The Impact of Common Criteria on ICT Security Evaluation and Certification

Common Criteria (CC) is a globally recognized standard for evaluating and certifying the security features of eligible Information Technology (IT) products. Established through collaboration between multiple nations, CC provides a unified framework for assessing and comparing the security capabilities of IT solutions. This standardization ensures that products meet predefined security requirements, enhance consumer trust, and facilitate access to international markets.

‍

Impact on ICT Security Evaluation

Common Criteria significantly impact ICT security evaluation by providing a standardized framework for assessing and certifying the security features of IT products and systems. This framework enhances security evaluations' consistency, reliability, and objectivity, fostering trust and confidence in certified products. Common Criteria's structured approach ensures that security requirements are clearly defined and met, ultimately contributing to improved cybersecurity practices and the overall resilience of IT solutions in the digital landscape.

1. Standardization

Common Criteria's emphasis on standardization is essential for promoting consistent and reliable security evaluations across various IT products and systems. Standardization involves establishing uniform methodologies and criteria that guide the evaluation process.

The Cybersecurity Act (CSA) provides the legal foundation of EUCC – CSA defines the general framework requirement, while EUCC is a specific scheme within this broader framework. The EUCC leverages the Common Criteria framework. It incorporates evaluation assurance levels (EAL) and vulnerability assessment components (AVA_VAN) to determine the security robustness of ICT products.

It aims to ensure that all ICT products and services adhere to a unified security benchmark, enhancing trust and interoperability within the European cybersecurity landscape. The EUCC facilitates the adoption of secure technologies and promotes a harmonized approach to cybersecurity certification, benefiting businesses and consumers.

The CC framework provides structured approaches for assessing security features and capabilities, defining clear guidelines on documentation, testing methodologies, and evaluation criteria. Using predefined Protection Profiles (PPs), evaluators can apply consistent criteria to different products, ensuring fair and objective assessments.

CC's standardized Evaluation Assurance Levels (EALs) offer a common scale for measuring evaluation depth and rigor. Each EAL represents progressively higher assurance levels, indicating increased scrutiny and testing requirements.

2. Defining Security Requirements

Common Criteria's structured approach to defining security requirements is a vital advantage of the framework. The standard helps developers identify specific security objectives and functionalities for their products by providing detailed documentation and guidance.

This procedure ensures that security goals are clear and actionable, guiding the design and implementation of robust security measures within IT solutions. Integrating security considerations early in the development lifecycle promotes a security-first mindset and reduces risks and vulnerabilities.

Common Criteria's emphasis on structured security requirements aligns organizations with internationally recognized standards. This method contributes to a safer digital environment by improving the resilience and integrity of IT solutions.

3. Building Confidence

The Common Criteria Common Criteria Recognition Arrangement (CCRA) is an international agreement for the mutual recognition of security certificates. The updated CCRA-2014, ratified on September 8, 2014, covers certificates based on collaborative Protection Profiles (cPP), assurance components up to EAL 2, and the assurance family Flaw Remediation (ALC_FLR). It replaces the older CCRA-2000. Certificates issued under CCRA-2000 before September 8, 2014, remain recognized, with a transition period for ongoing certifications and Assurance Continuity until September 8, 2017.
The CCRA fosters trust in security-evaluated products by adhering to stringent international security standards. Organizations can more readily adopt these products, knowing they have undergone rigorous evaluations and meet recognized global security benchmarks.

CC contributes to harmonizing security practices across borders. By accepting evaluation results from other nations, countries can leverage shared expertise and resources, enhancing the effectiveness of security evaluations. This aspect of CC also promotes transparency and collaboration in the global cybersecurity landscape. It encourages information sharing and cooperation among evaluators and stakeholders, improving cybersecurity practices and outcomes worldwide.

Reach out to us and let our certified lab provide the assurance you need!

4. Enhanced Trust

The mutual recognition facilitated by the standard fosters trust among stakeholders. This trust is foundational for promoting the adoption of secure ICT solutions globally. By aligning with Common Criteria standards, organizations demonstrate their commitment to robust cybersecurity practices, enhancing their credibility in the marketplace and contributing to a more secure digital ecosystem.

