Common Criteria (CC)

May 2, 2023

Common Criteria (CC) is an international standard (ISO/IEC 15408) that defines a set of criteria for evaluating and certifying the security of information technology products. The CC is used to provide assurance that the products meet a defined set of security requirements for a particular use case or environment.

The Common Criteria is used for a variety of purposes, including:

  1. Procurement: Governments and other organizations use CC evaluations to help make informed decisions when purchasing information technology products. The evaluations provide assurance that the products meet specific security requirements and can be trusted to protect sensitive information.
  2. Regulatory Compliance: In many industries, regulations require the use of CC-evaluated products for specific purposes. For example, the U.S. Federal Information Processing Standard (FIPS) 140-2 requires that cryptographic modules used in government systems be CC-evaluated.
  3. International Trade: CC evaluations are recognized internationally, which allows vendors to sell their products in multiple countries without having to go through multiple evaluation processes.
  4. Product Development: Vendors can use the CC as a guide for developing and testing their products to meet specific security requirements. By following the CC, vendors can ensure that their products meet the security standards required by their customers.

Overall, the Common Criteria provides a standardized and rigorous methodology for evaluating the security of information technology products.

What are Common Criteria standards?

Common Criteria (CC) is an international standard (ISO/IEC 15408) for evaluating the security features and capabilities of IT products. It provides a standardized framework for evaluating and certifying the security of products such as hardware, software, and systems, with a focus on ensuring that the products meet specific security requirements.

The Common Criteria defines a set of protection profiles, which are security requirements for different types of products. These profiles describe the security features and functions that a product should have to meet the needs of a particular security environment.

The CC evaluation process involves several stages, including security requirements analysis, security design analysis, security implementation analysis, security testing, and vulnerability assessment. A product that successfully completes this process receives a certification that indicates the level of security it provides.

The Common Criteria is used by government agencies, military organizations, and private sector companies worldwide as a basis for evaluating and selecting IT products that meet their security requirements.

What is the Common Criteria framework?

The Common Criteria (CC) framework is a set of guidelines, standards, and procedures used to evaluate the security of IT products, including hardware, software, and systems. The framework provides a structured approach to evaluating the security features and capabilities of a product, and ensures that the evaluation is based on established criteria and processes.

The Common Criteria framework is composed of several components, including:

  • Protection Profiles: These are security requirements for specific types of IT products, such as firewalls, operating systems, or smart cards. Protection profiles define the security functions and features that a product must have to meet the needs of a particular security environment.
  • Security Targets: These are specific implementations of a product that are being evaluated against a protection profile. Security targets define the security functions and features of the product that will be evaluated during the evaluation process.
  • Evaluation Assurance Levels (EALs): These are levels of assurance that indicate the level of confidence in the security of a product. EALs range from EAL1, which provides basic assurance, to EAL7, which provides the highest level of assurance.
  • Common Evaluation Methodology (CEM): This is a set of procedures and guidelines for conducting evaluations of IT products. The CEM provides a standardized approach to evaluating products, and ensures that the evaluation is conducted consistently across different products and evaluation facilities.

The Common Criteria framework is widely used by government agencies, military organizations, and private sector companies worldwide as a basis for evaluating and selecting IT products that meet their security requirements.

What are the 5 types of Common Criteria?

The Common Criteria for Information Technology Security Evaluation (CC) is a framework that provides a set of standardized criteria for evaluating the security of information technology products and systems. The CC includes seven evaluation assurance levels (EALs), with each level corresponding to an increasing level of security assurance.

Here are five types of Common Criteria:

  1. Security Functionality: This refers to the security features and functions provided by the product or system. The evaluation verifies whether the security functions are properly implemented and whether they meet the specified requirements.
  2. Assurance: This refers to the confidence that can be placed in the security features and functions provided by the product or system. The evaluation verifies that the security functions are reliable and trustworthy.
  3. Strength of Mechanisms: This refers to the level of security provided by the mechanisms that implement the security functions. The evaluation verifies whether the mechanisms are strong enough to resist attacks.
  4. Security Architecture: This refers to the design of the product or system, including the security functions and mechanisms, and how they are integrated into the overall architecture. The evaluation verifies that the architecture is sound and secure.
  5. Development Environment: This refers to the processes and tools used to develop and test the product or system. The evaluation verifies that the development environment is secure and that the product or system has been thoroughly tested to ensure its security.