Common Criteria


Common Criteria (CC), formally known as Common Criteria for Information Technology Security Evaluation, is an international standard (ISO/IEC 15408) for evaluating the security of IT products and systems. It provides a framework for specifying security requirements and evaluating products against those requirements.

How Does Common Criteria Work?

The CC framework involves several key components:

  • Protection Profiles (PPs), which define generic security requirements for a class of products;
  • Security Targets (STs), which are specific claims made by a vendor about the security features of their product;
  • Evaluation Assurance Levels (EALs), which specify the rigor of the security evaluation.

Products are evaluated by accredited laboratories against the requirements in their ST, which are often based on PPs. A successful evaluation results in a certification that the product meets the claimed security assurance level.

Comparative Analysis

Common Criteria provides a standardized, rigorous, and internationally recognized method for security evaluation, unlike ad-hoc or vendor-specific security claims. It offers a structured approach to defining and verifying security properties, ensuring a consistent level of assurance across different products and vendors.

Real-World Industry Applications

CC certification is often a requirement for IT products used in government, defense, and critical infrastructure sectors worldwide. Many governments mandate CC certification for products handling sensitive information. Examples include operating systems, network devices, smart card operating systems, and security modules.

Future Outlook & Challenges

The CC standard is continuously updated to address emerging security threats and technologies. Challenges include the complexity and cost of the evaluation process, the need for skilled evaluators, and keeping the standard relevant in the rapidly evolving IT landscape. Efforts are ongoing to streamline the process and expand its applicability.

Frequently Asked Questions

  • What is the main purpose of Common Criteria? To provide a standardized international framework for evaluating IT product security.
  • What are Protection Profiles (PPs) and Security Targets (STs)? PPs define generic security requirements, while STs are specific security claims made by a vendor for their product.
  • What do Evaluation Assurance Levels (EALs) indicate? EALs specify the depth and rigor of the security evaluation process.