What is Common Criteria Certification, and Why Is It Important?

Dec 08, 2017 Blog Article


Katie Jefcoat - Blancco Author

Katie Moss Jefcoat Katie has launched and supported marketing campaigns for B2B technology companies since 2011. From 2016 to 2021, Katie served Blancco in the roles of content manager and senior product marketing manager, communicating the features and benefits of Blancco products, evaluating market and competitive trends, supporting sales enablement, and representing the voice of the customer.

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard for computer security certification. It is presently in version 3.1 revision 5.

What is Common Criteria Certification?

Common Criteria is a framework in which computer system users can specify their security functional requirements (SFRs) and security assurance requirements (SARs) using Protection Profiles (PPs). Technology vendors can then implement and/or make claims about the security attributes of their products, and hire testing laboratories to evaluate those products and determine whether they meet these claims. In short, Common Criteria provides assurance that the specification, implementation and evaluation of a computer security product have been conducted in a rigorous, standard and repeatable manner, at a level that corresponds to its intended operating environment. Once this process is completed successfully, the vendor achieves Common Criteria certification.

Common Criteria is used as the basis for government-driven certification schemes. Evaluations are typically completed for products used by federal government agencies and critical infrastructure. Additionally, many enterprise organizations treat Common Criteria certification as a requirement when procuring new software solutions, because of the assurance these certified products deliver.

The Common Criteria for Information Technology Security Evaluation and its companion, the Common Methodology for Information Technology Security Evaluation (CEM), make up the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA). The CC is the driving force behind the widest available mutual recognition of secure IT products across the globe. Although each country has its own certification process, the CCRA recognizes evaluations performed against a collaborative Protection Profile (cPP), meaning all member countries acknowledge these certifications.

Purpose of the CC Certification

The Common Criteria certification exists for several purposes. Some of these include:

  1. to improve the availability of security-enhanced IT products and protection profiles that have been successfully evaluated by the panel
  2. to ensure that evaluations of IT products and protection profiles are performed to consistently high standards and contribute to confidence in those profiles and products
  3. to remove the burden of duplicate IT product evaluations and protection profiles
  4. to improve the cost-effectiveness and efficiency of the validation/certification process for protection profiles and IT products

Key CC Concepts & Definitions

Here are some key terms and concepts to know when trying to understand the Common Criteria certification.

The History of Common Criteria

The Common Criteria as we know it comes out of a wide range of existing standards and regulations. Here are a few that directly influenced the structure of the CC.

The Common Criteria was developed by unifying these existing standards so that businesses selling computer products to governments (predominantly for defense or intelligence use) would only need to evaluate them against one set of standards. The CC was created by the governments of France, Canada, the U.S., Germany, the United Kingdom and the Netherlands.

How Products Get CC Certified

There are several steps a company must take to become Common Criteria certified.

  1. First, the organization must complete a Security Target (ST) description and other supporting documents, including an overview of the product and its security features, an evaluation of potential security threats, and a self-assessment detailing how the product conforms to the relevant Protection Profile at the Evaluation Assurance Level it is being evaluated against.
  2. Second, the organization must engage an independent, licensed laboratory to evaluate the product and determine whether it meets the claimed security properties to a satisfactory level.
  3. If the product passes the evaluation, a certificate attesting to its security properties is issued by one of the Certificate Authorizing Schemes. These certificates are recognized by all signatories of the CCRA and by groups such as SOG-IS and the EA MLA.

Blancco & Common Criteria Certification

Blancco’s File Eraser solution (version 8.2) recently achieved Common Criteria certification, at the request of several customers from different regions around the world, both enterprise and government.

To achieve the Common Criteria certification, we submitted evaluation reports for our product, which were investigated and then accepted by CSEC (the certification body in Sweden that issues Common Criteria certificates in that country). The certificate is published online.

Visit our certifications page to learn how Blancco meets compliance with standards, regulations and certifications across the globe.