RELIANOID ISO/IEC 15408 (Common Criteria) Compliance

Last Reviewed: September 2025
Next Review Due: September 2026

ISO/IEC 15408 Compliance Statement

Common Criteria Security Alignment for RELIANOID Load Balancer and Organization

RELIANOID is aligned with the principles of ISO/IEC 15408:2022, also known as the Common Criteria for Information Technology Security Evaluation (CC). This internationally recognized standard enables structured evaluation of IT products’ security properties and is often required in government and critical infrastructure procurement.

While RELIANOID has not undergone formal certification under Common Criteria, our organizational controls and load balancing platform architecture are strongly aligned with the Common Criteria Evaluation Assurance Level (EAL) principles, particularly in the context of cloud and on-prem deployments in high-assurance environments.

What is ISO/IEC 15408?

ISO/IEC 15408 provides a framework for evaluating IT product security through:

  • Security Functional Requirements (SFRs) – the features and protections a product provides
  • Security Assurance Requirements (SARs) – the evidence and processes demonstrating how those features are securely implemented

It is widely adopted by national cybersecurity agencies and regulated sectors such as defense, energy, finance, and government procurement.

Product Scope and Target of Evaluation (TOE)

The TOE encompasses all RELIANOID Enterprise components:

  • Components: Hardware appliances, software platform, and management interfaces (Web UI, CLI, API).
  • LTS Lifecycle: All Enterprise versions are Long-Term Support. Current major version: v8 (supported until June 2029).
  • Operating System: Debian Bookworm.
  • Deployment Models: Primarily on-premises; also supported in cloud and hybrid environments.
  • Topologies: Standalone, clustered, and dual-mode with Disaster Recovery (DR).

Organizational Alignment with Common Criteria

RELIANOID follows key assurance and lifecycle principles of ISO/IEC 15408 across our internal development, deployment, and operational practices.

Security Target and Threat Model

We maintain an internal Security Target document aligned with the Common Criteria structure, defining:

  • Assets protected (e.g., network traffic, configurations, credentials)
  • Threats addressed (e.g., privilege escalation, man-in-the-middle, unauthorized access)
  • Assumptions and environmental considerations (e.g., secure network placement)

Design and Development Controls

Our Secure Software Development Lifecycle (SSDLC) incorporates:

  • Daily automated security testing (SAST, DAST)
  • Vulnerability scanning of third-party libraries
  • Formal change control and versioned release documentation
  • Code signing and release integrity checks

Security Functional Requirements (SFR) Mapping

RELIANOID Load Balancer implements a broad set of SFR-equivalent controls, including:

  • Identification & Authentication (FIA): Users authenticate via passwords, key pairs, or SSO. API access is per user with generated tokens; all interfaces support secure authentication flows.
  • Access Control (AC/FMT/FDP): Role-Based Access Control is enforced across all components and interfaces (Web, CLI, API), including per-object controls on load-balancing services.
  • Audit & Accountability (FAU): Audit and system logs are stored by default for 7 days and can be exported or integrated with SIEM platforms.
  • Cryptographic Support (FCS): Robust cryptography with high key lengths. TLS v1.2 or higher by default (TLS v1.3 preferred). Legacy protocols/ciphers are disabled by default and may be enabled manually if required. Optional FIPS 140-validated modules.
  • User Data Protection (FDP): User data is only stored when required and is always encrypted at rest (e.g., users and passwords).
  • Security Management (FMT): Root user serves as the primary administrative account. Additional users, groups, and permissions are configurable via the RBAC module.
  • Protection of TOE Security Functions (FPT): Secure Boot, signed kernel modules, and GPG-protected repository access are implemented.
  • Communication Protection (FTP/FTA): All communications are encrypted; session management includes expiration and re-authentication controls.

Security Assurance Requirements (SAR) Alignment

  • Design & Documentation: Internal documentation (modules, architecture diagrams) is available in our Knowledge Base.
  • Code Reviews & Scanning: Automated and AI-assisted code scanning with peer manual reviews.
  • Vulnerability Management: Weekly vulnerability scans, quarterly reports, and CVE-tracked patch releases published in our timeline.
  • Independent Testing: External pentests and scans at application, network, and infrastructure levels.
  • Formal Testing: Daily automated security tests with expanded coverage each release cycle.

Development and Maintenance Processes

  • SSDLC: Requirements → Design → Implementation → Testing → Validation → Continuous Improvement. Managed with Git, Gitea, and internal automation tools.
  • Change & Configuration Management: Approval workflows, rollback procedures, and documentation of changes applied across environments.
  • Release Management: Updates are packaged, tested, and securely distributed. Pre-production validation is performed before promotion to production repositories.

Operational Security

  • Incident Response: Defined escalation and resolution procedures with an average time to respond of ~2 minutes.
  • Monitoring: Real-time metrics with integrated intrusion detection/prevention systems. Threat intelligence is shared with community and industry platforms.
  • Backup & DR: Weekly encrypted backups with monthly restoration testing.

Use in Regulated and Certified Environments

While not formally certified, RELIANOID supports:

  • Integration into Common Criteria-evaluated systems
  • Client procurement evaluations in EAL-focused environments
  • Structured documentation aligned with national schemes (e.g., CCN-STIC, NIAP, BSI TR)

Assurance Measures and Evidence

To support Common Criteria-aligned assurance goals, we provide:

  • Release notes with detailed changelogs
  • Threat-driven security design documentation
  • Archived vulnerability scan and patch reports
  • Secure deployment guides and hardening checklists

Organizational Alignment

  • Security Governance: Security compliance team led by the CEO, CTO, and COO, ensuring secure development, sound processes, and compliance alignment.
  • Employee Security Training: Quarterly training sessions and ongoing awareness of industry threats.
  • Internal Security Audits: Quarterly audits with remediation tracking. Reports are publicly available.
  • Policies: Published policies covering Privacy, Incident Response, Business Continuity, Global Data Segregation, Third-Party Risk, Access Control, Acceptable Use, and Data Handling.

Supporting Evidence

  • Latest RELIANOID Security Report: Confirmed as the most up-to-date version.
  • Knowledge Base: Updated whitepapers, datasheets, and architecture diagrams.
  • Customer Assurance Statements: Published statements for regulated industries, aligned with evolving cybersecurity regulations.

Commitment to Common Criteria Principles

RELIANOID is committed to:

  • Aligning new feature development with Common Criteria design methodology
  • Supporting customer-led evaluation efforts
  • Maintaining a threat-aware, secure development environment
  • Ensuring transparency and integrity across the product lifecycle

Document Reviews

Date               | Comment
10th July 2025     | Initial publication of ISO/IEC 15408 compliance alignment
2nd September 2025 | Expanded TOE scope, updated SFR mapping, SAR alignment, SSDLC and Ops details, organizational governance, and supporting evidence

Contact and Assurance

We welcome requests for technical evaluation materials, Security Target summaries, or support for Common Criteria procurement projects.

Contact our Compliance & Security Team

Download Latest Security Report