Common Criteria, known as CC, is an international standard, formally called ISO/IEC 15408, that provides a framework for evaluating the security of information technology products. It sets out guidelines to ensure these products meet recognized security standards, especially in high-security environments like government agencies. It started in the late 1990s as a way to create a consistent evaluation standard across different technologies.
There are two main parts to the Common Criteria framework:
- Protection Profiles: These define specific security requirements for product categories like firewalls or encryption tools. Protection Profiles ensure that products serving similar functions meet the same security expectations and align with industry norms.
- Evaluation Assurance Levels (EALs): These levels, ranging from EAL1 to EAL7, show how rigorous the evaluation is. EAL1 offers basic assurance while EAL7 indicates a comprehensive evaluation. However, a higher EAL doesn’t automatically mean a product is more secure.
Getting a product certified under Common Criteria involves several steps:
- Preparing a Security Target: Vendors create a document detailing the product’s security functions, capabilities, and intended use, along with the relevant protection profile and desired EAL.
- Laboratory Evaluation: Once the Security Target is ready, an accredited independent lab assesses the product against the security requirements in the chosen protection profile. The lab verifies that the product meets its security claims and tests it for vulnerabilities.
- Certification Issuance: After successful evaluation, the product gets its Common Criteria certification, providing reassurance to customers that the security claims have been objectively validated.
CCRA, or Common Criteria Recognition Arrangement, is an international agreement that promotes acceptance of Common Criteria-certified products across borders. Member countries recognize certifications up to EAL2, allowing vendors to achieve international recognition without needing multiple evaluations in every country. Over 30 nations, including the US, UK, and Canada, are part of the CCRA, which makes it a globally recognized standard.
While Common Criteria has its benefits, it’s not without drawbacks:
Advantages:
- International Recognition: Governments and organizations worldwide acknowledge the certification, simplifying the certification process across different regions.
- Consistency in Security Standards: Standardized protection profiles deliver consistent security expectations across similar products.
- Independent Validation: The certification offers an unbiased evaluation, giving customers confidence in the product’s security.
Limitations:
- Costs and Time: The certification process can be expensive and time-consuming, making it tough for smaller companies to participate.
- EAL Misinterpretation: Higher EALs don’t necessarily mean better security; they just reflect the thoroughness of the evaluation.
- Updating Challenges: Certification is tied to the evaluated product. Any updates or patches could require re-evaluation to maintain certification.
As cybersecurity threats evolve, Common Criteria plays an essential role in building trust in IT security products. With ongoing support from member nations and updates to its standards, CC continues to adapt to new security challenges, ensuring its relevance for emerging technologies like cloud computing, AI, and IoT.