The Digitalist Team
May 30, 2022

Common Criteria: can this article give you an answer to all of your questions?

9 min reading time

You have probably heard about Common Criteria, but you might be unsure what it means and whether you should get your product or system certified. We will go into detail about this topic so that, in the end, the concept of Common Criteria will be perfectly clear.

This article will cover the following:

  • What are Common Criteria, and what came before them?
  • What is the EUCC Scheme?
  • What is Common Criteria Evaluation?
  • How can your business profit from Common Criteria Certification?

We will also introduce how we, at CCLab, one of the leading Common Criteria accredited laboratories, work and explain how we can help you with your Common Criteria certification projects. 

What Are Common Criteria?

Common Criteria for Information Technology Security Evaluation, or Common Criteria (CC) for short, are a framework, a set of guidelines and specifications used for independent, scalable and globally recognized security assessment of IT products. It is an international standard, also known as ISO/IEC 15408, that is used to validate that a particular IT system or product (the Target of Evaluation, TOE) satisfies a defined set of security requirements. CC specifies the structure of the evaluation, defines the terminology for describing security requirements, and provides a technique for assessing those requirements. Common Criteria certification ensures that the specification, implementation and cybersecurity evaluation of an IT security product (the TOE) have been carried out in a standard, rigorous, and repeatable way at a level that matches its target operational environment.

Common Criteria are used as the basis of government-driven certification schemes. Once completed, the certification provides assurance that the process of specification, implementation and evaluation was conducted in a thorough and standard manner. It is also frequently listed as a requirement for procurement. CC groups 60 security requirements into 11 different classes.

How did we get to the point where we know we should use Common Criteria?

The increase in cyber threats from individuals and foreign agents has required countries to work together to set standards and practices for systems and products that will mitigate vulnerabilities and protect IT product consumers across the globe. The need for standardized cybersecurity requirements has increased in the past few years, and it already affects many industries. Common Criteria is a global example of such a standard, but many others will follow, for instance to fulfil the legal requirements of the EU's Cybersecurity Act.

What was before Common Criteria?

Common Criteria was originally built in partnership with 6 countries: Canada, the United States, Germany, France, the United Kingdom, and the Netherlands. The foundation of Common Criteria used previous standards already in place in 3 of these countries: the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), the United States' Trusted Computer System Evaluation Criteria (TCSEC), and the European Information Technology Security Evaluation Criteria (ITSEC). The first version of CC was issued in 1994.

What is SOGIS?

The SOG-IS agreement was developed in response to the EU Council Decision of March 31, 1992 on information system security, and the following Council proposal of April 7th on uniform IT security evaluation standards. Government organizations and government agencies from 17 EU and EFTA member countries participated in this agreement, each representing its own country. The members' goal was to coordinate the standardization of Common Criteria protection profiles and certification measures across European Certification Bodies in order to maintain a common stance in the rapidly expanding global CCRA group. They also aim to create protection profiles whenever the European Commission issues a regulation concerning cybersecurity that must be applied in national legislation.

The original agreement was updated in 2010 in parallel with technological developments and changes in the regulatory environment.

What is the difference between national schemes?

Common Criteria Certificate Authorizing Schemes were established by 17 countries from all over the world. This means that these countries set their own national schemes, rules, legislation, and Certification Bodies (i.e. Evaluation Authorities). The Certification Body issues the CC Certificate based on the evaluation performed by the Testing Laboratory. A Testing Laboratory can be accredited by multiple Certification Bodies to carry out CC evaluations. CCLab, for instance, has been accredited by OCSI, the Certification Body of the Italian Scheme, since 2015 and by BSI, the German CB, since 2022.

What is the future of Common Criteria – upcoming EUCC scheme

The European Union Cybersecurity Certification (EUCC) will be a successor of the existing national CC schemes in Europe, replacing the former SOG-IS MRA.

The EUCC scheme is a Common Criteria-based certification system that combines the globally acknowledged methodologies of Common Criteria with new concepts. EUCC supplements current Common Criteria and Common Evaluation Methodology (CEM) practices with new standards. The goal of EUCC schemes is to ensure that ICT services, products and processes certified under such schemes meet specific requirements that aim to protect the authenticity, availability, confidentiality and integrity of stored, transmitted, or processed data, or related functions.

It will include improved compliance monitoring and management, more visible and publicly available vulnerability information, and improved customer assistance such as patch management for certified devices or systems.

What are the key elements of Common Criteria? 

Here is the list of the most essential elements of Common Criteria and their definition:

Target of Evaluation 

The Target of Evaluation (TOE) is a set of software, firmware and/or hardware possibly accompanied by guidance that is the subject of the evaluation. 

Protection Profile 

A Protection Profile (PP) is a document that might be used as part of the certification process. The PP is usually created by a user or user community (i.e. a technical community) and contains the threats, security objectives, assumptions, security functional requirements and security assurance requirements of a certain type of product (e.g. firewalls, smart cards, electronic signature devices etc.). A Security Target is not required to claim conformance to a Protection Profile, but there might be mandatory requirements that will only recognize products that claim conformance to approved Protection Profiles. A TOE may be compliant with more than one PP.

Security Target

A Security Target (ST) provides the basis for an evaluation of a specific Target of Evaluation (TOE), including the TOE configuration and version, as well as the breadth of security functionality that is being assessed. The ST can assert conformance with one or more PPs. 

Security Assurance Requirements 

Security Assurance Requirements (SARs) are descriptions of the measures taken during the product's (TOE’s) development and testing to assure compliance with the specified security functionality requirements.

Security Functional Requirements

Security Functional Requirements (SFRs) are used to specify a product's (TOE's) distinct (individual) security functionalities. The Common Criteria provides a catalog of these functions. Even if two TOEs are the same sort of product, the list of SFRs might vary.
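As an added illustration (not code from the original article or from CCLab), the following Python model shows how the elements above fit together: a PP prescribes a set of SFRs and an assurance package, and an ST that claims conformance to that PP must include at least those SFRs and meet that assurance level. The SFR identifier check uses the eleven SFR classes of CC Part 2; the PP, product and EAL values are constructed sample data, and the model simplifies a real PP (no threats, objectives or assumptions).

```python
from dataclasses import dataclass, field
import re

# The 11 SFR classes of CC Part 2 (ISO/IEC 15408-2); identifiers look like FAU_GEN.1.
SFR_CLASSES = {"FAU", "FCO", "FCS", "FDP", "FIA", "FMT", "FPR", "FPT", "FRU", "FTA", "FTP"}
SFR_ID = re.compile(r"^(F[A-Z]{2})_[A-Z]{3}\.\d+$")

@dataclass
class ProtectionProfile:
    name: str
    sfrs: frozenset      # SFRs every conformant ST must include (strict conformance)
    min_eal: int         # assurance package (EAL) the PP requires

@dataclass
class SecurityTarget:
    toe: str
    version: str
    eal: int
    sfrs: frozenset
    claimed_pps: list = field(default_factory=list)

def check_security_target(st, approved_pps):
    """Return a list of findings; an empty list means the ST's claims are consistent."""
    findings = []
    for sfr in sorted(st.sfrs):                      # every SFR must come from the catalog
        m = SFR_ID.match(sfr)
        if not m or m.group(1) not in SFR_CLASSES:
            findings.append(f"{sfr}: not a well-formed Part 2 SFR identifier")
    known = {pp.name: pp for pp in approved_pps}
    for name in st.claimed_pps:                      # each claimed PP must be approved and satisfied
        pp = known.get(name)
        if pp is None:
            findings.append(f"{name}: claimed PP is not an approved PP")
            continue
        missing = pp.sfrs - st.sfrs
        if missing:
            findings.append(f"{name}: ST lacks required SFRs {sorted(missing)}")
        if st.eal < pp.min_eal:
            findings.append(f"{name}: requires EAL{pp.min_eal}, ST claims EAL{st.eal}")
    return findings

# Constructed sample data, not a real PP or product.
FIREWALL_PP = ProtectionProfile("PP-Firewall-Example",
    frozenset({"FAU_GEN.1", "FDP_IFC.1", "FDP_IFF.1", "FIA_UAU.2", "FMT_MSA.1"}), 4)
GOOD_ST = SecurityTarget("ExampleFW", "2.1", 4,
    frozenset({"FAU_GEN.1", "FDP_IFC.1", "FDP_IFF.1", "FIA_UAU.2", "FMT_MSA.1", "FTP_ITC.1"}),
    ["PP-Firewall-Example"])
BAD_ST = SecurityTarget("ExampleFW", "2.0", 2,
    frozenset({"FAU_GEN.1", "FDP_IFC.1", "FXX_BAD.1"}), ["PP-Firewall-Example"])
```

Running `check_security_target(GOOD_ST, [FIREWALL_PP])` returns no findings, while `BAD_ST` is flagged for a malformed SFR identifier, three missing PP-mandated SFRs, and an assurance level below what the PP requires.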

Why is Common Criteria Certification important? 

In the past decades, technology was evolving faster than regulations could follow the changes, which caused security risks and vulnerabilities with few existing rules in place to fix these issues. Fortunately, more and more regulations, standards and solutions are coming to solve these vulnerability problems. One of the first standards for IT product security certification is Common Criteria certification; however, it is very important to note that CC applies within specialized areas of IT security, e.g. health care, financial services, IC cards, networks, software etc. A CC Certification guarantees that the TOE is evaluated objectively by a competent and independent third party, i.e. a Testing Laboratory, and validates that a particular TOE satisfies the defined set of security requirements. We have seen a stable increase in the number of Common Criteria certifications in the past years. The certification opens the door to the government market, and we can see increasing growth and demand in the public safety sector. Also, because of the nature of the evaluation method, the evaluation process may uncover previously unknown vulnerabilities that can then be addressed.

What is the purpose of CC Certification? 

  • To raise the efficiency and cost-effectiveness of the certification process for protection profiles and IT products
  • To guarantee that an IT product's specification, implementation and cybersecurity evaluation has been carried out in a standard, rigorous, and repeatable way
  • To help eliminate the burden of duplicate security profiles and IT product assessments, since the certificate is accepted by all CCRA countries

What Is Common Criteria Evaluation?

Common Criteria Evaluation is used to validate that the TOE functions as claimed by the vendor. During the evaluation a Protection Profile might be used. All evaluations are conducted against a chosen Evaluation Assurance Level (EAL). The numerical rating of the EAL describes the depth and rigour of an evaluation. The EALs have specific requirements laid out by Common Criteria, with each EAL level being particular in its specifications.

What Are the EAL Levels?

Evaluation Assurance Level (EAL) is a category ranking assigned to the TOE after the Common Criteria evaluation. The level represents the security requirements against which the TOE was evaluated. There are seven levels:

  • EAL1: Functionally Tested
  • EAL2: Structurally Tested
  • EAL3: Methodically Tested and Checked
  • EAL4: Methodically Designed, Tested and Reviewed
  • EAL5: Semi-Formally Designed and Tested
  • EAL6: Semi-Formally Verified Design and Tested
  • EAL7: Formally Verified Design and Tested

Who Are the Participants of a CC Evaluation Project?

The general model defines four roles and their responsibilities in a Common Criteria Evaluation process:

  1. The Sponsor is responsible for requesting and supporting an evaluation, i.e. hires an accredited laboratory and submits the application to the scheme accompanied by the Security Target.
  2. The Developer produces the TOE and prepares all the documentation needed for the evaluation (the evaluation deliverables). The Sponsor and Developer can be the same.
  3. The Evaluator of the accredited laboratory performs the evaluation tasks and activities and presents the results of the evaluation to the evaluation authority (or certification authority).
  4. The Evaluation Authority or Certification Authority (Certification Body) establishes and maintains the scheme, monitors the evaluations conducted by the Laboratory and issues the certification reports and certificates.

What gets evaluated?

The Target of Evaluation (TOE) is the product or part of the product to be evaluated. The TOE boundary shall be defined by the Developer. The depth of the TOE evaluation depends on the chosen EAL level. The evaluation may include:

  • Functional testing
  • Vulnerability analysis 
  • Guidance evaluation 
  • Design evaluation 
  • Life-cycle evaluation

How can your business profit from Common Criteria Certification?

Your business can profit in many ways by having your system or product (TOE) achieve Common Criteria ISO 15408 certification. The first is the ability to uncover security risks in a product before a company launches it, which will prevent the need for expensive patches from being released at a later date. Being certified also increases your products’ market competitiveness, which allows you to do business in sectors that require certification. An example of an industry that requests certification would be the government sector.

Who is CCLab and how can we help your business?

CCLab Ltd. was established in 2013 as a cybersecurity laboratory specialized mainly in Common Criteria evaluations and consultations. Our agile method and commitment to guiding our customers step-by-step through the evaluation process have helped us complete several successful evaluation and consulting projects in the field of Common Criteria, and the number of evaluation projects continues to grow in size and quality year after year. CCLab is committed to providing support to its existing and potential clients in the field of CC education and therefore organizes professional workshops about Common Criteria.

Why Should One Choose CCLab’s Services?

If you're searching for a Common Criteria specialist to help you prepare for the evaluation or you require a CC Certificate, you are in the right place. 

Don’t hesitate to contact us if you are unsure whether your product is eligible for (ISO 15408) Common Criteria Certification or not. We offer pre-assessment and consulting services to prepare you for an evaluation project and guide you through it to minimize the delays and unnecessary expenditures during the CC certification process. Using our industry-leading agile methodology, we provide assessments up to EAL 4+ or EAL 5 in the shortest period feasible.

For more information please watch CCLab’s Common Criteria on demand webinar or request a free consultation to learn about the services we can provide for your system or product.

Conclusion

Common Criteria laid down the standards for IT security and is the driving force in the field of recognition of secure IT products. The EUCC scheme is a scheme for ICT products based on Common Criteria. The aim of EUCC is to serve as a successor to the existing schemes operating under the SOG-IS MRA, using the existing practices of this MRA.

Having your product certified can provide multiple benefits to your business, including increased profitability and market competitiveness. CCLab is a trusted and experienced accredited lab that offers Common Criteria certification in as little as 4 months for an EAL4+ evaluation.

To learn more about how our services can help make your system or product become Common Criteria Certified, please visit our website or request a free consultation.