Definition

What are Common Criteria (CC) for Information Technology Security Evaluation?

Katie Terrell Hanna

By

Katie Terrell Hanna

Common Criteria (CC) is an international standard (ISO/IEC 15408) for evaluating information technology security products. It provides guidelines and specifications to ensure that these products meet recognized security standards, especially for government and other high-security environments.

Established in the late 1990s, the Common Criteria is formally titled Common Criteria for Information Technology Security Evaluation.

Key components of Common Criteria

The Common Criteria standard comprises two primary components:

Protection Profiles. A Protection Profile defines a set of security requirements tailored for a specific product category, such as firewalls, encryption modules or authentication systems. Protection Profiles ensure that products evaluated for the same purpose meet consistent security expectations as well as align with industry and governmental standards.
Evaluation Assurance Levels. EALs measure the depth and rigor of the product evaluation. They range from EAL1 to EAL7. EAL1 represents a basic level of security assurance, and EAL 7 indicates an extensive evaluation but does not imply that the product is inherently more secure.

The process of Common Criteria certification

To submit a product for Common Criteria certification, vendors must follow several steps to ensure the product meets CC standards:

Security Target preparation. The vendor prepares a Security Target, a document detailing the product's security functions, capabilities, and intended operational environment. The ST also specifies the protection profile and the evaluation assurance level that the vendor is targeting.
Laboratory evaluation. After the Security Target is complete, an independent testing laboratory, accredited by the Common Criteria Recognition Arrangement (CCRA), assesses the product. The laboratory reviews the product against the standards outlined in the chosen Protection Profile and evaluation assurance level. They verify that the product's features align with the security claims and test it against potential security threats.
Certification issuance. Following a successful evaluation, the product receives Common Criteria certification. This certification provides customers with the assurance that the product's security claims have been independently verified.

Types of security threats diagram. — Common Criteria aims to ensure products are protected against security threats.

Common Criteria Recognition Arrangement

CCRA is an international agreement that facilitates global acceptance of Common Criteria-certified products. Member countries agree to recognize certificates up to EAL2, which enables product vendors to achieve internationally accepted certification without undergoing separate evaluations in each country.

Currently, over 30 nations, including the United States, Canada, the United Kingdom and Germany, participate in the CCRA, making it a globally recognized standard for security product certifications.

Advantages and limitations of Common Criteria

While the Common Criteria framework provides significant advantages, it also has some limitations.

Advantages

International recognition. Common Criteria certification is recognized by governments and organizations globally, reducing the need for multiple certifications across different countries.
Consistency in security standards. By using Protection Profiles, the Common Criteria standardizes security expectations, ensuring consistency in product security across similar categories.
Independent validation. Certification provides a vendor-neutral assessment, offering customers an unbiased validation of the product's security features.

Limitations

Cost and time intensive. Achieving certification, especially at higher EALs, is a costly and lengthy process, making it challenging for smaller companies to participate.
Misinterpretation of EAL levels. The assumption that higher EALs guarantee better security is incorrect, as EALs only indicate the thoroughness of the evaluation process.
Updating challenges. Certification is based on the product as evaluated. Therefore, future updates or patches might not automatically retain the original certification, requiring re-evaluation in some cases.

The evolving importance of Common Criteria in cybersecurity

In an era where cybersecurity threats are becoming increasingly sophisticated, Common Criteria remains a vital component in establishing trust in IT security products. As security threats evolve, the need for a standardized approach to evaluating security products is crucial for both government and commercial sectors.

With continued support from member countries and updates to the standards, Common Criteria is evolving to meet emerging security challenges, making it relevant for next-generation security products, including those involving cloud security, AI and IoT technologies.

Check out our ultimate guide to cybersecurity planning for businesses, and learn about cybersecurity controls and how to place them. Explore common types of malware attacks and how to prevent them, tips for building a cybersecurity culture at your company and leading enterprise cybersecurity challenges.

This was last updated in December 2024

Continue Reading About What are Common Criteria (CC) for Information Technology Security Evaluation?

Types of security incidents and how to prevent them

Cybersecurity statistics to lose sleep over

Free cybersecurity tools you should know about

Top types of data security technology

Top cloud security challenges and how to combat them

Search Networking

What is Cisco Certified Internetwork Expert (CCIE) certification?
Cisco Certified Internetwork Expert (CCIE) certification is a series of technical certifications for senior networking ...
What is Cisco Performance Routing (PfR)?
Cisco Performance Routing (PfR) is a way of sending network packets based on intelligent path control.
What is a MAC address and how do I find it?
A MAC address (media access control address) is a 12-digit hexadecimal number assigned to each device connected to the network.

Search Security

What is identity and access management? Guide to IAM
No longer just a good idea, IAM is a crucial piece of the cybersecurity puzzle. It's how an organization regulates access to ...
What is a stream cipher?
A stream cipher is an encryption method in which data is encrypted one byte at a time.
What is a block cipher?
A block cipher is a method of encrypting data in blocks to produce ciphertext using a cryptographic key and algorithm.

Search CIO

What is incremental innovation?
Incremental innovation is a series of small improvements or upgrades made to a company's existing products, services, processes ...
What is transformational leadership?
Transformational leadership is a leadership style that focuses on inspiring and motivating employees to innovate and find new ...
What is compliance risk?
Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting ...

Search HRSoftware

What is employee self-service (ESS)?
Employee self-service (ESS) is a widely used human resources technology that enables employees to perform many job-related ...
What is DEI? Diversity, equity and inclusion explained
Diversity, equity and inclusion is a term used to describe policies and programs that promote the representation and ...
What is payroll software?
Payroll software automates the process of paying salaried, hourly and contingent employees.

Search Customer Experience

What is an AI assistant?
An AI assistant, or digital assistant, is software that uses artificial intelligence to understand natural language voice ...
What is a chief experience officer (CXO)?
A chief experience officer (CXO) is an executive in the C-suite who ensures positive interactions with an organization's ...
What is contact center infrastructure?
A contact center infrastructure (CCI) is a framework composed of the physical and virtual resources that a contact or call center...

Close