Definition

What are Common Criteria (CC) for Information Technology Security Evaluation?

Katie Terrell Hanna
By

Common Criteria (CC) is an international standard (ISO/IEC 15408) for evaluating information technology security products. It provides guidelines and specifications to ensure that these products meet recognized security standards, especially for government and other high-security environments.

Established in the late 1990s, the Common Criteria is formally titled Common Criteria for Information Technology Security Evaluation.

Key components of Common Criteria

The Common Criteria standard comprises two primary components:

  • Protection Profiles. A Protection Profile defines a set of security requirements tailored for a specific product category, such as firewalls, encryption modules or authentication systems. Protection Profiles ensure that products evaluated for the same purpose meet consistent security expectations as well as align with industry and governmental standards.
  • Evaluation Assurance Levels. EALs measure the depth and rigor of the product evaluation. They range from EAL1 to EAL7. EAL1 represents a basic level of security assurance, and EAL 7 indicates an extensive evaluation but does not imply that the product is inherently more secure.

The process of Common Criteria certification

To submit a product for Common Criteria certification, vendors must follow several steps to ensure the product meets CC standards:

  1. Security Target preparation. The vendor prepares a Security Target, a document detailing the product's security functions, capabilities, and intended operational environment. The ST also specifies the protection profile and the evaluation assurance level that the vendor is targeting.
  2. Laboratory evaluation. After the Security Target is complete, an independent testing laboratory, accredited by the Common Criteria Recognition Arrangement (CCRA), assesses the product. The laboratory reviews the product against the standards outlined in the chosen Protection Profile and evaluation assurance level. They verify that the product's features align with the security claims and test it against potential security threats.
  3. Certification issuance. Following a successful evaluation, the product receives Common Criteria certification. This certification provides customers with the assurance that the product's security claims have been independently verified.
Types of security threats diagram.
Common Criteria aims to ensure products are protected against security threats.

Common Criteria Recognition Arrangement

CCRA is an international agreement that facilitates global acceptance of Common Criteria-certified products. Member countries agree to recognize certificates up to EAL2, which enables product vendors to achieve internationally accepted certification without undergoing separate evaluations in each country.

Currently, over 30 nations, including the United States, Canada, the United Kingdom and Germany, participate in the CCRA, making it a globally recognized standard for security product certifications.

Advantages and limitations of Common Criteria

While the Common Criteria framework provides significant advantages, it also has some limitations.

Advantages

  • International recognition. Common Criteria certification is recognized by governments and organizations globally, reducing the need for multiple certifications across different countries.
  • Consistency in security standards. By using Protection Profiles, the Common Criteria standardizes security expectations, ensuring consistency in product security across similar categories.
  • Independent validation. Certification provides a vendor-neutral assessment, offering customers an unbiased validation of the product's security features.

Limitations

  • Cost and time intensive. Achieving certification, especially at higher EALs, is a costly and lengthy process, making it challenging for smaller companies to participate.
  • Misinterpretation of EAL levels. The assumption that higher EALs guarantee better security is incorrect, as EALs only indicate the thoroughness of the evaluation process.
  • Updating challenges. Certification is based on the product as evaluated. Therefore, future updates or patches might not automatically retain the original certification, requiring re-evaluation in some cases.

The evolving importance of Common Criteria in cybersecurity

In an era where cybersecurity threats are becoming increasingly sophisticated, Common Criteria remains a vital component in establishing trust in IT security products. As security threats evolve, the need for a standardized approach to evaluating security products is crucial for both government and commercial sectors.

With continued support from member countries and updates to the standards, Common Criteria is evolving to meet emerging security challenges, making it relevant for next-generation security products, including those involving cloud security, AI and IoT technologies.

Check out our ultimate guide to cybersecurity planning for businesses, and learn about cybersecurity controls and how to place them. Explore common types of malware attacks and how to prevent them, tips for building a cybersecurity culture at your company and leading enterprise cybersecurity challenges.

This was last updated in December 2024

Continue Reading About What are Common Criteria (CC) for Information Technology Security Evaluation?