The Digitalist Team
August 26, 2025

From Standards to Trust: How Common Criteria Shapes Cybersecurity Assurance


Understanding Common Criteria Evaluation Process

The Common Criteria evaluation process involves three pivotal participants, each playing a distinctive role in the comprehensive security assessment. 

First, the Developer or Sponsor initiates the process by engaging an Accredited Laboratory and submitting their product and associated evidence for evaluation. 

The Laboratory performs the evaluation and reports evaluation results to the Certification Body. Evaluation is iterative in nature and the Developer is able to address findings during the evaluation.

Lastly, the scheme, also known as the Certification Body, acts as the authoritative oversight mechanism. These governmental or authorized entities issue Common Criteria certificates and validate the laboratory's evaluation process. Each scheme has its own policies on how a CC evaluation is performed under that scheme and on which products may be accepted into evaluation.

Diving Deep: What is Evaluated in Common Criteria?

Common Criteria evaluation encompasses multiple critical documentation and technical domains. The Security Target (ST) defines the Target of Evaluation (TOE), meaning the product configuration and version, and the scope of security functionality being evaluated. The ST is prepared using CC constructs and includes the definition of the threats to the TOE, the assumptions about the TOE’s operational environment, security objectives, security functional requirements, and security assurance requirements. An ST may claim conformance to a Protection Profile (PP); such conformance is always optional.

Protection Profile evaluation is a separate process that offers an implementation-independent statement of security needs for a specific technology type. This approach allows for standardized security expectations across different technological implementations.

The product, technically called the Target of Evaluation (TOE), can be evaluated through the following activities:

  • Development evaluation involves a thorough review of design, architecture, functional specification and similar documents, which can range from a simple interface specification to comprehensive layers of detailed design documentation and even source code examination, depending on the level of assurance required.

  • Guidance evaluation scrutinizes the product’s accompanying documentation, including any Common Criteria-specific addenda or ‘Secure Installation Guides’ that ensure the system is configured as intended.

  • Life-cycle evaluation assesses not only configuration management and delivery procedures but also security bug tracking (flaw remediation), and can also include development practices and site security audits.

  • Functional testing involves evaluators repeating a sample of the developer’s functional tests and creating independent tests to verify that the specified security functions operate correctly.

  • Finally, evaluators carry out vulnerability analysis and penetration testing to identify and attempt to exploit potential weaknesses, ensuring the robustness of the product’s security posture.

Decoding Assurance Levels: From Basic to Advanced Security

Within the realm of information technology security, Common Criteria (CC) stands as a robust framework for the meticulous evaluation and certification of IT product security features, with the Common Criteria Evaluation Assurance Level (EAL) as a central metric that gauges the depth and rigor of security assessments. An Evaluation Assurance Level (EAL) is a predefined set of assurance requirements ranging from EAL1 (Functionally Tested) to EAL7 (Formally Verified Design and Tested), which may be referenced by a Protection Profile or Security Target, or alternatively, a custom set of assurance requirements may be specified.

To earn a specific Evaluation Assurance Level (EAL), a product must meet specific assurance requirements, including comprehensive design documentation, structured design analysis, functional testing, and independent penetration testing. Higher EALs demand greater depth and breadth across these activities, which increases cost and extends timelines. The EAL shown on a certificate confirms the product has successfully completed every requirement mandated for that level.

Common Criteria builds a bridge between technical standards and real-world security. Source: Freepik

How CC Translates Standards Into Trust

Understanding the structure of EALs is only part of the story. The real strength of the Common Criteria framework lies in its ability to transform technical evaluation into tangible trust for organizations and customers alike.

The EAL system does not rate a product’s inherent security but rather the depth and rigor of its evaluation. This distinction is critical. A product with EAL4 certification, for instance, has been tested to a widely accepted commercial assurance level, whereas an EAL7 certification indicates a far more exhaustive process involving formal mathematical verification. In both cases, the certification communicates how much trust can be placed in the evaluation process itself.

For organizations seeking certification, climbing to higher EALs involves:

  • Stricter evidence requirements, demanding in-depth documentation and proofs.

  • Enhanced development environment controls, ensuring secure practices throughout the lifecycle.