Adherence to CC standards signifies a commitment to cybersecurity best practices for businesses. It instills confidence among business partners, customers, and stakeholders regarding the security and reliability of the products and services offered. By aligning with Common Criteria, businesses demonstrate that cybersecurity is important when developing a product. Unlike in the case of competitors without CC certification, businesses can be confident that the product has successfully met the cybersecurity requirements at the chosen EAL level.

From a consumer perspective, CC-certified products ensure their security capabilities. Consumers can make informed decisions when choosing ICT products and services, knowing they have undergone rigorous evaluations aligned with international standards. This transparency and trust-building contribute to consumer confidence in securely adopting and utilizing digital technologies.

5. Reducing Trade Barriers

Common Criteria significantly reduces trade barriers and promotes international commerce in ICT products by standardizing security evaluation practices and promoting mutual recognition of certifications.

The standard establishes a uniform framework for evaluating the security features of ICT products, ensuring consistent and transparent evaluations across different regions. This standardization simplifies compliance efforts for IT vendors seeking international market access.

Additionally, it supports mutual recognition of certification results among participating countries. Once a product is certified in one country, its certification is accepted by others – up to EAL2 augmented with ALC_FLR – in the Common Criteria Recognition Arrangement (CCRA). This eliminates redundant evaluations and facilitates market access across multiple countries.

By harmonizing evaluation practices, CC enables smoother market access for IT vendors. Certified products can efficiently navigate international trade barriers, benefiting businesses and consumers globally.

Reduced trade barriers encourage cross-border trade in secure ICT products. IT vendors can expand their market reach confidently with CC certifications, fostering a more interconnected global marketplace.

‍

Impact on ICT Security Certification

Common Criteria greatly influence ICT security certification through standardized Evaluation Assurance Levels (EALs), offering a precise scale for evaluating the security robustness of IT products. CC also maintains a comprehensive repository of certified products, aiding organizations in making informed decisions and enhancing confidence in secure ICT solutions.

1. Standardized Evaluation Levels

The CC standard’s introduction of Evaluation Assurance Levels (EALs) is a fundamental aspect of its certification framework. EALs provide a standardized scale for measuring the depth and rigor of security evaluations conducted on Information Technology (IT) products.

EALs range from EAL1 to EAL7, representing increasing assurance and security rigor. Each EAL corresponds to specific security activities performed by the Common Criteria Testing Laboratory (CCTL) and reflects the level of assurance that a Target of Evaluation (TOE) meets the functional requirements outlined in the Security Target (ST). These levels provide clear benchmarks that organizations use to assess the security robustness of potential solutions; therefore, knowing how to choose the right EAL level is essential.

‍

CC Part III (Security assurance components) outlines the detailed assurance activities corresponding to EAL levels 1-7, ensuring consistency and clarity in evaluation procedures. However, for Protection Profile (PP) evaluations, assurance activities are explicitly specified within the PP document.

The standardized approach of EALs empowers organizations to make informed decisions about product selection based on their specific security needs. By leveraging EALs, organizations can ensure that certified products meet defined levels of assurance, enhancing confidence in the security robustness of ICT solutions.

CC certification is essential for niche IT security needs, with 310 certifications issued in the first 9 months of 2023. Specific IT products or technologies (Target of Evaluation - TOE) are granted certifications, such as firewalls, encryption solutions, or network devices. During the main steps of  Common Criteria evaluations, the Sponsor and Developer may be different entities. The Sponsor who seeks the certification owns the TOE and aims to support sales through the certification. The Developer, who may be a different entity outsourced by the Sponsor, is responsible for the development of the TOE​.

Smooth communication and collaboration are critical for a successful CC evaluation. Hiring a Common Criteria expert and selecting a competent Test Laboratory are essential steps to streamline the evaluation process and ensure compliance with rigorous security standards.

‍

2. Certified Products Repository

The Common Criteria portal maintains a publicly accessible list of certified products across diverse categories, including operating systems, network devices, cryptographic modules, and more. 

This comprehensive repository is a valuable resource for organizations seeking secure ICT solutions.

