Common Criteria

What is common criteria


The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.

Target Of Evaluation (TOE) - the product or system that is the subject of the evaluation.

The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target´s security features. This is done through the following:

Protection Profile (PP) - a document, typically created by a user or user community, which identifies security requirements for a class of security devices (for example, smart cards used to provide digital signatures, or network firewalls) relevant to that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product´s ST (Security Target, as defined below), or the authors of the ST will at least ensure that all requirements in relevant PPs also appear in the target´s ST document. Customers looking for particular types of products can focus on those certified against the PP that meets their requirements.

Security Target (ST) - the document that identifies the security properties of the target of evaluation. It may refer to one or more PPs. The TOE is evaluated against the Security Functional Requirements established in its ST.

This allows vendors to tailor the evaluation to accurately match the intended capabilities of their product.

Security Functional Requirements (SFRs) - specify individual security functions which may be provided by a product. The Common Criteria presents a standard catalogue of such functions.

The evaluation process also tries to establish the level of confidence that may be placed in the product´s security features through quality assurance processes:

Security Assurance Requirements (SARs) - descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality.

Evaluation Assurance Level (EAL) - the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements  which covers the complete development of a product, with a given level of strictness.

Common Criteria lists seven levels, with EAL 1 being the most basic and EAL 7 being the most stringent.

Return to Old Site