  • Greater investment of resources, including time, expertise, and cost.

  • Independent, third-party reviews conducted by accredited evaluation facilities.

From the customer’s perspective, this translates into greater confidence in certified products. Buyers can rely on the fact that an EAL-certified solution has undergone systematic scrutiny, ranging from design analysis to independent testing, before reaching the market.

By establishing a structured and standardized process, Common Criteria bridges the gap between abstract security standards and practical assurance. The result is a global language of trust, enabling organizations and governments to adopt certified solutions with confidence, knowing they have met recognized benchmarks for security robustness.

While assurance levels define the depth of evaluation, building trust also requires addressing potential vulnerabilities that could undermine security in practice. This is where vulnerability analysis comes into play.

How AVA_VAN Vulnerability Analysis Supports Assurance

At the heart of Common Criteria’s trust-building mechanism lies the systematic evaluation of vulnerabilities, captured through the AVA_VAN family of requirements. This component directly addresses whether a product contains exploitable weaknesses that could be targeted during development, deployment, or operation.

The AVA_VAN evaluations scale in intensity across the EAL spectrum:

  • Lower levels (EAL1–EAL3) rely on basic vulnerability analysis (e.g., AVA_VAN.1 or AVA_VAN.2), where evaluators review known weaknesses and test for straightforward exploits.

  • Higher levels (EAL4–EAL7) demand comprehensive vulnerability assessments (AVA_VAN.3 through AVA_VAN.5), requiring evaluators to apply advanced analysis, sophisticated penetration testing, and even modeling of potential attack vectors.

Through independent vulnerability analysis and penetration testing, evaluators assess whether products can resist adversaries with realistic capabilities appropriate to the claimed security level. This ensures that certified products provide meaningful protection against credible threats rather than theoretical assurances. In practice, this process verifies that IT systems can withstand both casual and highly skilled attackers, depending on the assurance level sought.

How Common Criteria Ensures Repeatable, Transparent Testing

While vulnerability analysis strengthens the technical side of assurance, transparency and repeatability form the backbone of Common Criteria’s credibility. Trust in the framework comes not only from the depth of testing but also from the consistency of evaluation results across different environments.

At the center of this effort lies clear and standardized reporting. It is important to distinguish between the Evaluation Technical Report (ETR) and the Certification Report (CR):

  • The ETR is a confidential document prepared for the Certification Body, containing highly detailed technical findings, analyses, and potential vulnerabilities discovered during evaluation. Because of its sensitive content, it is never made public.

  • The CR, in contrast, is a non-confidential summary of the evaluation results. It outlines the assurance level achieved and provides a high-level account of the product’s assessment outcome. Most Certification Reports are published on the Common Criteria Portal, giving governments, enterprises, and users a reliable point of reference when assessing a product’s security assurance.

This consistency is further reinforced through:

  • Common Evaluation Methodology (CEM): A globally recognized standard that defines the minimum evaluation actions an evaluator must perform, ensuring uniform practices across accredited labs.
  • Accredited Evaluation Laboratories: Independent facilities tasked with executing evaluations, maintaining impartiality, and applying CEM guidance rigorously.
  • Certification Bodies (CBs): Independent authorities that review all submitted evidence, validate the evaluation’s impartiality, and formally issue the certification if the product meets the established requirements.

This multi-layered oversight guarantees that certifications are not simply rubber stamps but genuine attestations of trustworthiness.

Trust in security is born not from promises, but from standards and evidence. Source: Freepik

Achievements and Strengths of Common Criteria

The Common Criteria Recognition Arrangement (CCRA) stands as one of the most important achievements of the Common Criteria framework, ensuring international recognition of cybersecurity certifications and eliminating the need for duplicate evaluations across countries. Since its introduction, the agreement has matured into a cornerstone of global cybersecurity assurance.

How CC Supports International Recognition Through CCRA

The updated CCRA, ratified in September 2014, replaced the earlier 2000 arrangement and established formal mutual recognition of certificates among its member nations. Today, the agreement includes over 30 participating countries, such as the United States, Germany, the United Kingdom, Japan, Canada, Singapore, France, and Australia.

