Common Criteria (CC)

May 2, 2023 by Maya G

What Are Common Criteria Standards?

Common Criteria (CC) standards are a set of internationally recognized guidelines designed to evaluate the security features and capabilities of IT products and systems. Established under the auspices of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), these standards provide a framework that enables vendors to demonstrate the security reliability of their products. By adhering to these criteria, developers and manufacturers can assure consumers and end-users that their technology solutions meet established security benchmarks, which is crucial in today's cybersecurity landscape.

Compliance with Common Criteria standards is not just beneficial for product assurance; it also plays a vital role in building trust in technology across diverse sectors, including government, finance, and healthcare. Because a CC rating is often a prerequisite for procurement, holding one can significantly enhance a product's marketability and open doors to various contracts and partnerships.

Uses Of Common Criteria (CC)

The Common Criteria is used for a variety of purposes, including:

  • Procurement: Governments and other organizations use CC evaluations to help make informed decisions when purchasing information technology products. The evaluations provide assurance that the products meet specific security requirements and can be trusted to protect sensitive information.
  • Regulatory Compliance: In many industries, regulations require the use of CC-evaluated products for specific purposes. For example, the U.S. Federal Information Processing Standard (FIPS) 140-2 requires that cryptographic modules used in government systems be CC-evaluated.
  • International Trade: CC evaluations are recognized internationally, which allows vendors to sell their products in multiple countries without having to go through multiple evaluation processes.
  • Product Development: Vendors can use the CC as a guide for developing and testing their products to meet specific security requirements. By following the CC, vendors can ensure that their products meet the security standards required by their customers.

Key Components Of Common Criteria (CC)

The Common Criteria (CC) framework is a set of guidelines, standards, and procedures used to evaluate the security of IT products, including hardware, software, and systems. The framework provides a structured approach to evaluating the security features and capabilities of a product, and ensures that the evaluation is based on established criteria and processes.

The Common Criteria framework is composed of several components, including:

  • Protection Profiles: These are security requirements for specific types of IT products, such as firewalls, operating systems, or smart cards. Protection profiles define the security functions and features that a product must have to meet the needs of a particular security environment.
  • Security Targets: These are specific implementations of a product that are being evaluated against a protection profile. Security targets define the security functions and features of the product that will be evaluated during the evaluation process.
  • Evaluation Assurance Levels (EALs): These are levels of assurance that indicate the level of confidence in the security of a product. EALs range from EAL1, which provides basic assurance, to EAL7, which provides the highest level of assurance.
  • Common Evaluation Methodology (CEM): This is a set of procedures and guidelines for conducting evaluations of IT products. The CEM provides a standardized approach to evaluating products, and ensures that the evaluation is conducted consistently across different products and evaluation facilities.

What Are The 5 Types Of Common Criteria?

The Common Criteria for Information Technology Security Evaluation (CC) is a framework that provides a set of standardized criteria for evaluating the security of information technology products and systems. The CC includes seven evaluation assurance levels (EALs), with each level corresponding to an increasing level of security assurance.

Here are five types of common criteria:

  • Security Functionality: This refers to the security features and functions provided by the product or system. The evaluation verifies whether the security functions are properly implemented and whether they meet the specified requirements.
  • Assurance: This refers to the confidence that can be placed in the security features and functions provided by the product or system. The evaluation verifies that the security functions are reliable and trustworthy.
  • Strength of Mechanisms: This refers to the level of security provided by the mechanisms that implement the security functions. The evaluation verifies whether the mechanisms are strong enough to resist attacks.
  • Security Architecture: This refers to the design of the product or system, including the security functions and mechanisms, and how they are integrated into the overall architecture. The evaluation verifies that the architecture is sound and secure.
  • Development Environment: This refers to the processes and tools used to develop and test the product or system. The evaluation verifies that the development environment is secure and that the product or system has been thoroughly tested to ensure its security.

Conclusion

Common Criteria (CC) is an essential framework for evaluating the security and assurance of information technology products. It provides a standardized approach for assessing the security features and capabilities of various products. Understanding and implementing Common Criteria (CC) can help organizations make informed decisions when selecting products for their cybersecurity needs. It is crucial for businesses and governments to prioritize the adoption of Common Criteria (CC) to enhance their overall security posture.