Certification Authority Licensing - Audit

In order to establish that the certification authority is using a secure computer system, all applicants must pass a CS-2 systems audit prior to licensing. This is generally the most extensive requirement of the certification authority licensing process.

The audit must be performed by auditors who are qualified to perform information system security audits. The Auditor Qualifications page has more detailed information regarding auditor certification requirements.

CS-2 is a computer security auditing standard developed by the National Institute of Standards and Technology. It’s full name is the "Common Criteria (CC) Protection Profile (PP) for Commercial Security 2 (CS2), (CCPPCS)."

According to NIST, "The purpose of CS-2 is to provide the guidance necessary to develop ‘compliant’ protection profiles for near-term achievable, security baselines using commercial off the shelf (COTS) information technology." A CS-2 audit reviews the certification authority’s compliance with the profile’s functional security requirements.

A copy of the profile can be downloaded from the NIST CS-2 website. This site also includes several documents describing the common criteria profiles, and other supporting documents.