You probably heard about Common Criteria, but you might be unsure what it means and whether you should get your product or system certified. We will go into detail about this topic so that, in the end, the concept of Common Criteria is going to be perfectly clear.
We will also introduce how we, at CCLab, one of the leading Common Criteria accredited laboratories, work and explain how we can help you with your Common Criteria certification projects.
Common Criteria for Information Technology Security Evaluation, or Common Criteria (CC) for short, is a framework, a set of guidelines and specifications used for independent, scalable and globally recognized security assessment of IT products. It is an international standard, also known as ISO/IEC 15408, that is used to validate that a particular IT system or product (the Target of Evaluation, or TOE) satisfies a defined set of security requirements. CC specifies the structure of the evaluation, defines the terminology for describing security requirements, and provides a methodology for assessing those requirements. Common Criteria certification ensures that the specification, implementation and cybersecurity evaluation of an IT security product (the TOE) have been carried out in a standard, rigorous and repeatable way, at a level that matches its target operational environment.
Once a Common Criteria evaluation is completed and the product gets certified, it provides assurance that the process of specification, implementation and evaluation was conducted in a thorough and standard manner. Also, having Common Criteria certification is frequently listed as a requirement for procurement. CC has a grouping of 60 security requirements in 11 different classes.
The increase in cyber threats from individuals and foreign agents has required countries to work together to set standards and practices for systems and products that will mitigate vulnerabilities and protect IT product consumers across the globe. The need for standardized cybersecurity requirements has increased in the past few years and already affects many industries. Common Criteria is a global example of such a standard, but many other standards will follow to fulfill legal requirements such as those of the EU's Cybersecurity Act.
Common Criteria was originally built in partnership with 6 countries: Canada, the United States, Germany, France, the United Kingdom, and the Netherlands. The foundation of Common Criteria drew on previous standards already in place in 3 of these countries: the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), the United States' Trusted Computer System Evaluation Criteria (TCSEC), and the European Information Technology Security Evaluation Criteria (ITSEC). The first version of CC was issued in 1994.
The SOG-IS agreement was developed in response to the EU Council Decision of March 31, 1992 on information system security, and the following Council proposal of April 7th on uniform IT security evaluation standards. Government organizations and government agencies from 17 EU and EFTA member countries participated in this agreement, each representing its own country. The members' goal was to harmonize Common Criteria protection profiles and certification measures across European Certification Bodies in order to maintain a common stance in the rapidly expanding global CCRA group. They also aim to create protection profiles whenever the European Commission issues a cybersecurity regulation that must be applied in national legislation.
The original agreement was updated in 2010 in parallel with the technological developments and regulatory environment changes.
Common Criteria Certificate Authorizing Schemes have been established by 17 countries from all over the world. This means that each of these countries has set up its own national scheme, rules, legislation and Certification Body (i.e. Evaluation Authority). The Certification Body issues the CC certificate based on the evaluation performed by a Testing Laboratory. A Testing Laboratory can be accredited by multiple Certification Bodies to carry out CC evaluations. CCLab, for instance, has been accredited by OCSI, the Certification Body of the Italian scheme, since 2015, and by BSI, the German CB, since 2022.
The European Union Cybersecurity Certification (EUCC) will be a successor of the existing national CC schemes in Europe, replacing the former SOG-IS MRA.
The EUCC scheme is a Common Criteria-based certification system that combines the globally acknowledged methodology of Common Criteria with new concepts. EUCC supplements current Common Criteria and Common Evaluation Methodology (CEM) practices with new standards. The goal of the EUCC scheme is to ensure that ICT services, products and processes certified under it meet specific requirements aimed at protecting the authenticity, availability, confidentiality and integrity of stored, transmitted or processed data, or related functions.
It will include improved compliance monitoring and management, more visible and publicly available vulnerability information, and improved customer assistance such as patch management for certified devices or systems.
Here is the list of the most essential elements of Common Criteria and their definitions:
The Target of Evaluation (TOE) is a set of software, firmware and/or hardware possibly accompanied by guidance that is the subject of the evaluation.
A Protection Profile (PP) is a document that might be used as part of the certification process. The PP is usually created by a user or user community (i.e. a technical community) and contains the threats, security objectives, assumptions, security functional requirements and security assurance requirements for a certain type of product (e.g. firewalls, smart cards, electronic signature devices etc.). A Security Target is not required to claim conformance to a Protection Profile, but there might be mandatory requirements that only recognize products claiming conformance to approved Protection Profiles. A TOE may be compliant with more than one PP.
