Common Criteria

From WikiMD's Food, Medicine & Wellness Encyclopedia

Common Criteria

The Common Criteria (CC) is an international standard for evaluating the security of information technology products. It provides a framework for assessing the security features and capabilities of these products, ensuring that they meet specific security requirements. The CC is widely recognized and used by governments, organizations, and industries around the world to evaluate and certify the security of IT systems.

History

The development of the Common Criteria began in the early 1990s as a collaboration between several countries, including the United States, Canada, France, Germany, and the United Kingdom. The goal was to create a unified standard that could be used to evaluate the security of IT products across different countries and industries.

In 1993, the first version of the Common Criteria was published, known as the "Common Criteria for Information Technology Security Evaluation" (CCITSE). Since then, the standard has undergone several revisions and updates to keep up with the evolving threat landscape and technological advancements.

Structure

The Common Criteria is structured into several parts, each addressing different aspects of the evaluation and certification process. These parts include:

1. Protection Profiles (PP): These define the security requirements for a specific type of IT product or system. They serve as a basis for evaluating and certifying products against a common set of criteria.

2. Security Targets (ST): These are documents that describe the security features and capabilities of a specific product or system. They are created by the product developers and provide the basis for evaluation against the relevant protection profile.

3. Evaluation Assurance Levels (EAL): These levels represent the depth and rigor of the evaluation process. They range from EAL1 (the lowest level) to EAL7 (the highest level). The higher the EAL, the more stringent the evaluation requirements.

4. Evaluation Methodology (EM): This part describes the procedures and techniques used to evaluate and certify IT products against the Common Criteria. It provides guidance to evaluators and ensures consistency in the evaluation process.

Benefits

The Common Criteria offers several benefits to both product developers and consumers:

1. Assurance of Security: By following the Common Criteria, product developers can ensure that their products meet specific security requirements. This provides assurance to consumers that the products they are using have undergone a rigorous evaluation process.

2. Interoperability: The Common Criteria allows for the evaluation and certification of IT products across different countries and industries. This promotes interoperability and facilitates the exchange of secure information between organizations.

3. Risk Management: The Common Criteria helps organizations assess the security risks associated with using IT products. By selecting products that have been evaluated and certified against the Common Criteria, organizations can mitigate potential security vulnerabilities.

4. International Recognition: The Common Criteria is recognized and accepted by governments, organizations, and industries worldwide. This global recognition enhances the marketability of IT products and increases consumer confidence.

Categories

The Common Criteria can be categorized into the following areas:

1. Security Evaluation: This category focuses on the evaluation and certification process, including the creation of protection profiles, security targets, and evaluation methodologies.

2. Security Requirements: This category encompasses the security requirements defined in the protection profiles. It includes aspects such as access control, cryptography, audit, and secure communication.

3. Evaluation Assurance Levels: This category relates to the different levels of assurance provided by the Common Criteria. It includes the evaluation criteria and requirements for each EAL.

4. International Cooperation: This category highlights the collaborative nature of the Common Criteria, involving multiple countries and organizations in its development and implementation.

Templates

Several templates are commonly used in Common Criteria documentation:

1. {{Infobox CC}}: This template is used to create an infobox that provides a summary of the Common Criteria document, including its title, version, and publication date.

2. {{CC-stub}}: This template is used to mark Common Criteria-related articles as stubs, indicating that they need further expansion and improvement.

3. {{CC-navbox}}: This template is used to create a navigation box at the bottom of Common Criteria articles, providing links to related topics and resources.

See Also

  • ISO/IEC 15408 - The international standard that defines the Common Criteria
  • Evaluation Assurance Level - The different levels of assurance provided by the Common Criteria
  • Protection Profile - The document that defines the security requirements for a specific type of IT product or system



Contributors: Prab R. Tumpati, MD