The Common Criteria Recognition Arrangement encompasses certificates that claim compliance with CC assurance components under two scenarios:

• Certificates aligned with a collaborative Protection Profile (cPP), developed and maintained according to CCRA Annex K. These certificates include assurance activities selected from Evaluation Assurance Levels (EALs) up to and including level 4, along with ALC_FLR. The cPPs are established through an International Technical Community endorsed by the Management Committee.
• Certificates compliant with Evaluation Assurance Levels 1 through 2, along with ALC_FLR.

In cases where a CC certificate asserts compliance with Evaluation Assurance Level (EAL) 3 or higher but does not align with a collaborative Protection Profile, it should be considered equivalent to Evaluation Assurance Level 2 for the purposes of mutual recognition under the CCRA.

By providing visibility into certified products, the standard facilitates informed purchasing decisions and promotes the adoption of secure IT solutions. This repository ensures that organizations can quickly identify products that have undergone rigorous security evaluations, bolstering confidence in the security posture of adopted technologies.

3. Rigorous Evaluation Process

CC mandates that accredited and independent laboratories conduct thorough and objective evaluations of IT products to assess specific security properties. This rigorous evaluation process is essential for ensuring the integrity and credibility of Common Criteria certifications.

By entrusting evaluations to qualified and impartial entities, the standard maintains a high scrutiny standard, assuring stakeholders that certified products meet stringent security requirements. This commitment to objective evaluation contributes significantly to the overall trustworthiness of the certification process.

4. Tailored Security Targets

The concept of Security Targets (STs) within the Common Criteria framework allows vendors to tailor the evaluation process of their products to align closely with their intended security capabilities. Essentially, the ST document serves as a roadmap that outlines the specific security objectives, functionalities, and requirements the product aims to achieve and demonstrate during the evaluation.

Customizing the evaluation process through STs is compulsory. This ensures that assessments accurately reflect their products' real-world security attributes and functionalities. This customization is crucial because it allows vendors to showcase how their security measures effectively address specific threats and vulnerabilities relevant to their product's intended use.

By aligning the evaluation with tailored security targets, vendors can provide tangible evidence of their product's security effectiveness to certification bodies and end-users. This alignment enhances the relevance and applicability of certification outcomes, ensuring that certified products meet practical security needs and instill confidence in their security posture.

5. Alignment with Protection Profiles

Protection Profiles (PPs) in the context of CC define security requirements tailored for specific security devices or systems. PPs are developed collaboratively by experts within the international security community to address common security needs and scenarios.

Aligning product vendors' offerings with relevant PPs streamlines the certification process by providing a predefined set of security requirements that are recognized and accepted globally. 

This alignment ensures that evaluations effectively address the unique security needs and use cases of different product categories, leading to more efficient and targeted assessments.

By adhering to established PPs, vendors comply with industry-recognized security standards tailored to specific use cases. This alignment simplifies the certification process and enhances the clarity and relevance of certification efforts.

How can CClab help?

Independent and accredited cybersecurity testing laboratories, such as CClab, play an essential role in the Common Criteria Certification process by evaluating the security features and capabilities of IT devices and systems. We conduct rigorous testing and analysis to ensure compliance with the standard’s security standards (ISO 15408) and provide valuable feedback and recommendations to enhance product security. CC2022 testing procedures are already implemented at CCLab and we are also getting ready for EUCC evaluations. We can support our clients in the preparation for their upcoming EUCC certification projects.

Want to ensure your IT product meets security standards? Get in touch with us for a thorough evaluation in our accredited lab!

We offer pre-assessment and consulting services to prepare you for the evaluation project and guide you through the process, minimizing delays and unnecessary expenditures. Our industry-leading agile methodology allows us to provide assessments up to EAL 4+ efficiently.

Summary

By establishing standardized frameworks, structured evaluation levels, and alignment with protection profiles, Common Criteria enhance the reliability and interoperability of IT solutions, thereby promoting global trade through reduced barriers and mutual recognition of certifications. Independent cybersecurity laboratories play a crucial role in ensuring rigorous evaluations and bolstering the credibility of certifications, ultimately contributing to a more secure and trustworthy digital environment.