What is Common Criteria Certification, and Why Is It Important?

Common Criteria is a way to hold a lot of different computer security products up to the same standards. It’s especially important for industries with strict regulations. Essentially, it sets out rules for how companies can claim their products are secure. Testing labs then check if these claims are true. This ensures that computer systems and software meet reliable standards for security. The latest edition, adopted in 2017, is version 3.1, revision 5. 

Stephanie Larochelle Stephanie Larochelle, a tech enthusiast and writer based in Florida, is dedicated to simplifying the intricacies of the digital world. As Blancco's senior content writer, her goal is to make data erasure easily understandable and approachable so everyone can navigate this crucial aspect of data security.

What is Common Criteria Certification?

The Common Criteria for IT Security (Common Criteria, or “CC”) ensures computer security products meet specific standards. Users define their security needs with Protection Profiles, and companies claim their products meet these specifications. Testing labs verify whether software fulfills the claims, and when successful, a vendor gets Common Criteria certification. 

Common Criteria serves as the foundation for numerous government-led certification programs. Its meaning is evident in its name: it’s a shared set of rules or standards agreed upon by all involved parties. These standards define what makes a product secure. They serve as benchmarks during testing, conducted by approved laboratories at the request of product creators. Evaluations are usually done for federal government agencies and critical infrastructure. Businesses in the private sector may also seek out Common Criteria certification when acquiring new software.. 

Common Criteria works together with its partner, the Common Methodology for IT Security Evaluation (CEM). They create the technical foundation for the international Common Criteria Recognition Arrangement (CCRA). CCRA encourages global recognition of secure IT products among many countries. Even though each country has its own certification process, CCRA acknowledges evaluations based on a shared Protection Profile (cPP). This means that all member countries agree to recognize and accept these certifications. 

Common Criteria Recognition Arrangement Members

Some members are authorizing countries. These members maintain their own Common Criteria scheme that products can be certified under. Others are consuming countries. These countries will accept Common Criteria but do not run their own scheme.

Purpose of the CC Certification

There are several reasons the Common Criteria certification exists. Some of these include:

1. to improve the availability of security-enhanced IT products and protection profiles that have been successfully evaluated by the panel
2. to ensure that evaluations of IT products and protection profiles are performed to consistently high standards and contribute to confidence in those profiles and products
3. to remove the burden of duplicate IT product evaluations and protection profiles
4. to improve the cost-effectiveness and efficiency of the validation/certification process for protection profiles and IT products

Key CC Concepts & Definitions

Here are some key terms and concepts to know when trying to understand the Common Criteria certification.

• Target of Evaluation (TOE) – the product or system that is the subject of the evaluation.
• Protection Profile (PP) – a document created by a user or user community that identifies security requirements for a class of security devices (examples include firewalls and digital signatures) relevant to that user for a specific purpose. Product vendors can choose to implement products that comply with one or several PPs and have their products evaluated against them. In this situation, a PP may serve as a template for the product’s Security Target (ST), or the authors of the ST will ensure that all requirements in relevant Protection Profiles also appear in the target’s ST document. Customers looking for certain types of products can focus on those certified against these PPs. The United States currently only allows PP-based evaluations.
• Security Target (ST) – A document that identifies the security properties of the target of evaluation. The ST may claim compliance with one or more PPs. The Target of Evaluation is assessed against the SFRs (Security Functional Requirements) established in its Security Target. This allows vendors to accurately tailor the evaluation to match the intended capabilities of their product. The ST is typically published so that potential customers may determine the specific security features that have been certified by the evaluation.
• Security Functional Requirements (SFRs) – requirements that lay out the individual security functions provided by a product. The Common Criteria presents a standard catalogue of such functions. The list of SFRs can vary across evaluations, even if two targets are the same type of product. Although CC does not propose any SFRs to be included in a Security Target, it recognizes dependencies where the correct operation of one function is dependent on another.
• Security Assurance Requirements (SARs) – a quality assurance process that describes the steps taken during the development and evaluation process to ensure compliance with the claimed security functionality.
• Evaluation Assurance Level (EAL) –the numerical rating that describes the rigor and depth of an evaluation. Each EAL corresponds with a package of SARs, which covers the full development of a product across a certain level of strictness. Common Criteria lists seven levels of EAL, with EAL 1 being the most basic and EAL 7 being the most stringent. However, the levels only mean more testing was done—not that the product itself is more secure. The United States currently only allows PP-based evaluations—not EALs. Other national evaluation schemes, such as those in Canada, are phasing out EAL-based evaluations and only accept products for evaluation that claim strict conformance with an approved PP.

The History of Common Criteria

The Common Criteria as we know it comes out of a wide range of existing standards and regulations. Here are a few that directly influenced the structure of the CC.

• CTCPEC – The Canadian standard was born from The U.S. Department of Defense (DoD) 5200.28 Standard, called the Orange Book, but it avoided several existing issues and was used jointly by evaluators from both Canada and the United States. The CTCPEC standard was first published in May 1993.
• TCSEC – The Orange Book came out of Computer Security research including the Anderson Report, completed by the National Security Agency and the National Bureau of Standards (now known as National Institute of Standards and Technology) in the late 1970s and early 1980s.
• ITSEC – This European standard was created in the early 1990s by Germany, France, the Netherlands, and the United Kingdom. This standard (like the CC) was a unification of earlier work, such as the CESG UK Evaluation Scheme targeted at the defense/intelligence market and the DTI Green Book for commercial use.

The Common Criteria was developed by unifying these existing standards so that businesses selling computer products for the government industry (predominately for defense or intelligence use) would only need to evaluate them against one set of standards. The CC was created by the governments of France, Canada, the U.S., Germany, the United Kingdom, and the Netherlands.

How Products Get CC Certified

There are several steps a company must take to become Common Criteria certified.

1. First, organizations must complete an ST description and other supporting documents, including an overview of the product and its security features, an evaluation of potential security threats and a self-assessment detailing how the product conforms to the relevant PP at the level tested against.
2. Second, organizations must find an independently licensed laboratory to evaluate their product and determine if it meets security properties to a satisfactory level.
3. If the product passes the evaluation, certification of the security properties are issued by various Certificate Authorizing Schemes. These certificates are recognized by all the signatories of the CCRA and groups such as SOG IS and EA MLA.

Blancco & Common Criteria Certification

There are several benefits to holding more than one Common Criteria certification, as most enterprises and ITADs will require options to erase both files and drives. To meet that need, Blancco holds Common Criteria certifications for three of its products.

• Blancco Drive Eraser 7.3.1:  Granted in 2023 by evaluation under the Australian Information Security Evaluation Scheme.
• Blancco Drive Eraser 6.9.1: Granted in 2021 under the Australasian Information Security Evaluation Program.
• Blancco File Eraser 8.2: Granted in 2017 by the Swedish Certification Body for IT Security.

To achieve the Common Criteria certification, we submitted evaluation reports of our products, which were investigated and then accepted by the listed certifying body.

Visit our certifications page to learn more about how Blancco meets compliance with standards, regulations, and certifications across the globe.

You may be interested in:

A Comprehensive List of Data Wiping & Erasure Standards

Blancco Drive Eraser Certified for Government Use in Australia and New Zealand

[Guide Book] NIST SP 800-88 “Media Sanitization Guidelines” Quick-Start Guide

67 Percent of Used Drives Sold on eBay and Craigslist Hold Personally Identifiable Information and 11 Percent Contain Sensitive Corporate Data

This blog post has been updated from its original December 8, 2017, publication to reflect CC changes and new Blancco certifications.