The need to ensure that consumers have access to IT products which are inherently secure has raised a demand for some kind of internationally recognized standard for evaluating and certifying equipment and software. Such a standard exists in what’s collectively known as the Common Criteria or CC.
Common Criteria or CC
More formally known as the “Common Criteria for Information Technology Security Evaluation”, the Common Criteria or CC is a set of international specifications and guidelines used in evaluating information security products. The provisions of the CC are designed to ensure that IT products achieve an agreed standard for security deployment in government applications.
The Common Criteria is the main driver for the most widely accepted and recognized conditions for secure IT products.
Common Criteria Recognition Arrangement or CCRA
The Common Criteria Recognition Arrangement (CCRA, sometimes referred to in this context simply as the Arrangement) is an international agreement spelling out conditions for the assessment and certification of information technology products intended for security applications. Its provisions ensure that:
- Products should be evaluated to establish their fulfillment of particular security properties to an agreed extent or assurance – and that this evaluation should be conducted at independent and competent testing laboratories.
- When specific technologies are being certified, supporting documents should be issued within the Common Criteria certification process to define how evaluation methods and conditions were applied.
- Certificate Authorizing Schemes defined within the Arrangement are empowered to issue certification of the security properties of evaluated products, based on the testing and assessment results.
- Certificates and documentation issued by the Certificate Authorizing Schemes should be recognized by all signatories of the CCRA.
The Common Methodology for Information Technology Security Evaluation, or CEM, is the companion methodology to the Common Criteria: it sets out the technical basis on which evaluations are performed under the Common Criteria Recognition Arrangement (CCRA).
Protection Profiles are one of the two key elements making up the Common Criteria. A Protection Profile, or PP, applies to a specific type of information security product, such as an anti-virus program or a firewall. For each product type, the Protection Profile specifies a standard set of security requirements which have to be met before a certification is issued.
Evaluation Assurance Levels
An Evaluation Assurance Level, or EAL, is the second key element of the CC, and defines the depth and rigor with which a particular security product is evaluated. Evaluation Assurance Levels are established on a scale from 1 to 7, with Level 1 being the lowest and Level 7 the highest level of evaluation. But a higher level of evaluation isn’t a guarantee that a particular product is more secure – it simply indicates that the product underwent more extensive testing and evaluation prior to its certification.
Security Target Descriptions
Before submitting a security product for evaluation, each manufacturer or vendor first has to compile a Security Target (ST) description, which gives an overview of the product and its security features. The ST description also has to include the vendor’s evaluation of potential security threats to their product, and their own assessment of how well their product conforms to the Protection Profile that’s been set for the Evaluation Assurance Level at which the product will be tested.
Evaluation and Certification
Having received a vendor’s ST description, a designated laboratory then subjects the product to a series of tests aimed at verifying its security features. The lab must also evaluate how well the product meets the criteria specified in its Protection Profile. A successful set of evaluation results will then form the basis of an official certification of the product.
Common Criteria certificates are issued by a Certification/Validation Body or CB. The term “validation” may be used interchangeably with “certification” under the terms of the CC Arrangement.
Objectives of the Common Criteria
CC certification is primarily aimed at assuring consumers that the products they’re buying have been tested and evaluated, and that a vendor’s claims and security assurances have been verified by a neutral third party (i.e., the CC-approved testing laboratory).
Participants in the Common Criteria Recognition Arrangement share these objectives:
- Ensuring that evaluations of information security products and Protection Profiles are conducted to a high and consistent standard – and that these evaluations are seen to contribute to consumer confidence in the security of these products and profiles.
- Increasing and improving the availability on the market of security-enhanced IT products and profiles which have been properly evaluated.
- Eliminating the need for IT products and profiles to be evaluated more than once: under the Arrangement, a successful evaluation and certification by testing labs in one member state applies in all others.
- Taking steps to continuously improve the efficiency and cost-effectiveness of evaluation and certification/validation processes for information security products and Protection Profiles.
Participants in the CC Arrangement and signatories to the Common Criteria are known as Certificate Consuming Members. Senior representatives from each signatory nation form a Management Committee, which is tasked with implementing the Arrangement and providing guidance to those conducting evaluation and certification/validation activities at the various national levels.
The list of Certificate Consuming Members currently consists of:
- Czech Republic
- New Zealand
- Republic of Korea
- United Kingdom
- United States