Common Criteria certification is not something that most organizations look for when buying mobility solutions for their front-line workers, but maybe they should if they want to ensure those devices have been rigorously tested and proven to be secure enough for nations’ top defense agencies. That was one of the key takeaways from a conversation we had with Scott Eggers, who recently led the year-long certification process for over two dozen Zebra Android™ 10 mobile devices, and Joe Licari, who leads the Zebra enterprise mobile computing team supporting government and healthcare customers. Read on to find out why this certification should warrant closer attention by all public and private sector organizations shopping for mobile devices.
Your Edge Blog Team: What is Common Criteria?
Scott: In the simplest terms, Common Criteria is an international security framework used to evaluate the security properties of IT products, including mobile devices and other computing hardware like those designed and manufactured by Zebra. It’s standardized as ISO 15408. The certification process is an intense evaluation that validates the security robustness of the software and hardware as it relates to permissions, access control, data destruction, and entropy. It also ensures that other security areas are addressed, such as National Institute of Standards and Technology (NIST) validated FIPS 140-2 encryption.
Your Edge Blog Team: Is this certification something that all enterprise-level organizations require?
Joe: In the U.S., it’s primarily a requirement set forth by federal government agencies, including the Department of Defense (DoD) and the Department of Veterans Affairs (VA). It’s also used by other global defense agencies, especially those within NATO countries.
Your Edge Blog Team: Why did Zebra feel it was important to secure this certification for its mobile computing solutions? Was it a request made by government agencies interested in deploying Zebra mobility solutions within their secure environments?
Joe: The public sector is one of Zebra’s fastest growing markets, so this has been a focus for our team. Increasingly, Common Criteria certification is a requirement for IT products purchased by the U.S. government for national security systems. Many government agencies, especially the Department of Defense (DoD), are now including this requirement in their RFPs. Even if it’s not specifically mandated, we know through conversations with our sales leaders and government agencies, particularly acquisition officers, that the procurement process goes a lot smoother when the Common Criteria certification can be presented.
Your Edge Blog Team: In other words, the certification gives customers greater security assurance and makes it easier for agencies to procure mobile devices?
Joe: Exactly. It empowers them to buy the Zebra devices they need. They no longer have to compromise on computing capabilities just to be compliant with one set of security requirements. It also provides assurance to organizations that the solution is certified to meet very specific security criteria and that the process of specification, implementation, and evaluation for that certified solution was conducted in a thorough and standard manner.
Scott: Joe’s absolutely right. The testing is rigorous and verified by an independently licensed lab. The results are posted to the National Information Assurance Partnership (NIAP) site here. And it’s important to note that, even though defense agencies may be the ones defining the Common Criteria Certification standards and driving the greatest demand for solution evaluation, they aren’t the only ones that benefit from the improvements being made to Zebra’s solutions as a result.
Your Edge Blog Team: What do you mean?
Scott: I know our Chief Security Officer, Mike Zachman, has mentioned this before in some podcasts, but Zebra is a very security-aware organization, and we’re very proactive in strengthening our solutions. Every decision we make and every technology change we ultimately implement is driven by customers’ needs as well as the trends we’re seeing and anticipating in the market. We’re always thinking about how we can refine our solutions and services to better support their operations, and we take very aggressive, definitive steps to add more value to each SKU in our portfolio.
But the return on investment (ROI) is not exclusively a tangible number. In today’s world, technology is incorporated in some way into every workflow. It’s in every worker’s hands. It’s what now dictates productivity rates, operational capacity, and mission outcomes. It’s what guides front-line teams’ every move. And this is across all sectors: government, healthcare, retail, energy, equipment maintenance – you name it. Because mobile technology has become table stakes, it is prolific all the way to the edge of the enterprise. There is an unthinkable amount of sensitive data literally exchanging hands every day, sometimes in the form of a data connection, text message, email app alert and just as often in the form of a device handoff. Zebra’s Android mobile devices are often used as part of a shared fleet.
Therefore, all organizations want to ensure the next person to pick up each device is only seeing the information he or she has permission to see based on security clearance or some other access control measure. They also want to ensure those devices aren’t going to become points of vulnerability for bad actors to access back-end systems. So, even though we may have pursued the Common Criteria Certification to ensure we meet the security criteria for our government customers, all of our customers are going to benefit.
Your Edge Blog Team: Did Zebra’s entire mobile computing portfolio receive Common Core Certification?
Scott: There are 28 Android 10 handheld mobile computers, tablets and wearables – all on the Qualcomm SD660 chipset – currently certified under the U.S. schema administered by the National Information Assurance Partnership (NIAP). Our certification is posted on the NIAP site here.
Your Edge Blog Team: Are there other devices that will be certified in the future?
Joe: We will continue to evaluate which other devices need certification in the future based on customer use cases, and we are committed to repeating this process as new Android operating system versions and chipsets come to market.
You can find the full list of certified Zebra devices and details about their security robustness here. You can also contact our government team directly with any questions about the certification or Zebra's mobility solutions.