Common Criteria
Common Criteria is an international standard designed to ensure the security of information technology (IT) systems. Developed in the early 1990s and first published in 1998, it amalgamates elements from various national standards, including those from the United States, Canada, and Europe. The framework allows countries to certify IT products based on a structured evaluation process, which is conducted by licensed laboratories within those countries. Participating nations adhere to the Common Criteria Recognition Arrangement (CCRA), which facilitates mutual recognition of certified products.
Certification involves evaluating a product against a specific security target that aligns with a broader protection profile, which is defined by independent bodies. Vendors select an Evaluation Assurance Level (EAL) indicating the depth of testing, with levels ranging from 1 (basic testing) to 7 (comprehensive verification). The governance of the Common Criteria is maintained by a committee representing each member country, ensuring that the criteria evolve and adapt to new security challenges. Overall, Common Criteria provides a collaborative framework for enhancing IT security globally.
The Common Criteria for Information Technology Security Evaluation, or Common Criteria for short, is the international standard for the security of information technology (IT). Originally developed in 1993, the Common Criteria is a synthesis of three preexisting national and international standards and was first published in 1998. Each country that adheres to the Common Criteria standard maintains its own national certification body, and participating countries sign the Common Criteria Recognition Arrangement (CCRA), which states that they affirm the validity of each national body’s product evaluations.
Overview
In June 1993, representatives from the organizations behind the United States’ Trusted Computer System Evaluation Criteria (TCSEC), Canada’s Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), and the European Commission’s Information Technology Security Evaluation Criteria (ITSEC) began drafting a set of international standards for IT security, to be administered under the auspices of the International Organization for Standardization (ISO). The first draft of the criteria, version 1.0, was finalized in 1996. Following a period of review, Common Criteria version 2.0 was released two years later. In 1999, version 2.1 became the ISO 15408 standard. Subsequent major updates include version 2.3, released in 2005, and version 3.1, originally released in 2006 and revised several times, including in 2012. In 2022, a new version was released.
In 1998, following the release of version 2.0, Canada, France, Germany, the United Kingdom, and the United States signed the CCRA, putting the scheme into practice. Australia and New Zealand signed the following year and were soon joined by others. By 2023, thirty-one countries had joined at two different levels of membership, according to the National Information Assurance Partnership (NIAP), the US representative to the CCRA.
To attain certification, computer systems and security programs must be evaluated against the Common Criteria by a licensed laboratory within an authorizing member nation. The Common Criteria is not a single list of specific requirements; rather, each product is evaluated against a security target, a set of requirements for that specific product provided by the vendor. In turn, the security target must conform, to a specified degree, to a given protection profile: a set of requirements for a certain class of product, such as a firewall, created by a third party and certified by an authorizing member nation. Depending on the profile, the security target either must demonstrate “strict conformance” or may satisfy the profile’s requirements with the less stringent “demonstrable conformance.” The vendor also selects the evaluation assurance level (EAL), which determines how thoroughly the product is to be tested. EALs range from 1, “functionally tested,” to 7, “formally verified design and tested.”
The Common Criteria is overseen by the Common Criteria Management Committee (CCMC), made up of representatives from each member nation. In 2000, the CCMC began holding an annual International Common Criteria Conference (ICCC), hosted by a different member nation every year. In addition, the Common Criteria Development Board (CCDB) manages the technical development of the criteria itself and supervises its application in the authorizing member nations, while the Common Criteria Maintenance Board (CCMB) processes and evaluates proposals for changes to the criteria from member nations and the ISO.