This international cooperation provides clear, tangible benefits:

  • Products certified in one country receive automatic acceptance in all other member nations.
  • Vendors benefit from “certify once, sell globally,” reducing both costs and certification timelines.
  • Governments and enterprises can buy with confidence, knowing that certified products meet shared international security benchmarks.

Under the current rules, certificates based on collaborative Protection Profiles (cPPs), as well as those claiming assurance components up to EAL2, qualify for mutual recognition.

How CC Aligns with EUCC and the EU Cybersecurity Act

Within Europe, the EU Common Criteria-based Cybersecurity Certification Scheme (EUCC) extends and adapts Common Criteria principles to EU-specific needs while remaining globally compatible. Directly tied to the EU Cybersecurity Act, the EUCC ensures consistency with international standards while integrating European priorities for digital sovereignty and resilience.

Key aspects of the EUCC include:

  • Leveraging Common Criteria’s Evaluation Assurance Levels (EALs) and vulnerability analysis methods.

  • Providing a voluntary certification scheme as of February 2025, simplifying cross-border trade across EU Member States.

  • Continuing recognition of non-EU CCRA certificates by EU countries that are also CCRA signatories, ensuring smooth global interoperability.

This alignment ensures that European cybersecurity certification remains harmonized with global standards, strengthening both market access and security assurance.

How CC Has Influenced Secure Product Development Globally

Beyond international recognition, one of the greatest strengths of Common Criteria lies in its ability to shape secure development practices worldwide. By requiring detailed documentation, structured evaluation levels, and alignment with Protection Profiles, CC encourages developers to:

  • Identify and articulate clear security objectives early in the design phase.

  • Adopt a security-first mindset, embedding protection measures throughout the development lifecycle.

  • Deliver products with enhanced reliability and interoperability, reducing long-term risks and vulnerabilities.

This structured approach helps organizations worldwide not only achieve certification but also raise their baseline security posture, ultimately fostering trust, global trade, and stronger cyber resilience.

Partnering with CCLab means navigating CC certification with clarity, speed, and confidence. Source: Freepik

How Can CCLab Help?

Navigating the Common Criteria (CC) certification process can be daunting for developers and organizations seeking to validate their IT products' security. Achieving compliance requires extensive documentation, adherence to strict evaluation methodologies, and a deep understanding of Evaluation Assurance Levels (EALs). As a trusted partner in this process, CCLab plays a crucial role in simplifying the certification process and equipping development teams with the necessary knowledge, tools, and expert guidance to meet Common Criteria standards efficiently.

CCLab is accredited by the Italian Scheme OCSI (Organismo di Certificazione della Sicurezza Informatica) and also by the Dutch Scheme Trust CB.

CCLab offers comprehensive services beyond just Common Criteria EAL 4+ evaluation projects completed within 4 months. Our professional consultancy supports organizations in preparing thoroughly for successful Common Criteria evaluations. Additionally, we provide innovative solutions such as CC for the World.

On our website, visitors can access the CCGUIDE and CC Training programs, designed to reveal the secrets of seamless certification through insights from industry experts. We also offer free downloadable resources, and regularly publish detailed blog posts to support ongoing learning and awareness in the field.

Summary

Common Criteria demonstrates how cybersecurity standards evolve into trust. Starting with a structured evaluation process, it brings together developers, accredited laboratories, and certification bodies to ensure products undergo rigorous and transparent testing.

Through Evaluation Assurance Levels (EALs), CC provides a clear benchmark for the depth of assessment, while vulnerability analysis (AVA_VAN) and transparent reporting guarantee that certifications reflect real-world resilience rather than theory.

Its strength lies not only in technical rigor but also in global recognition. The CCRA agreement ensures mutual acceptance across more than 30 countries, and the EUCC scheme aligns CC with the EU’s cybersecurity priorities. Together, these frameworks reduce barriers, streamline certification, and create a common language of security assurance.

Beyond certification, CC has shaped a security-first approach to product development, encouraging organizations to embed protection into every stage of the lifecycle. The result is greater confidence, interoperability, and resilience across industries and borders.

In essence, Common Criteria shows how structured standards, when combined with international cooperation and consistent evaluation, can transform into what organizations and users need most: trust in the technologies that safeguard our digital world.
