What is Common Criteria Certification, and Why Is It Important?

Apr 12, 2024 Blog Article

Common Criteria is a way to hold a lot of different computer security products up to the same standards. It’s especially important for industries with strict regulations. Essentially, it sets out rules for how companies can claim their products are secure. Testing labs then check if these claims are true. This ensures that computer systems and software meet reliable standards for security. The latest edition, adopted in 2017, is version 3.1, revision 5. 

Blancco Senior Content Writer Stephanie Larochelle

Stephanie Larochelle Stephanie Larochelle, a tech enthusiast and writer based in Florida, is dedicated to simplifying the intricacies of the digital world. As Blancco's senior content writer, her goal is to make data erasure easily understandable and approachable so everyone can navigate this crucial aspect of data security.

What is Common Criteria Certification?

The Common Criteria for IT Security (Common Criteria, or “CC”) ensures computer security products meet specific standards. Users define their security needs with Protection Profiles, and companies claim their products meet these specifications. Testing labs verify whether software fulfills the claims, and when successful, a vendor gets Common Criteria certification. 

Common Criteria serves as the foundation for numerous government-led certification programs. Its meaning is evident in its name: it’s a shared set of rules or standards agreed upon by all involved parties. These standards define what makes a product secure. They serve as benchmarks during testing, conducted by approved laboratories at the request of product creators. Evaluations are usually done for federal government agencies and critical infrastructure. Businesses in the private sector may also seek out Common Criteria certification when acquiring new software.. 

Common Criteria works together with its partner, the Common Methodology for IT Security Evaluation (CEM). They create the technical foundation for the international Common Criteria Recognition Arrangement (CCRA). CCRA encourages global recognition of secure IT products among many countries. Even though each country has its own certification process, CCRA acknowledges evaluations based on a shared Protection Profile (cPP). This means that all member countries agree to recognize and accept these certifications. 

Common Criteria Recognition Arrangement Members

AuthorizingConsuming
Australia
Canada   
France   
Germany   
India
Italy
Japan   
Malaysia   
Netherlands
Norway
Poland
Qatar
Republic of Korea
Singapore
Spain
Sweden 
Turkey 
United States
Austria
Czech Republic
Denmark
Ethiopia
Finland 
Greece 
Hungary
Indonesia 
Israel 
New Zealand 
Pakistan
Slovakia
United Kingdom

Some members are authorizing countries. These members maintain their own Common Criteria scheme that products can be certified under. Others are consuming countries. These countries will accept Common Criteria but do not run their own scheme.

Purpose of the CC Certification

There are several reasons the Common Criteria certification exists. Some of these include:

  1. to improve the availability of security-enhanced IT products and protection profiles that have been successfully evaluated by the panel
  2. to ensure that evaluations of IT products and protection profiles are performed to consistently high standards and contribute to confidence in those profiles and products
  3. to remove the burden of duplicate IT product evaluations and protection profiles
  4. to improve the cost-effectiveness and efficiency of the validation/certification process for protection profiles and IT products

Key CC Concepts & Definitions

Here are some key terms and concepts to know when trying to understand the Common Criteria certification.

The History of Common Criteria

The Common Criteria as we know it comes out of a wide range of existing standards and regulations. Here are a few that directly influenced the structure of the CC.

The Common Criteria was developed by unifying these existing standards so that businesses selling computer products for the government industry (predominately for defense or intelligence use) would only need to evaluate them against one set of standards. The CC was created by the governments of France, Canada, the U.S., Germany, the United Kingdom, and the Netherlands.

How Products Get CC Certified

There are several steps a company must take to become Common Criteria certified.

  1. First, organizations must complete an ST description and other supporting documents, including an overview of the product and its security features, an evaluation of potential security threats and a self-assessment detailing how the product conforms to the relevant PP at the level tested against.
  2. Second, organizations must find an independently licensed laboratory to evaluate their product and determine if it meets security properties to a satisfactory level.
  3. If the product passes the evaluation, certification of the security properties are issued by various Certificate Authorizing Schemes. These certificates are recognized by all the signatories of the CCRA and groups such as SOG IS and EA MLA.

Blancco & Common Criteria Certification

There are several benefits to holding more than one Common Criteria certification, as most enterprises and ITADs will require options to erase drives. To meet that need, Blancco holds Common Criteria certifications for two of its products.

To achieve the Common Criteria certification, we submitted evaluation reports of our products, which were investigated and then accepted by the listed certifying body.

Visit our certifications page to learn more about how Blancco meets compliance with standards, regulations, and certifications across the globe.

This blog post has been updated from its original December 8, 2017, publication to reflect CC changes and new Blancco certifications.