What is Common Criteria?
Common Criteria (often abbreviated as CC) is an international set of standardized guidelines and specifications that were developed to evaluate information security products. Specifically, Common Criteria ensures that certified products meet an agreed-upon security standard for government deployments.
More formally, Common Criteria is known as “Common Criteria for Information Technology Security Evaluation.”
The Common Criteria for Information Technology Security Evaluation and its companion, the Common Methodology for Information Technology Security Evaluation (CEM), are the technical basis for an international agreement called the Common Criteria Recognition Arrangement (CCRA). As of 2019, thirty countries (including the United States and Canada) have signed the CCRA, making it an unparalleled measure of security for the international commerce of IT products.
The CCRA ensures that:
- Products are evaluated by competent and independent licensed laboratories.
- Supporting documents are used within the certification process to define how the criteria and evaluation methods are applied.
- Certification of the security properties is based on the result of these independent evaluations.
The History of Common Criteria
Common Criteria evolved from three distinct but related security standards:
TCSEC: The Trusted Computer System Evaluation Criteria (TCSEC) was a United States Department of Defense (DoD) standard that set basic requirements for assessing the effectiveness of the computer security controls built into a computer system. Better known as the Orange Book, this standard grew out of computer security work done by the National Security Agency and the National Bureau of Standards in the late 1970s and early 1980s.
ITSEC: Developed in the early 1990s by France, Germany, the Netherlands and the United Kingdom, the Information Technology Security Evaluation Criteria (ITSEC) was the European standard for evaluating computer security within products and systems.
CTCPEC: First published in May 1993, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) was based on the US Department of Defense standard and was used jointly by evaluators from both the United States and Canada.
By unifying and consolidating these existing standards, the CC ensures that companies creating computer products for the government market are evaluated against only one set of criteria, saving time and money for all involved parties. The CC was developed by the governments of Canada, France, Germany, the Netherlands, the United Kingdom and the United States.
The Components of Common Criteria
Common Criteria has two key components: Protection Profiles and Evaluation Assurance Levels.
Protection Profile: This component defines a standard set of security requirements for a specific type of product.
Evaluation Assurance Level (EAL): This component defines how thoroughly a security product is tested. Evaluation Assurance Levels are scaled from 1 to 7, with one being the lowest level of evaluation and seven the highest. A higher-level evaluation does not mean the product has a higher level of security, only that the product went through more extensive testing.
The Certification Process
The first step in submitting a product for CC certification is completing a Security Target description. The Security Target includes an overview of the product and its security features, an evaluation of potential security threats, and the vendor's self-assessment detailing how the product conforms to the relevant Protection Profile at the Evaluation Assurance Level the vendor chooses to test against. The second step is generating all of the assurance documentation that the testing lab requires.
Next, the product and its associated documentation are submitted to an accredited testing laboratory, which tests the product to verify its security features and evaluates how well it meets the specifications outlined in the Protection Profile. The results of a successful evaluation form the basis for an official certification of the product.
So why is Common Criteria important?
The goal of CC certification is to assure customers that the products they are buying have been evaluated and that the vendor's claims have been verified by a vendor-neutral third party. But here are three more reasons it may be worth the investment.
1) Certification opens the door to the government market.
All IT security products purchased by the U.S. government for national security systems are required to have Common Criteria certification and many government agencies specifically write it into their RFPs. Want to sell into government? Common Criteria certification is a necessity.
2) Certification keeps the market competitive.
To capture (or maintain) market share, especially in the government and public safety sector, Common Criteria certification is critical for competing with other well-established security products that have already been evaluated.
3) Products will improve with certification.
The stringent evaluation process may uncover previously unknown vulnerabilities that can be addressed before sending a product to market, preventing costly post-release patches.
The complete Common Criteria certification report for NetMotion Mobility 11.0 is available online, for the security-minded IT manager.
A complete list of all certified products is available at www.commoncriteriaportal.org.