Your Premier Resource: Guide to IT Security Standards

Welcome to your hub for IT security certification, where you can explore ISO/IEC 15408, the standard better known as the Common Criteria (CC), and enhance your digital security expertise across business, government, and personal domains. Our mission is to demystify the CC certification process, which gives evaluators a thorough and standardized way to assess IT products and systems. We explain the framework for both users and vendors, so that each side can state, understand, and verify security requirements. Our goal is to make the complexities of CC accessible and actionable for everyone involved in IT security.

Intro

Understanding Common Criteria

Common Criteria lets a vendor state Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) for a product in a Security Target (ST), which typically claims conformance to one or more Protection Profiles (PPs). Because the SFRs and SARs are drawn from standard catalogues (CC Part 2 and Part 3 respectively), IT products and systems are evaluated against a consistent set of criteria, giving users comparable assurance and giving vendors a clear pathway to demonstrate compliance.

Key Concepts of Common Criteria

Target of Evaluation (TOE)
This is the product or system being evaluated. The TOE's security features are validated against the claims made in the Security Target.
Protection Profile (PP)
A document, usually written by a user community, a government scheme, or an international technical community, that specifies the security requirements for a whole class of products (a TOE type, such as network devices or smart cards). A PP is implementation-independent: it serves as a template for STs and focuses evaluations on the requirements that matter for that product class.
Security Target (ST)
This document identifies the security properties of the TOE. It may claim conformance with one or more PPs and is the basis against which the TOE is evaluated.
Security Functional Requirements (SFRs)
These specify the individual security functions a product provides, such as auditing, user authentication, or cryptographic operations. Common Criteria Part 2 offers a standard catalogue of these functions, organized into classes (for example FAU for audit, FCS for cryptographic support, FIA for identification and authentication), families within each class, and numbered components such as FIA_UAU.2.
Security Assurance Requirements (SARs)
These describe the measures taken during a product's development and evaluation to give confidence that the security functionality is correctly implemented: design documentation, configuration management, guidance, independent testing, and vulnerability analysis. They come from a standard catalogue in Common Criteria Part 3, and the set selected for a given evaluation (normally an Evaluation Assurance Level package, possibly augmented with individual components) determines how much evidence the developer must supply and how deeply the evaluator examines and tests the product.
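The relationship between a PP and an ST is easiest to see as data. The Python below is an added illustration, not code from this page or from any CC scheme: it validates component identifiers against the CC naming scheme (class_family.number, with F-classes for SFRs and A-classes for SARs) and then checks a Security Target against a Protection Profile using a deliberately simplified model of strict conformance, in which the ST must claim every component the PP claims and may add more. The PP and the two STs are constructed sample data, not real published documents, and the names `Requirements`, `strict_conformance_gaps` and `conforms_strictly` are this example's own. The real CC Part 1 conformance rules also allow hierarchically higher components and cover threats, objectives and operations on requirements, which this check does not model.

```python
import re
from dataclasses import dataclass

# A CC component identifier is class_family.number, e.g. FIA_UAU.2 or
# AVA_VAN.3. Functional classes (CC Part 2) start with F, assurance
# classes (CC Part 3) start with A.
COMPONENT_RE = re.compile(r"^([FA][A-Z]{2})_([A-Z]{3})\.([1-9]\d*)$")


def parse_component(ident: str) -> tuple[str, str, int]:
    """Split 'FIA_UAU.2' into ('FIA', 'UAU', 2); reject malformed identifiers."""
    match = COMPONENT_RE.match(ident)
    if match is None:
        raise ValueError(f"not a Common Criteria component identifier: {ident!r}")
    cls, family, number = match.groups()
    return cls, family, int(number)


@dataclass(frozen=True)
class Requirements:
    """SFRs and SARs claimed by a PP or an ST (hypothetical container type)."""

    name: str
    sfrs: frozenset[str]
    sars: frozenset[str]

    def __post_init__(self) -> None:
        # SFRs must come from functional classes and SARs from assurance
        # classes; a misfiled component is a defect in the document itself.
        for ident in self.sfrs:
            if not parse_component(ident)[0].startswith("F"):
                raise ValueError(f"{self.name}: {ident} is not an SFR")
        for ident in self.sars:
            if not parse_component(ident)[0].startswith("A"):
                raise ValueError(f"{self.name}: {ident} is not an SAR")


def strict_conformance_gaps(st: Requirements, pp: Requirements) -> dict[str, list[str]]:
    """Return the PP components the ST fails to claim, split by kind.

    Assumption: strict conformance is modelled as a plain superset check.
    The ST may claim additional SFRs or SARs beyond the PP; it may not drop any.
    """
    return {
        "sfrs": sorted(pp.sfrs - st.sfrs),
        "sars": sorted(pp.sars - st.sars),
    }


def conforms_strictly(st: Requirements, pp: Requirements) -> bool:
    """True when the ST claims everything the PP requires."""
    gaps = strict_conformance_gaps(st, pp)
    return not gaps["sfrs"] and not gaps["sars"]


# Constructed sample data: a made-up PP for a network device class and
# two candidate STs. None of these are real published documents.
EXAMPLE_PP = Requirements(
    name="PP-NetDev-Example (constructed)",
    sfrs=frozenset({"FAU_GEN.1", "FCS_COP.1", "FIA_UAU.2",
                    "FIA_UID.2", "FMT_SMF.1", "FPT_STM.1"}),
    sars=frozenset({"ASE_CCL.1", "ADV_FSP.1", "AGD_OPE.1",
                    "ATE_IND.1", "AVA_VAN.1"}),
)

# Claims every PP component and adds a trusted channel SFR and flaw remediation.
CONFORMING_ST = Requirements(
    name="ST-Router-A (constructed)",
    sfrs=EXAMPLE_PP.sfrs | {"FTP_ITC.1"},
    sars=EXAMPLE_PP.sars | {"ALC_FLR.2"},
)

# Silently drops the cryptographic operation SFR and the vulnerability analysis SAR.
INCOMPLETE_ST = Requirements(
    name="ST-Router-B (constructed)",
    sfrs=EXAMPLE_PP.sfrs - {"FCS_COP.1"},
    sars=EXAMPLE_PP.sars - {"AVA_VAN.1"},
)


if __name__ == "__main__":
    for st in (CONFORMING_ST, INCOMPLETE_ST):
        verdict = "conforms" if conforms_strictly(st, EXAMPLE_PP) else "does NOT conform"
        print(f"{st.name} {verdict} to {EXAMPLE_PP.name}: "
              f"missing {strict_conformance_gaps(st, EXAMPLE_PP)}")
```

The point of the check is the one an evaluator makes under the ASE_CCL (conformance claims) assurance family: an ST that quietly omits a PP component, as `ST-Router-B` omits the cryptographic SFR and the vulnerability analysis SAR, cannot claim conformance no matter what else it adds.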

The Evaluation Process

The evaluation process under Common Criteria is aimed at establishing confidence in the product's security features. An accredited laboratory examines the product against its ST, including the assumptions the ST makes about the product's intended operational environment, and a national certification body reviews the laboratory's findings before issuing a certificate. The depth of that examination is set by the Evaluation Assurance Level (EAL), a scale from EAL1 (functionally tested) to EAL7 (formally verified design and tested), where each level is a predefined package of SARs; an EAL may be augmented with extra components, written for example as "EAL4+" with ALC_FLR.2 or AVA_VAN.5. A higher EAL means more developer evidence and deeper evaluator testing and vulnerability analysis, not that the product claims more security functionality: two products at different EALs may implement the same SFRs, and a product at EAL4 is not automatically "more secure" than one at EAL2 with a broader ST.

Certification and Mutual Recognition

The Common Criteria portal maintains a list of certified products together with their STs and certification reports, offering a valuable reference for users seeking evaluated IT solutions. Certification is often a requirement in IT procurement, especially for governments and sensitive industries. Additionally, the Common Criteria Recognition Arrangement (CCRA) provides that certificates issued by a certificate-authorizing member nation are recognized by all other participating nations, facilitating a global market for evaluated IT products. The recognition has a scope, however: under the current CCRA it covers evaluations against collaborative Protection Profiles and evaluations up to EAL2 (augmented with flaw remediation); higher-level certificates are recognized only under separate regional arrangements, such as the European SOG-IS agreement, so a buyer relying on an EAL4 certificate issued abroad should check which arrangement actually covers it.

Adapting to Modern IT Challenges

As technology evolves, so does Common Criteria. The standard has been revised (ISO/IEC 15408:2022 corresponds to the CC:2022 release), and evaluation work is increasingly organized around collaborative Protection Profiles (cPPs) written by international technical communities for product classes such as network devices, mobile devices, and full-disk encryption, which brings modern targets like cloud services, IoT, and mobile technologies into scope. Cryptography is handled by a division of labour: the CC catalogue specifies cryptographic functionality through the FCS class of SFRs, while validation of the algorithm implementations themselves is left to separate schemes such as FIPS 140-3 (the successor to FIPS 140-2) and the associated algorithm validation programs, whose certificates a CC evaluation typically references rather than repeats. Common Criteria serves as a critical standard for ensuring IT security across the globe. By providing a structured framework for evaluating and certifying IT products, it helps users make informed decisions and fosters a market where security and trust are paramount. Whether you're a business looking to certify your product or a user seeking evaluated solutions, understanding and leveraging Common Criteria is essential in today's digital world.