What is Common Criteria?

Common Criteria, officially known as the Common Criteria for Information Technology Security Evaluation, was developed to certify that products and systems meet a pre-defined security standard for government deployments. Security products that have undergone successful testing and evaluation are awarded Common Criteria certification.

A Brief History of Common Criteria

The standard was developed by the governments of the U.S., Canada, Germany, France, the UK and the Netherlands in 1994. Common Criteria is the result of combining the CTCPEC (Canada), the TCSEC (U.S.), and the ITSEC (European) standards. The unification of security evaluation criteria would help to avoid the re-evaluation of products and systems addressing international markets.

When reviewing Common Criteria documentation or certifications, there are several key concepts to consider.

Target of Evaluation – The device or system to be reviewed for CC certification.

Protection Profile (PP) – Template used to define a standard set of security requirements for a particular class of related products. A protection profile serves as a reusable template of security requirements. Depending on the Target of Evaluation, multiple profiles may be used at once.

Security Target (ST) – Explicitly stated set of requirements specific to the capabilities of the product under evaluation.

Security Functional Requirements (SFRs) – Security requirements that refer to unique security functions provided by a product.

Evaluation Assurance Levels (EAL) – Used to define the way the product is tested and how thoroughly. These levels are scaled from 1 to 7, with 7 being the highest level and 1 the lowest. A higher number does not necessarily mean that the product went through more rigorous testing.

If a vendor has a product that they would like to be evaluated under the Common Criteria standards, they must complete a Security Target (ST) description. This will include an overview of the product's security features and an evaluation of any potential security risks. The vendor will also need to complete a self-assessment that details how the product complies with the relevant Evaluation Assurance Level and Protection Profile the vendor wants their product to be tested against.

Tests are usually carried out under laboratory conditions to validate the product's security features and to evaluate how well the product meets the requirements defined in the Protection Profile. If the results are successful, the product will usually be awarded CC certification. The objective of CC certification is to assure customers that they can trust the products they are investing in to support the vendor's claims and most importantly, offer the best protection for their network environment.