ITSEF

ITSEF -- IT Security Evaluation Facility

An Information Technology Security Evaluation Facility (ITSEFITSEFComplianceAccredited lab that performs Common Criteria smart card evaluations.Click to view →) is an accredited laboratory that performs Common Criteria security evaluations of IT products, including smart card chips, operating systems, and applications. ITSEFs are the technical workhorses of the Common CriteriaCommon CriteriaSecurityInternational IT security evaluation standard.Click to view → certification ecosystem, conducting the detailed testing and analysis required to validate a product's security claims.

Evaluation Process

When a smart card manufacturer submits a product for Common Criteria evaluation, the ITSEF performs a systematic assessment against the product's Security Target (ST) or an applicable Protection Profile (PP). The depth of evaluation depends on the target EAL level. At EAL4+, the ITSEF reviews the full design documentation, source code, and performs independent penetration testing. At EAL5+ and above (typical for smart card ICs), the ITSEF also conducts side-channel analysis (SPA/DPA), fault injection testing, and invasive physical attacks (probing, FIB circuit modification) to verify the chip's resistance to hardware-level attacks.

Accreditation and Governance

ITSEFs must be accredited by a national certification body -- such as BSI (Germany), ANSSI (France), NLNCSA (Netherlands), or NIAP (USA) -- and maintain ISO 17025 laboratory accreditation for testing competence. The accreditation scope specifies which product types and EALEALSecuritySecurity evaluation depth rating (1-7).Click to view → levels the ITSEF is qualified to evaluate. For smart card evaluations, the ITSEF must demonstrate specific competencies in hardware attack methods, cryptographic algorithm testing, and embedded software analysis, as defined by the JIL guidelines.

Industry Role

Major ITSEFs that evaluate smart card products include Brightsight (Netherlands), Serma Safety & Security (France), TUV Informationstechnik (Germany), and UL Transaction Security (USA). A typical smart card chip evaluation at EAL5+ takes 12-18 months and can cost several hundred thousand dollars. The evaluation results in a Certification Report published by the national certification body, which vendors reference when demonstrating security compliance to payment networks (EMVCo), government agencies (FIPS 140), and telecom operators (GSMA SAS).