The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard for computer security certification. It is presently in version 3.1 revision 5.
What is Common Criteria Certification?
Common Criteria is a framework in which computer system users can specify their security functional requirements (SFRs) and security assurance requirements (SARs) using Protection Profiles (PPs). Technology vendors can then implement and/or make claims about the security attributes of their products, and hire testing laboratories to evaluate their products to determine if they meet these claims. In short, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that corresponds with its target use environment. Once this process is completed successfully, a vendor achieves Common Criteria certification.
Common Criteria is used as the basis for a government-driven certification scheme. Evaluations are typically completed for the use of Federal Government agencies and critical infrastructure. Additionally, many enterprise organizations use Common Criteria as a requisite for procuring new software solutions based on the quality guarantee these certified products deliver.
The Common Criteria for Information Technology Security Evaluation and its companion, the Common Methodology for Information Technology Security Evaluation (CEM), make up the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA). The CC is the driving force for the widest available mutual recognition of secure IT products across the globe. Although each country has its own certification process, the CCRA recognizes evaluations against a collaborative Protection Profile (cPP), meaning all member countries will acknowledge these certifications.
Purpose of the CC Certification
The Common Criteria certification exists for several purposes. Some of these include:
- to improve the availability of security-enhanced IT products and protection profiles that have been successfully evaluated by the panel
- to ensure that evaluations of IT products and protection profiles are performed to consistently high standards and contribute to confidence in those profiles and products
- to remove the burden of duplicate evaluations of IT products and protection profiles
- to improve the cost-effectiveness and efficiency of the validation/certification process for protection profiles and IT products
Key CC Concepts & Definitions
Here are some key terms and concepts to know when trying to understand the Common Criteria certification.
- Target of Evaluation (TOE) – the product or system that is the subject of the evaluation.
- Protection Profile (PP) – a document created by a user or user community that identifies security requirements for a class of security devices (examples include firewalls and digital signatures) relevant to that user for a specific purpose. Product vendors can choose to implement products that comply with one or several PPs and have their products evaluated against them. In this situation, a PP may serve as a template for the product’s Security Target (ST), or the authors of the ST will ensure that all requirements in relevant Protection Profiles also appear in the target’s ST document. Customers looking for certain types of products can focus on those certified against these PPs. The United States currently only allows PP-based evaluations.
- Security Target (ST) – a document that identifies the security properties of the target of evaluation. The ST may claim compliance with one or more PPs. The Target of Evaluation is assessed against the SFRs (Security Functional Requirements) established in its Security Target. This allows vendors to accurately tailor the evaluation to match the intended capabilities of their product. The ST is typically published so that potential customers may determine the specific security features that have been certified by the evaluation.
- Security Functional Requirements (SFRs) – requirements that lay out the individual security functions provided by a product. The Common Criteria presents a standard catalogue of such functions. The list of SFRs can vary across evaluations, even if two targets are the same type of product. Although CC does not propose any SFRs to be included in a Security Target, it recognizes dependencies where the correct operation of one function is dependent on another.
- Security Assurance Requirements (SARs) – a quality assurance process that describes the steps taken during the development and evaluation process to ensure compliance with the claimed security functionality.
- Evaluation Assurance Level (EAL) – the numerical rating that describes the rigor and depth of an evaluation. Each EAL corresponds with a package of SARs, which covers the full development of a product at a certain level of strictness. Common Criteria lists seven levels of EAL, with EAL 1 being the most basic and EAL 7 being the most stringent; however, a higher level only means that more testing was done, not that the product itself is more secure. The United States currently only allows PP-based evaluations, not EAL-based ones. Other national evaluation schemes, such as those in Canada, are phasing out EAL-based evaluations and only accept products for evaluation that claim strict conformance with an approved PP.
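The relationships described above (an ST claiming strict conformance to a PP, and SFRs whose correct operation depends on other SFRs) lend themselves to a mechanical consistency check of the kind an ST author runs before submitting to a lab. The following is an added example written for this article; it is not Blancco's tooling or any official CC tool. The dependency table is a small constructed subset of the component dependencies from CC Part 2 (for instance, FAU_GEN.1 audit data generation depends on FPT_STM.1 reliable time stamps, and FIA_UAU.1 depends on FIA_UID.1), and the PP and ST SFR lists are hypothetical.

```python
"""Consistency check of a hypothetical Security Target (ST) against a
Protection Profile (PP) and against SFR dependencies.

Added example for illustration; not an official Common Criteria tool.
"""
from collections import deque

# Constructed subset of CC Part 2 dependency relations. Each component maps
# to a list of dependency groups; each group is a tuple of alternatives of
# which at least one must be claimed in the ST (a one-element tuple is a
# plain dependency).
SFR_DEPENDENCIES = {
    "FAU_GEN.1": [("FPT_STM.1",)],
    "FAU_SAR.1": [("FAU_GEN.1",)],
    "FIA_UAU.1": [("FIA_UID.1",)],
    "FIA_UID.1": [],
    "FPT_STM.1": [],
    "FDP_ACC.1": [("FDP_ACF.1",)],
    "FDP_ACF.1": [("FDP_ACC.1",), ("FMT_MSA.3",)],
    "FMT_MSA.3": [("FMT_MSA.1",), ("FMT_SMR.1",)],
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), ("FMT_SMR.1",), ("FMT_SMF.1",)],
    "FMT_SMR.1": [("FIA_UID.1",)],
    "FMT_SMF.1": [],
    "FCS_COP.1": [("FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"), ("FCS_CKM.4",)],
    "FCS_CKM.1": [("FCS_CKM.2", "FCS_COP.1"), ("FCS_CKM.4",)],
    "FCS_CKM.4": [("FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1")],
}

# Hypothetical PP: the SFRs a (fictional) protection profile requires.
HYPOTHETICAL_PP_SFRS = ["FAU_GEN.1", "FIA_UAU.1", "FIA_UID.1", "FCS_COP.1", "FMT_SMR.1"]

# Hypothetical ST: the SFRs a (fictional) product's Security Target claims.
# It omits FMT_SMR.1 (required by the PP) and FPT_STM.1 (needed by FAU_GEN.1).
HYPOTHETICAL_ST_SFRS = [
    "FAU_GEN.1", "FAU_SAR.1", "FIA_UAU.1", "FIA_UID.1",
    "FCS_COP.1", "FCS_CKM.1", "FCS_CKM.4",
]


def missing_pp_requirements(pp_sfrs, st_sfrs):
    """Strict conformance: every SFR the PP requires must appear in the ST."""
    return sorted(set(pp_sfrs) - set(st_sfrs))


def unsatisfied_dependencies(st_sfrs):
    """Return (component, alternatives) pairs for which no alternative is claimed.

    Each such pair needs either an added SFR or an explicit rationale in the
    ST explaining why the dependency is not applicable.
    """
    claimed = set(st_sfrs)
    problems = []
    for sfr in sorted(claimed):
        for alternatives in SFR_DEPENDENCIES.get(sfr, []):
            if not claimed.intersection(alternatives):
                problems.append((sfr, alternatives))
    return problems


def dependency_closure(st_sfrs):
    """Add SFRs until all dependencies are satisfied (worklist algorithm).

    When a dependency group offers alternatives and none is claimed, the first
    alternative is chosen; an ST author would make this choice deliberately.
    Returns (sorted closure, list of components added in order).
    """
    claimed = set(st_sfrs)
    added = []
    queue = deque(sorted(claimed))
    while queue:
        sfr = queue.popleft()
        for alternatives in SFR_DEPENDENCIES.get(sfr, []):
            if not claimed.intersection(alternatives):
                pick = alternatives[0]
                claimed.add(pick)
                added.append(pick)
                queue.append(pick)  # the new component may have dependencies too
    return sorted(claimed), added


def check_security_target(pp_sfrs, st_sfrs):
    """Combine the PP conformance check and the dependency check into one report."""
    return {
        "missing_from_pp": missing_pp_requirements(pp_sfrs, st_sfrs),
        "unsatisfied_dependencies": unsatisfied_dependencies(st_sfrs),
    }


if __name__ == "__main__":
    report = check_security_target(HYPOTHETICAL_PP_SFRS, HYPOTHETICAL_ST_SFRS)
    print("PP requirements missing from ST:", report["missing_from_pp"])
    print("Unsatisfied SFR dependencies:", report["unsatisfied_dependencies"])
    closure, added = dependency_closure(HYPOTHETICAL_ST_SFRS)
    print("SFRs to add for a dependency-complete ST:", added)
```

Run against the constructed inputs, the report flags FMT_SMR.1 as required by the PP but absent from the ST, and FAU_GEN.1's dependency on FPT_STM.1 as unsatisfied; the closure adds FPT_STM.1. Note that the real check is iterative: adding FMT_SMR.1 to satisfy the PP would in turn pull in FIA_UID.1, which the ST already claims.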
The History of Common Criteria
The Common Criteria as we know it comes out of a wide range of existing standards and regulations. Here are a few that directly influenced the structure of the CC.
- CTCPEC – The Canadian standard was born from the US DoD standard, but it avoided several existing issues and was used jointly by evaluators from both Canada and the United States. The CTCPEC standard was first published in May 1993.
- TCSEC – The U.S. Department of Defense (DoD) 5200.28 Standard, called the Orange Book, and parts of the Rainbow Series. The Orange Book came out of computer security research, including the Anderson Report, completed by the National Security Agency and the National Bureau of Standards (now known as NIST) in the late 1970s and early 1980s.
- ITSEC – This European standard was created in the early 1990s by Germany, France, the Netherlands and the United Kingdom. This standard (like the CC) was a unification of earlier work, such as the CESG UK Evaluation Scheme targeted at the defense/intelligence market and the DTI Green Book for commercial use.
The Common Criteria was developed by unifying these existing standards so that businesses selling computer products to governments (predominantly for defense or intelligence use) would only need to evaluate them against one set of standards. The CC was created by the governments of France, Canada, the U.S., Germany, the United Kingdom and the Netherlands.
How Products Get CC Certified
There are several steps a company must take to become Common Criteria certified.
- First, organizations must complete a Security Target (ST) description and other supporting documents, including an overview of the product and its security features, an evaluation of potential security threats and a self-assessment detailing how the product conforms to the relevant Protection Profile at the Evaluation Assurance Level tested against.
- Second, organizations must find an independent, licensed laboratory to evaluate their product and determine if it meets the claimed security properties to a satisfactory level.
- If the product passes the evaluation, certificates for its security properties are issued by the various Certificate Authorizing Schemes. These certificates are recognized by all the signatories of the CCRA and by groups such as SOG-IS and the EA MLA.
Blancco & Common Criteria Certification
Blancco’s File Eraser solution (version 8.2) recently achieved Common Criteria certification, at the request of several customers from different regions around the world, both enterprise and government.
To achieve the Common Criteria certification, we submitted evaluation reports of our products, which were investigated and then accepted by the CSEC (the certification body in Sweden that issues the Common Criteria certificate in that country). You can find the certificate online, here.
Visit our certifications page to learn how Blancco meets compliance with standards, regulations and certifications across the globe.