In April 2015, Sophos UTM v9 earned the Common Criteria (ISO 15408) certification under the German Common Criteria Evaluation and Certification Scheme, operated by the German Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik). As soon as we receive the certificate, it will be available for download at the following link: https://www.sophos.com/en-us/support/knowledgebase/117713.aspx.
The certificate with the identification number BSI-DSZ-CC-0942 applies to the product Sophos UTM v9 Packet Filter Version 1.000, which is the firewall component of the UTM security solution Sophos UTM v9 and was delivered with Sophos UTM 9.305. The certification is based on the Common Criteria Version 3.1 Revision 4 for the security level EAL4+ and was accompanied by the accredited testing laboratory SRC (Security Research & Consulting GmbH) situated in Bonn, Germany.
What is Common Criteria?
Common Criteria is a standard for evaluating the security features and capabilities of information technology products and is accepted by many countries around the globe. EAL4+, the highest internationally and mutually recognized certification level, requires an inspection of the development site, as well as close scrutiny of the complete source code by independent experts. The certification process also includes flaw remediation, which evaluates Sophos’ processes for supporting Sophos UTM with future security and maintenance updates.
The IT Security Certificate warrants to customers, especially to those within the government sector, that security requirements are properly implemented and that the processes used meet recognized standards. One particular benefit of a Common Criteria certification is its compliance with various purchasing policies (e.g., NSTISSP #11 in the U.S.), mandating that federal departments and agencies shall acquire, for use on national security systems, only those information technology products that have been validated according to Common Criteria.