The Common Criteria for Information Technology Security Evaluation (also known as Common Criteria or CC) is a framework for cybersecurity certifications based on an international standard (ISO 15408). The CC was launched as a new set of guidelines in June 1993, when the supporting organizations – the United States, Canada, France, Germany, and the United Kingdom – merged their diverse IT security requirements into a single set. CC Version 2.1 was released in August 1999. This collection of Common Criteria is known as ISO 15408, or International Standard 15408. ISO 15408 is meant to be used as the basis for the assessment of the security properties of IT products. Common Criteria certification may be granted to an IT product or system that has successfully passed this evaluation. If you have ever wondered what exactly is regulated by Common Criteria, keep reading: this article provides plenty of useful information.
What does the Common Criteria framework include?
A specific IT product must go through an evaluation procedure and fulfill numerous requirements in order to be CC certified. The product or system being assessed is referred to as the ‘target of evaluation’ (TOE). The method guarantees that Common Criteria certified products meet the criteria of the global standard at the selected assurance level.
Here are the principal concepts of the CC framework:
- Security Target (ST): A Security Target is a document that outlines the Target of Evaluation (TOE), or the product configuration and version, as well as the breadth of security functionality that is being assessed.
- Protection Profile (PP): a document, often prepared by a user or user community, that outlines security requirements for a class of security products relevant to them for a specific purpose. Suppliers and developers have the option of implementing products that comply with one or more PPs and having their products evaluated against those PPs.
- Evaluation Assurance Levels (EAL): a standardized set of assurance packages that range from Functionally Tested (EAL1) to Formally Verified Design and Tested (EAL7). A PP or ST can claim an EAL or define its own set of assurance requirements. It is important to know that a higher EAL does not necessarily mean “greater security,” but rather that the TOE’s asserted security claims have been more thoroughly examined.
How does Common Criteria evaluation work?
There are three parties involved in a Common Criteria evaluation: the vendor or developer, the accredited testing laboratory, and the scheme or certification body. The evaluation process usually takes from a few months upwards, depending on how complex the TOE and the evaluation claims are.
In order to start the evaluation process, the vendor (or developer) has to complete and provide the so-called Security Target (ST) document. The ST has to include:
- a summary of the product and its protection components,
- an assessment of potential safety threats,
- a self-assessment by the vendor, describing how the product conforms to the relevant PP at the chosen EAL against which the product is to be evaluated.
Once the ST is complete, the laboratory tests the product to validate its security functionality and assesses how well it satisfies the requirements set in the PP. The findings of a successful evaluation serve as the foundation for the product’s formal certification.
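The relationship between the ST and the PP described above can be made concrete with a small consistency checker. The following Python is an added example, not code from the article or from any CC scheme: it models a PP as a set of required security functional requirements (SFRs, using CC Part 2 style identifiers such as FAU_GEN.1 as sample values) plus a minimum EAL, and reports every way an ST's claims fall short of the PPs it cites. It checks only the consistency of the vendor's claims; the laboratory's actual testing of the TOE is outside what a script can do.

```python
"""Consistency check of a Security Target (ST) against the Protection Profiles (PPs) it claims.

Added example; the PP, ST, and SFR identifiers below are sample values constructed
for illustration, not taken from any real evaluation.
"""
from dataclasses import dataclass

# Assurance levels defined by the CC: EAL1 (Functionally Tested) .. EAL7
# (Formally Verified Design and Tested).
EAL_MIN, EAL_MAX = 1, 7


@dataclass(frozen=True)
class ProtectionProfile:
    name: str
    required_sfrs: frozenset   # SFRs every conformant TOE must implement
    minimum_eal: int           # assurance package the PP demands


@dataclass(frozen=True)
class SecurityTarget:
    toe_name: str
    toe_version: str
    claimed_pps: tuple         # names of PPs the ST claims conformance to
    claimed_sfrs: frozenset    # SFRs the ST says the TOE implements
    claimed_eal: int


def check_conformance(st: SecurityTarget, known_pps) -> list:
    """Return a list of findings; an empty list means the claims are consistent."""
    findings = []
    if not EAL_MIN <= st.claimed_eal <= EAL_MAX:
        findings.append(
            f"claimed EAL{st.claimed_eal} is outside EAL{EAL_MIN}..EAL{EAL_MAX}")
    by_name = {pp.name: pp for pp in known_pps}
    for pp_name in st.claimed_pps:
        pp = by_name.get(pp_name)
        if pp is None:
            findings.append(f"claimed PP '{pp_name}' is unknown")
            continue
        # Every SFR the PP requires must appear in the ST; extra SFRs are allowed.
        missing = sorted(pp.required_sfrs - st.claimed_sfrs)
        if missing:
            findings.append(
                f"PP '{pp.name}': SFRs not covered by ST: {', '.join(missing)}")
        # The ST may claim a higher EAL than the PP demands, never a lower one.
        if st.claimed_eal < pp.minimum_eal:
            findings.append(
                f"PP '{pp.name}' requires at least EAL{pp.minimum_eal}, "
                f"ST claims EAL{st.claimed_eal}")
    return findings


# Constructed sample PP: a hypothetical network-device profile.
SAMPLE_PP = ProtectionProfile(
    name="PP-NetworkDevice-sample",
    required_sfrs=frozenset({"FAU_GEN.1", "FCS_COP.1", "FIA_UAU.1", "FMT_SMF.1"}),
    minimum_eal=2,
)

# Constructed ST whose claims satisfy the sample PP.
CONFORMANT_ST = SecurityTarget(
    toe_name="ExampleGateway", toe_version="3.1",
    claimed_pps=("PP-NetworkDevice-sample",),
    claimed_sfrs=frozenset({"FAU_GEN.1", "FCS_COP.1", "FIA_UAU.1", "FMT_SMF.1", "FPT_STM.1"}),
    claimed_eal=4,
)

# Constructed ST that omits two required SFRs, claims too low an EAL,
# and cites a PP that does not exist.
NONCONFORMANT_ST = SecurityTarget(
    toe_name="ExampleGateway", toe_version="2.0",
    claimed_pps=("PP-NetworkDevice-sample", "PP-Unknown"),
    claimed_sfrs=frozenset({"FAU_GEN.1", "FIA_UAU.1"}),
    claimed_eal=1,
)


if __name__ == "__main__":
    for st in (CONFORMANT_ST, NONCONFORMANT_ST):
        result = check_conformance(st, [SAMPLE_PP])
        print(f"{st.toe_name} {st.toe_version}: {result or 'claims consistent'}")
```

Running the block reports no findings for the first ST and three for the second (two missing SFRs, an EAL below the PP's minimum, and an unknown PP). In practice the evaluator also has to confirm that each claimed SFR is actually implemented and tested; this check only catches claims that cannot be right before the laboratory starts.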
What is Common Criteria certification good for?
The benefit of CC certification for end-users is the certainty that the products they are using have been assessed and that the vendor’s claims about the product’s security have been validated by an independent, accredited third party.
Common Criteria certification is one of the world’s most widely used and recognized IT security evaluation schemes. It provides multiple advantages for developers and vendors. CC certification puts product owners in a privileged selling position thanks to the CCRA (Common Criteria Recognition Arrangement) and other international agreements under which certificates are recognized across borders. Common Criteria certified products not only comply with the expected IT security requirements but also carry evidence of compliance with current international professional standards.
Conclusion
Common Criteria is an international set of standards, also known as ISO/IEC 15408. The Common Criteria framework provides the basis for the evaluation of the security properties of IT products and systems. As the result of a successful evaluation, a CC certificate is issued, which brings the benefits listed above for both vendors (or developers) and buyers.