In the mid-1990s, the governments of the UK, the US, Canada, France, Germany, and the Netherlands developed an international set of rules called the Common Criteria for Information Technology Security Evaluation (also known as Common Criteria or CC). The CC is an international framework for IT security certification that has come a long way since its establishment and has evolved alongside the technology it covers. Today it spans many areas of IT and provides cybersecurity certification solutions for firewalls, mobile devices, network devices, application software, and more. The questions we will discuss in this article:
- What is Common Criteria?
- What are the core international IT security guidelines that built CC?
- Which groups can benefit from it and how?
Find out the answers below.
What is Common Criteria?
The Common Criteria for Information Technology Security Evaluation (often known as Common Criteria or CC) is a framework based on international standards (ISO 15408) for IT security certifications. In order to get a certain IT product CC certified, it has to go through an evaluation process and meet several requirements. The product or system undergoing the cybersecurity assessment is called the ‘target of evaluation’ (TOE). The process ensures that Common Criteria certified products perform according to the global standard’s requirements at the chosen security level (EAL 1 – EAL 7).
What was before Common Criteria?
Common Criteria was created based on these previously existing international IT security guidelines and standards:
- Trusted Computer System Evaluation Criteria (TCSEC) – Collection of IT security guidelines and standards published by the United States. TCSEC contains the Orange Book and several parts of the Rainbow Series.
- Information Technology Security Evaluation Criteria (ITSEC) – A European standard that was developed by Germany, France, the Netherlands, and the United Kingdom in the early 1990s.
- Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) – It was first published in May 1993 and used by evaluators from both Canada and the U.S.
Main Components of Common Criteria
Common Criteria has two key components: Protection Profiles and Evaluation Assurance Levels.
- Protection Profile: This component defines a standard set of security requirements for a specific type of product.
- Evaluation Assurance Level (EAL): This component defines how thoroughly a security product is tested. Evaluation Assurance Levels are scaled from 1 to 7, with one being the lowest level of evaluation and seven the highest. A higher-level evaluation does not mean the product has a higher level of security, only that the product went through more thorough testing.
Who can benefit from Common Criteria and how?
First of all, it is important to know that Common Criteria certification is not an option for all developers and IT products. In fact, in 2021 only 411 products were certified globally. Based on international trends, this number is increasing year by year.
There are three main parties that can benefit from Common Criteria certification in general: end-users, developers, and evaluators. Here is how:
Benefit for end-users
End-users are the consumers using a certain IT product or solution. They have the following benefit if the device or system they use is CC certified:
1. Fulfills their needs: the core objective and reason for the assessment process is to give customers confidence that the evaluated product meets their security demands.
Benefits for Developers and Manufacturers
Developers and/or Manufacturers (called Sponsor in CC evaluation projects) are the owners of the TOE. Also, they are responsible for compliance with CC requirements to get their products or solutions certified.
These are their main benefits:
2. Useful information in the results: developers and manufacturers can use the evaluation findings to determine whether a TOE meets their security needs or not. These security requirements are generally identified as a result of both risk analysis and policy direction.
3. Supports TOE development: Common Criteria and its clearly stated requirements are designed to help developers in planning and developing their TOEs, as well as outlining security standards that those TOEs must meet. These conditions are collected in an implementation-dependent construct called the Security Target (ST).
4. Protection Profiles for smooth communication: CC provides an implementation-independent structure for developers and manufacturers, known as Protection Profile (PP). They can choose from different PPs to certify their products against. It means that they get the Common Criteria certification based on the clear requirements written in a certain PP. For instance, it can be for mobile devices, secure signature devices, application SW, and much more.
Benefit for Evaluators
5. Clearly defines tasks: CC provides criteria that evaluators must strictly follow during evaluations. When making decisions about the conformance of TOEs to CC security requirements, accredited laboratories have a clear methodology to work with. In addition, the Common Methodology for Information Technology Security Evaluation (CEM) defines the set of general steps all certified evaluators are to perform. Common Criteria provides assurance that the evaluation of a TOE has been conducted in a rigorous, standard, and repeatable manner at a level that corresponds with its target use environment.
6. Although Common Criteria is generally used to specify and evaluate the IT security aspects of TOEs, it may also be valuable as reference material for anybody interested in or responsible for IT security. Some of the additional groups that can benefit from CC evaluation and the methodology itself are:
- security designers and architects,
- auditors, both external and internal,
- system security officers and custodians.
Common Criteria is a set of standards for scalable and internationally accepted security assessments of IT products. It provides cybersecurity certification solutions in a variety of IT areas such as mobile and network devices, application software, firewalls, secure signature devices, file encryption, and many other IT products and solutions. As this article has shown, it has numerous advantages for several different groups. Maybe you will be the next to enjoy these benefits?