A Security Target (ST) provides the basis for an evaluation of a specific Target of Evaluation (TOE), including the TOE configuration and version, as well as the breadth of security functionality that is being assessed. The ST can assert conformance with one or more PPs.
Security Assurance Requirements (SARs) are descriptions of the measures taken during the product's (TOE’s) development and testing to assure compliance with the specified security functionality requirements.
Security Functional Requirements (SFRs) are used to specify a product's (TOE's) distinct (individual) security functionalities. The Common Criteria provides a catalog of these functions. Even if two TOEs are the same type of product, their lists of SFRs might differ.
In the past decades, technology has been evolving faster than regulations could follow, which caused security risks and vulnerabilities with few existing rules in place to address them. Fortunately, more and more regulations, standards and solutions are emerging to solve these vulnerability problems. One of the first standards for IT product security certification is Common Criteria certification; however, it is very important to note that CC is applied within specialized areas of IT security, e.g. health care, financial services, IC cards, networks, software etc. A CC certification guarantees that the TOE has been evaluated objectively by a competent and independent third party, i.e. a Testing Laboratory, and validates that the particular TOE satisfies the defined set of security requirements. We have seen a steady increase in the number of Common Criteria certifications in the past years. The certification opens the door to the government market, and we can see growing demand in the public safety sector. Also, because of the nature of the evaluation method, the evaluation process may uncover previously unknown vulnerabilities that can then be addressed.
Common Criteria evaluation is used to validate that the TOE functions as claimed by the vendor. During the evaluation a Protection Profile might be used. All evaluations are conducted against a chosen Evaluation Assurance Level (EAL). The numerical rating of the EAL describes the depth and rigour of an evaluation; Common Criteria lays out specific requirements for each EAL.
Evaluation Assurance Level (EAL) is a category ranking assigned to the TOE after the Common Criteria evaluation. The level represents the security requirements against which the TOE was evaluated. There are seven levels, from EAL1 to EAL7.
The general model defines four roles and their responsibilities in a Common Criteria evaluation process.
The Target of Evaluation (TOE) is the product, or the part of the product, to be evaluated. The TOE boundary shall be defined by the Developer. The depth of the TOE evaluation depends on the chosen EAL. The evaluation may include:
Your business can profit in many ways from having your system or product (TOE) achieve Common Criteria (ISO 15408) certification. The first is the ability to uncover security risks in a product before a company launches it, which avoids the need to release expensive patches at a later date. Being certified also increases your product's market competitiveness and allows you to do business in sectors that require certification. An example of an industry that requests certification is the government sector.
CCLab Ltd. was established in 2013 as a cybersecurity laboratory specialized mainly in Common Criteria evaluations and consultations. Our agile method and commitment to guiding our customers step by step through the evaluation process have helped us complete several successful evaluation and consulting projects in the field of Common Criteria, and the number of evaluation projects continues to grow in size and quality year after year. CCLab is committed to providing support to its existing and potential clients in the field of CC education, and therefore organizes professional workshops about Common Criteria.
If you're searching for a Common Criteria specialist to help you prepare for the evaluation or you require a CC Certificate, you are in the right place.
Don’t hesitate to contact us if you are unsure whether your product is eligible for (ISO 15408) Common Criteria Certification or not. We offer pre-assessment and consulting services to prepare you for an evaluation project and guide you through it to minimize the delays and unnecessary expenditures during the CC certification process. Using our industry-leading agile methodology, we provide assessments up to EAL 4+ or EAL 5 in the shortest period feasible.
For more information please watch CCLab’s Common Criteria on demand webinar or request a free consultation to learn about the services we can provide for your system or product.
Common Criteria laid down the standards for IT security and is the driving force in the field of recognition of secure IT products. The EUCC scheme is a certification scheme for ICT products based on Common Criteria. The aim of EUCC is to serve as a successor to the existing schemes operating under the SOG-IS MRA, using the existing practices of that MRA.
Having your product certified can provide multiple benefits to your business, including increased profitability and market competitiveness. CCLab is a trusted and experienced accredited lab that offers Common Criteria certification in as little as 4 months for an EAL4+ evaluation.
To learn more about how our services can help make your system or product become Common Criteria Certified, please visit our website or request a free consultation.
Our aim is to share practical information and recommendations not only with those who are still planning a Common Criteria evaluation, but also with those who have already been involved in such a process.