Common Criteria

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1 revision 5. [1]

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs respectively) through the use of Protection Profiles (PPs); vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that is commensurate with the target environment for use. [2]

Key concepts

Common Criteria evaluations are performed on computer security products and systems.

  • Target of Evaluation (TOE) – the product or system that is the subject of evaluation.

The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target’s security features. This is done through the following:

  • Protection Profile (PP) – a document, typically created by a user or user community, which identifies security requirements for a class of security devices (for example, smart cards used to provide digital signatures, or network firewalls) relevant to that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product’s ST (Security Target, as defined below), or the authors of the ST will at least ensure that all requirements in the relevant PPs also appear in the target’s ST document. Customers looking for particular types of products can focus on those certified against the PP that meets their requirements.
  • Security Target (ST) – the document that identifies the security properties of the target of evaluation. The ST may claim conformance with one or more PPs. The TOE is evaluated against the SFRs established in its ST, no more and no less. This allows vendors to tailor the evaluation to match the intended capabilities of their product. This means that a network firewall does not have to meet the same functional requirements as a database management system, and that different firewalls may in fact be evaluated against completely different lists of requirements. The ST is usually published so that potential customers may determine the specific security features that have been certified by the evaluation.
  • Security Functional Requirements (SFRs) – specify individual security functions which may be provided by a product. The Common Criteria presents a standard catalogue of such functions. For example, an SFR may state how a user acting in a particular role might be authenticated. The list of SFRs can vary from one evaluation to the next, even for the same type of product. Although Common Criteria does not prescribe any SFRs to be included in an ST, it identifies dependencies where the correct operation of one function depends on another.

The evaluation process also tries to establish the level of confidence that may be placed in the product’s security features through quality assurance processes:

  • Security Assurance Requirements (SARs) – descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the ST and PP, respectively.
  • Evaluation Assurance Level (EAL) – the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements (SARs, see above) which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, EAL 1 through EAL 7, with higher levels being more stringent (and more expensive) to evaluate. Normally, an ST or PP author will not select assurance requirements individually but will choose one of these packages, possibly augmenting it with requirements from a higher level in a few areas. Higher EALs do not necessarily imply better security; they only mean that the claimed security assurance of the TOE has been more extensively verified.
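As an added illustration (not part of the original article), the following Python sketch models the two checks described above: whether an ST claims every SFR a PP requires, and whether the SFR dependencies the CC catalogue identifies are satisfied within the ST. The dependency table is a small excerpt written from memory of ISO/IEC 15408 Part 2 and should be verified against the standard before any real use.

```python
"""Toy Security Target (ST) conformance check against a Protection Profile (PP)."""
from typing import Dict, Iterable, List, Set, Tuple

# Illustrative excerpt of SFR dependencies in the style of the CC Part 2 catalogue.
# Written from memory for this example; verify against ISO/IEC 15408-2 before relying on it.
SFR_DEPENDENCIES: Dict[str, Set[str]] = {
    "FAU_GEN.1": {"FPT_STM.1"},               # audit generation needs reliable time stamps
    "FAU_GEN.2": {"FAU_GEN.1", "FIA_UID.1"},  # user identity association needs both
    "FIA_UAU.1": {"FIA_UID.1"},               # authentication needs identification
    "FMT_MSA.1": {"FMT_SMR.1", "FMT_SMF.1"},  # attribute management needs roles and functions
    "FMT_MSA.3": {"FMT_MSA.1", "FMT_SMR.1"},
    "FDP_ACF.1": {"FDP_ACC.1", "FMT_MSA.3"},  # ACC/ACF depend on each other (a cycle)
    "FDP_ACC.1": {"FDP_ACF.1"},
    "FMT_SMR.1": {"FIA_UID.1"},
    "FPT_STM.1": set(), "FIA_UID.1": set(), "FMT_SMF.1": set(),
}


def required_closure(claimed: Iterable[str], deps=SFR_DEPENDENCIES) -> Set[str]:
    """All SFRs an ST must contain to satisfy every dependency of the claimed ones.
    Uses a visited set, so mutual dependencies (FDP_ACC.1 <-> FDP_ACF.1) terminate."""
    needed: Set[str] = set()
    stack: List[str] = list(claimed)
    while stack:
        sfr = stack.pop()
        if sfr in needed:
            continue
        needed.add(sfr)
        stack.extend(deps.get(sfr, set()))
    return needed


def check_conformance(st_sfrs: Iterable[str], pp_sfrs: Iterable[str],
                      deps=SFR_DEPENDENCIES) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (missing, unsatisfied).
    missing:     SFRs the PP requires that the ST does not claim (ST cannot claim PP conformance).
    unsatisfied: (sfr, dependency) pairs claimed without their dependency; each must either be
                 added to the ST or have its absence justified in the ST's dependency rationale."""
    st = set(st_sfrs)
    missing = sorted(set(pp_sfrs) - st)
    unsatisfied = sorted((s, d) for s in st for d in deps.get(s, set()) if d not in st)
    return missing, unsatisfied


if __name__ == "__main__":
    # Constructed sample: a PP-like requirement set and an ST that forgot time stamps.
    pp = {"FAU_GEN.1", "FIA_UAU.1", "FIA_UID.1", "FPT_STM.1"}
    st = {"FAU_GEN.1", "FIA_UAU.1", "FIA_UID.1"}
    missing, unsatisfied = check_conformance(st, pp)
    print("missing from ST:", missing)                  # ['FPT_STM.1']
    print("unsatisfied dependencies:", unsatisfied)    # [('FAU_GEN.1', 'FPT_STM.1')]
    print("ST would need:", sorted(required_closure(st)))
```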

So far, most PPs and most evaluated STs/certified products have been for IT components (e.g., firewalls, operating systems, smart cards). Common Criteria certification is sometimes specified for IT procurement. Other standards covering, e.g., interoperability, system management and user training supplement CC and other product standards. Examples include ISO/IEC 17799 (or more properly BS 7799-1, which is now ISO/IEC 27002) or the German IT-Grundschutzhandbuch.

Details of cryptographic implementation within the TOE are outside the scope of the CC. Instead, national standards, like FIPS 140-2, give the specifications for cryptographic modules, and various standards specify the cryptographic algorithms in use.

More recently, PP authors are including cryptographic requirements for CC evaluations that would typically be covered by FIPS 140-2 evaluations, broadening the bounds of the CC through scheme-specific interpretations.

Some national evaluation schemes are phasing out EAL-based evaluations and only accept products for evaluation that claim conformance with an approved PP. The United States currently only allows PP-based evaluations. Canada is in the process of phasing out EAL-based evaluations.


History

CC originated out of three standards:

  • ITSEC – The European standard, developed in the early 1990s by France, Germany, the Netherlands and the UK. It too was a unification of earlier work, such as the two UK approaches (the CESG UK Evaluation Scheme aimed at the defence/intelligence market and the DTI Green Book aimed at commercial use), and was adopted by some other countries, e.g. Australia.
  • CTCPEC – The Canadian standard followed from the US DoD standard, but avoided several problems and was used jointly by evaluators from both the US and Canada. The CTCPEC standard was first published in May 1993.
  • TCSEC – The United States Department of Defense DoD 5200.28 Std, called the Orange Book, and parts of the Rainbow Series. The Orange Book originated from work done by the National Security Agency and the National Bureau of Standards (the NBS eventually became NIST) in the late 1970s and early 1980s. The central thesis of the Orange Book follows from the work done by Dave Bell and Len LaPadula on a set of protection mechanisms.

CC was produced by unifying these pre-existing standards, primarily so that products sold into the government market (mainly for Defence or Intelligence use) would only need to be evaluated against one set of standards. The CC was developed by the governments of Canada, France, Germany, the Netherlands, the UK, and the US.

Testing organizations

All testing laboratories must comply with ISO/IEC 17025, and certification bodies will normally be approved against either ISO/IEC Guide 65 or BS EN 45011.

Compliance with ISO/IEC 17025 is typically demonstrated to a national approval authority:

  • In Canada, the Standards Council of Canada (SCC) under the Program for the Accreditation of Laboratories (PALCAN) accredits Common Criteria Evaluation Facilities (CCEF).
  • In France, the French Accreditation Committee (COFRAC) accredits Common Criteria evaluation facilities, commonly called Centres for the Evaluation of Information Technology Security (CESTI). Evaluations are done according to norms and standards specified by the National Agency for the Security of Information Systems (ANSSI).
  • In the UK, the United Kingdom Accreditation Service (UKAS) accredits Commercial Evaluation Facilities (CLEF).
  • In the US, the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) accredits Common Criteria Testing Laboratories (CCTL).
  • In Germany, the Bundesamt für Sicherheit in der Informationstechnik (BSI).
  • In Spain, the National Cryptologic Center (CCN) accredits Common Criteria Testing Laboratories operating in the Spanish scheme.
  • In the Netherlands, the Netherlands Scheme for Certification in the Area of IT Security (NSCIB) accredits IT Security Evaluation Facilities (ITSEF).

Characteristics of these organizations were examined and presented at ICCC 10. [3]

Mutual recognition arrangement

As well as the Common Criteria standard, there is also a Common Criteria MRA (Mutual Recognition Arrangement), whereby each party recognizes evaluations against the Common Criteria standard done by other parties. Originally signed in 1998 by Canada, France, Germany, the United Kingdom and the United States, Australia and New Zealand joined in 1999, followed by Finland, Greece, Israel, Italy, the Netherlands, Norway and Spain in 2000. The Arrangement has since been renamed the Common Criteria Recognition Arrangement (CCRA) and membership continues to expand. Within the CCRA only evaluations up to EAL 2 are mutually recognized (including augmentation with flaw remediation). The European countries within the former ITSEC agreement typically recognize higher EALs as well. Evaluations at EAL5 and above tend to involve the security requirements of the host nation’s government.

In September 2012, a majority of members of the CCRA produced a vision statement whereby mutual recognition of CC-evaluated products would be lowered to EAL 2 (including augmentation with flaw remediation). Further, this vision indicates a move away from assurance levels altogether. This is to be achieved through technical communities developing PPs for worldwide use.

On July 2, 2014, a new CCRA was ratified per the goals outlined in the vision statement. Major changes to the Arrangement include:

  • Recognition of evaluations against only a collaborative Protection Profile (cPP) or Evaluation Assurance Levels 1 through 2 and ALC_FLR.
  • The emergence of international Technical Communities (iTC), groups of technical experts charged with the creation of cPPs.
  • A transition plan from the previous CCRA, including recognition of certificates issued under the previous version of the Arrangement.



Issues

Requirements

Common Criteria is very generic: it does not itself prescribe a list of security requirements or features for specific classes of product. This follows the approach taken by ITSEC, in contrast to the more prescriptive approach of earlier standards such as TCSEC and FIPS 140-2.

Value of certification

Common Criteria certification cannot guarantee security, but it can ensure that claims about the security attributes of the evaluated product were independently verified. In other words, products evaluated against a Common Criteria standard exhibit a clear chain of evidence that the process of specification, implementation, and evaluation has been conducted in a rigorous and standard manner.

Various Microsoft Windows versions, including Windows Server 2003 and Windows XP, have been certified, but security patches to address security vulnerabilities are still being published by Microsoft for these Windows systems. This is possible because the process of obtaining a Common Criteria certification allows a vendor to restrict the analysis to certain security features and to make certain assumptions about the operating environment and the strength of threats faced by the product in that environment. In addition, the CC recognizes a need to limit the scope of evaluation in order to provide cost-effective and useful security certifications, such that evaluated products are examined to a level of detail specified by the assurance level or PP. Evaluation activities are therefore only performed to a certain depth, with bounded time and resources, and offer reasonable assurance for the intended environment.

In the Microsoft case, the assumptions include A.PEER:

“Any other systems with which the TOE communicates are assumed to be under the same management and operate under the same conditions. There are no security requirements in this area.”

This assumption is contained in the Controlled Access Protection Profile (CAPP) to which their products adhere. Based on this and other assumptions, which may not hold for the common use of general-purpose operating systems, the claimed security functions of the Windows products are evaluated. Thus they should only be considered secure in the assumed, specified circumstances, also known as the evaluated configuration.

Whether you run Microsoft Windows in the precise evaluated configuration or not, you should apply Microsoft’s security patches for the vulnerabilities in Windows as they continue to appear. If any of these security vulnerabilities are exploitable in the product’s evaluated configuration, the product’s Common Criteria certification should be voluntarily withdrawn by the vendor. Alternatively, the vendor should re-evaluate the product to include the application of patches that fix the security vulnerabilities within the evaluated configuration. Failure by the vendor to take either of these steps would result in involuntary withdrawal of the product’s certification by the certification body of the country in which the product was evaluated.

The certified Microsoft Windows versions remain at EAL4+ without including the application of any Microsoft security vulnerability patches in their evaluated configuration. This shows both the limitation and the strength of an evaluated configuration.


Criticisms

In August 2007, Government Computer News (GCN) columnist William Jackson critically reviewed Common Criteria methodology and its US implementation by the Common Criteria Evaluation and Validation Scheme (CCEVS). [4] In the column, executives from the security industry, researchers, and representatives from the National Information Assurance Partnership (NIAP) were interviewed. Objections outlined in the article include:

  • Evaluation is a costly process, and the vendor’s return on that investment is not necessarily a more secure product.
  • Evaluation focuses primarily on assessing the evaluation documentation, not on the actual security, technical correctness or merits of the product itself. For US evaluations, only at EAL5 and higher do experts from the National Security Agency participate in the analysis; and only at EAL7 is full source code analysis required.
  • The effort and time needed to prepare evaluation evidence and other evaluation-related documentation is so cumbersome that by the time the work is completed, the product in evaluation is generally obsolete.
  • Industry input, including that of organizations such as the Common Criteria Vendor’s Forum, generally has little impact on the process as a whole.

In a 2006 research paper, David A. Wheeler suggested that the Common Criteria process disadvantages free and open-source software (FOSS)-centric organizations and development models. [5] Common Criteria assurance requirements tend to be inspired by the traditional waterfall software development methodology. In contrast, much FOSS software is produced using modern agile paradigms. Although some have argued that the two paradigms do not align well, [6] others have attempted to reconcile them. [7] Political scientist Jan Kallberg raised concerns over what happens to products once they are certified, the absence of a permanent staff of the certifying body, and the idea that trust in Common Criteria IT-security certifications will be maintained across geopolitical boundaries. [8]

Alternative approaches

Throughout the lifetime of CC, it has not been universally adopted even by the creator nations, with, in particular, cryptographic approvals being handled separately, such as by the Canadian/US implementation of FIPS 140 and the CESG Assisted Products Scheme (CAPS) [9] in the UK.

The UK has also produced a number of alternative schemes when the timescales, costs and overheads of mutual recognition have been found to impede the operation of the market:

  • The CESG System Evaluation (SYSn) and Fast Track Approach (FTA) schemes for assurance of government systems rather than generic products and services, which have since become the CESG Tailored Assurance Service (CTAS). [10]
  • The CESG Claims Tested Mark (CCT Mark), which is designed to handle less comprehensive assurance requirements.

In early 2011, NSA/CSS published a paper by Chris Salter, which proposed a Protection Profile oriented approach towards evaluation. In this approach, communities of interest form around technology types and in turn develop Protection Profiles that define the evaluation methodology for that technology type. [11] The objective is a more robust evaluation. There is some concern that this may have a negative impact on mutual recognition. [12]

In September 2012, the Common Criteria published a Vision Statement implementing to a large extent Chris Salter’s thoughts from the previous year. Key elements of the Vision included:

  • Technical Communities will be focused on authoring Protection Profiles (PPs) that support their goal of reasonable, comparable, reproducible and cost-effective evaluation results.
  • Evaluations should be done against these PPs if possible; if not, mutual recognition of Security Target evaluations would be limited to EAL2.

List of acronyms

  • CC – Common Criteria
  • EAL – Evaluation Assurance Level
  • IT – Information Technology
  • PP – Protection Profile
  • SAR – Security Assurance Requirement
  • SF – Security Function
  • SFR – Security Functional Requirement
  • SFP – Security Function Policy
  • SOF – Strength of Function
  • ST – Security Target
  • TOE – Target of Evaluation
  • TSP – TOE Security Policy
  • TSF – TOE Security Functionality
  • TSC – TSF Scope of Control
  • TSFI – TSF Interface

See also

  • Bell-LaPadula model
  • Usability testing
  • ISO 9241
  • ISO/IEC 27001
  • Verification and Validation
  • Information Assurance
  • China Compulsory Certificate
  • FIPS 140-2
  • Evaluation Assurance Level


References

  1. “The Common Criteria”.
  2. “Common Criteria – Communications Security Establishment”.
  3. “Common Criteria Schemes Around the World” (PDF).
  4. “Under Attack: Common Criteria has a lot of critics, but is it getting a bum rap?”, Government Computer News, retrieved 2007-12-14.
  5. “Free-Libre/Open Source Software (FLOSS) and Software Assurance”.
  6. Wäyrynen, J., Bodén, M., and Boström, G., “Security Engineering and eXtreme Programming: An Impossible Marriage?”
  7. Beznosov, Konstantin and Kruchten, Philippe, “Towards Agile Security Assurance”, retrieved 2007-12-14.
  8. “Common Criteria meets Realpolitik – Trust, Alliances and Potential Betrayal”.
  9. “CAPS: CESG Assisted Products Scheme”. Archived from the original on August 1, 2008.
  10. “Infosec Assurance and Certification Services (IACS)”. Archived February 20, 2008, at the Wayback Machine.
  11. “Common Criteria Reforms: Better Security Products Through Increased Cooperation with Industry” (PDF). Archived from the original (PDF) on April 17, 2012.
  12. “Common Criteria ‘Reforms’ – Sink or Swim – How Should Industry Handle the Brewing Revolution with Common Criteria?”


Copyright 2019