unique certified products. We generate the statistics from that data.
What is CCScraper
7. ❑ CCScraper v1.0 was first presented here at the ICCC in 2018.
❑ Only data from commoncriteriaportal.org was collected.
❑ CCScraper v2.0 was presented in ICCC 2019.
❑ Main feature: add information from CB websites and merge into unique products
❑ CCScraper v2.1 was presented in ICCC 2020, with mainly efficiency improvements and email alerts.
❑ This year we present CCScraper v2.2 with some upgrades for ICCC 2021.
❑ Find changes in CB sites in a quicker and more reliable way.
❑ Improved logic to avoid false duplicates.
❑ Some bugs fixed ☺
CCScraper history
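A sketch of the merge step described in the two slides above: portal records and Certification Body site records reduced to unique products, without collapsing distinct versions into false duplicates. This is an added example, not CCScraper's code; the record fields, the normalisation rule, the merge key and the sample rows are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    source: str     # "portal" = commoncriteriaportal.org, "cb" = Certification Body site
    scheme: str     # country scheme code, e.g. "ES"
    name: str       # product name as published
    cert_date: str  # ISO 8601 certification date
    eal: str = ""   # assurance level, when the source gives it
    lab: str = ""   # evaluation laboratory, when the source gives it

def normalise(name):
    """Lower-case, strip trademark signs and punctuation, keep version numbers."""
    name = re.sub(r"[®™©]", "", name.lower())
    return re.sub(r"[^a-z0-9.]+", " ", name).strip()

def merge(records):
    """Return unique products keyed on (scheme, normalised name, cert date)."""
    products = {}
    for r in records:
        key = (r.scheme, normalise(r.name), r.cert_date)
        p = products.setdefault(key, {"name": r.name, "scheme": r.scheme,
                                      "eal": "", "lab": "", "sources": set()})
        p["sources"].add(r.source)
        p["eal"] = p["eal"] or r.eal   # fill gaps from whichever source has the field
        p["lab"] = p["lab"] or r.lab
    return products

def cb_only_share(products):
    """Fraction of unique products found only on Certification Body sites."""
    cb_only = [p for p in products.values() if p["sources"] == {"cb"}]
    return len(cb_only) / len(products)

# Constructed sample records (hypothetical products and lab)
SAMPLE = [
    Record("portal", "ES", "ExampleHSM® v2.1", "2021-03-10", eal="EAL4+"),
    Record("cb", "ES", "ExampleHSM v2.1", "2021-03-10", lab="Example Lab"),
    Record("cb", "ES", "ExampleHSM v2.2", "2021-06-01", eal="EAL4+"),
    Record("cb", "IT", "Example Gateway 1.0", "2021-02-02", eal="EAL2"),
    Record("portal", "US", "Example Router OS 10.1", "2021-05-20"),
]

if __name__ == "__main__":
    unique = merge(SAMPLE)
    for key, p in unique.items():
        print(key, sorted(p["sources"]), p["eal"], p["lab"])
    print(f"CB-only share: {cb_only_share(unique):.0%}")
```

Because the version number and certification date are part of the key, the v2.1 and v2.2 entries stay separate while the two v2.1 records from different sources merge into one product.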
8. ❑ Modification of the name of some labs.
❑ We could include SERTIT (the Norwegian Certification Scheme) after almost two years of website maintenance.
❑ We have had to change the way we constructed the OCSI (Italy) URLs (so we had no access)
Latest challenges for CCScraper
9. ❑ With the statistics generated, we publish CC statistics reports on the jtsec website, at least once per year.
CCScraper reports
❑ https://www.jtsec.es/blog-entry/44/common-criteria-statistics-report-for-2019
❑ https://www.jtsec.es/blog-entry/85/common-criteria-statistics-report-for-2020
12. ❑ Top certifier schemes in 2021
Statistics – 2021 (9 months)
[Bar chart, certifications per scheme: US 73, NL 41, DE 41, FR 28, JP 23, CA 18, SE 17, ES 10, MY 8, IT 7, TR 6, AU 5, KR 4, IN 2]
13. Statistics – 2021 (9 months)
❑ The top 3 schemes add up to 55% of the certifications!
[Pie chart, share of certifications per scheme: US 26%, NL 15%, DE 14%, FR 10%, JP 8%, CA 6%, SE 6%, ES 4%, MY 3%, IT 2%, TR 2%, AU 2%, KR 1%, IN 1%]
17. Statistics – 2021 (9 months)
❑ Protection Profile certifications
[Bar chart: Security IC Platform Protection Profile 13,67%; Protection Profile for Hardcopy Devices 11,67%; Protection Profile for Network Devices 17,00%; Machine Readable Travel Document 6,33%]
[Pie chart, Certifications with Protection Profiles in 2021: Certifications with PP 74%; Certifications without PP 26%]
18. Statistics – 2021 (9 months)
❑ PP and cPP compliant certifications in 2021
[Pie chart, Certifications using CPPs in 2021: Network Devices 73%; Stateful Traffic Filter Firewalls 16%; Full Drive Encryption 3%; Network Devices + Stateful Traffic Filter Firewalls 8%]
[Pie chart, Collaborative PPs vs Non-Collaborative PPs: Collaborative PPs 27%; Non-Collaborative PPs 73%]
19. ❑ Top 5 manufacturers of certified products (2021)
Statistics – 2021 (9 months)
[Chart: manufacturer names are not present in the transcript; surviving labels, in order: =, +4, +4, -1, -4]
20. ❑ Top product categories (2021) and their evolution
Statistics – 2021 (9 months)
[Pie chart: ICs, Smart Cards and Smart Card-Related Devices and Systems 29%; Other Devices and Systems 24%; Network and Network-Related Devices and Systems 13%; Multi-Function Devices 10%; Data Protection 4%; Boundary Protection Devices and Systems 4%; Operating Systems 4%; Others 12%]
21. ❑ Manufacturers and categories that obtained EAL6 & EAL7
Statistics – Higher EAL manufacturers
[Bar chart, manufacturers: Arbit Cyber Defence Systems ApS 1; Infineon Technologies AG 6; NXP Semiconductors Germany GmbH 8; Samsung Electronics Co., Ltd. 8]
Only one with EAL 7
[Bar chart, categories: Boundary Protection Devices and Systems 1; Java Card Protection Profile Open Configuration 2; ICs, Smart Cards and Smart Card-Related Devices and Systems 20]
22. ❑ Products uploaded to CC Portal vs products only in CB websites
Statistics – 2021 (9 months)
[Pie chart: 93% / 7%]
24. ❑ Number of certifications in the last 5 years
❑ Will 2021 be the worst year of the last five?
Statistics – 5 years trend
25. ❑ Compliance with EAL or PP of certified products (5 year)
Statistics – 5 years trend
[Pie chart: EAL1 1,62%; EAL2 17,75%; EAL3 4,85%; EAL4 16,35%; EAL5 18,30%; EAL6 5,64%; EAL7 0,17%; PP 35,32%]
26. ❑ Certifications per country scheme in the last 5 years
Statistics – 5 year trend
[Pie chart: FR 19%, US 23%, DE 13%, CA 6%, JP 8%, ES 4%, NL 7%, SE 5%, NO 2%, KR 2%, MY 3%, TR 2%, IT 2%, AU 1%]
27. ❑ Evolution of top 6 laboratories
Statistics – 5 year trend
[Bar chart, certifications per laboratory for 2017, 2018, 2019, 2020 and 2021: CEA - LETI (FR), TÜV (DE/JP), SERMA (FR), GOSSAMER (US), Acumen (US), BRIGHTSIGHT (*); values are not present in the transcript]
28. ❑ Evolution of top product categories (five years)
Statistics – 5 year trend
[Chart over 2017, 2018, 2019, 2020, 2021. Legend: ICs, Smart Cards and Smart Card-Related Devices and Systems; Mobility; Multi-Function Devices; Network and Network-Related Devices and Systems. Data labels as extracted: 129, 119, 91, 147, 73; 19, 4, 11, 8, 10; 53, 38, 47, 44, 42; 59, 52, 55, 76, 60]
30. ❑ Number of certifications per country, historical (archived included)
Statistics – Historical Trends
[Bar chart: IN 16, IT 66, TR 67, NO 98, MY 99, AU 104, UK 117, SE 122, KR 132, ES 149, NL 239, CA 439, JP 544, DE 857, FR 898, US 1340]
33. Global numbers at the end of the pandemic era
❑ Overall, 2021 shows a small number of certifications, below the previous five years.
❑ The top certifying schemes show numbers very similar to the ones in 2020 by this date; some schemes are a bit up and some a bit down.
❑ Most of the top certification laboratories don’t show big variations in their numbers with respect to 2021.
❑ Exception: SERMA (3) as lab and ST Microelectronics as vendor (1) in 2021.
34. Global numbers at the end of the pandemic era
❑ Global numbers are very similar to 2020 by 30th September: 286 vs 284.
❑ At last year’s ICCC we were very pessimistic, but numbers went up sharply during Q4, and the year ended with more than 390 certifications.
❑ We expected a bigger impact on certifications started in 2020 and due to end in 2021.
❑ Here we are, and the numbers lead to pessimism again… will we be wrong again?
35. jtsec Beyond IT Security
Granada & Madrid – Spain
hello@jtsec.es
@jtsecES
www.jtsec.es
Contact
“Any fool can make something complicated. It takes a
genius to make it simple.”
Woody Guthrie