What is the main purpose of the Common Criteria for Information Technology Security Evaluation?

What are “Common Criteria”?

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. Common Criteria provides assurance that IT security products have been specified and evaluated in a rigorous and repeatable manner and at a level commensurate with the target environment of use. It was originally developed to unify and supersede the national IT security certification schemes of several countries, including the US, Canada, Germany, the UK, France, Australia and New Zealand. Common Criteria is now the most widely available mutual recognition scheme for secure IT products.

Security Standard

Common Criteria certified solutions are required by governments and enterprises around the world to protect their mission-critical infrastructures. Common Criteria certification is often a prerequisite for qualified digital signatures under European Union digital signature laws. In addition, U.S. Government agencies frequently request products that are listed by the National Information Assurance Partnership (NIAP), which requires Common Criteria certification.

The Common Criteria standard provides assurance on different aspects of product security, covering areas such as:

  • Development of the product and the related functional specification, high-level design, security architecture and/or implementation design
  • Guidance for the product and the related manuals for its secure preparation and deployment
  • Life-cycle of the product and all related processes that apply during its creation (such as configuration management and the secure development process and tools), through deployment and retirement, including the life-cycle definition and delivery process
  • Supporting security policy documentation
  • Tests of the product, and in particular coverage of the security functional requirements
  • Vulnerability assessments

Certification Authorities

Common Criteria is an international standard (ISO/IEC 15408). The Common Criteria Development Board manages the technical work program for the maintenance and ongoing development of the CC set of documents.

Two major recognition agreements exist in the Common Criteria:

  1. The Common Criteria Recognition Arrangement (CCRA), which comprises 28 countries across all continents and under which the CCRA authorizing members recognize Common Criteria certification of secure IT products up to level EAL 2
  2. The Senior Official Group – Information Systems Security (SOG-IS), which comprises 15 countries from Europe and under which Common Criteria certification of secure IT products is recognized up to level EAL 7, depending on the level of the SOG-IS members

UL Solutions' Common Criteria Certification helps safeguard systems

International hacking scandals are putting the spotlight on countries' security loopholes and weaknesses. With many governments calling for higher security, their requirements for secure IT products are increasingly stringent.

UL Solutions was one of the first laboratories involved in the European Common Approval Scheme for Point-Of-Interaction devices. Today, UL Solutions is an accredited Common Criteria IT Security Evaluation Facility, providing advisory and evaluation services to help IT vendors successfully complete security evaluations.

Fortune 1000 companies choose UL Solutions for our customer responsiveness, proven expertise and security knowledge.

Common Criteria, also known as ISO/IEC 15408

Formalized as ISO/IEC 15408, the Common Criteria (CC) defines a hierarchical framework of security concepts and terminology. The CC also defines the Protection Profile (PP) construct, a requirements template that is specific to a product category but agnostic to any particular product. This allows prospective consumers, developers and regulatory groups to create standardized sets of security threats, objectives, requirements and assurance measures. The Target of Evaluation (TOE) is the part of the product or system that is subject to evaluation. The Security Target (ST) contains the product-specific instantiation of the standardized content from the PP, along with a summary specification of how the TOE satisfies the Security Functional Requirements, and is used by the evaluators as the basis for the evaluation. The Common Criteria Recognition Arrangement (CCRA) is an international cooperative agreement whereby participating government organizations ensure that the Certification Bodies issuing CC certificates meet high and consistent standards, as well as the conditions for mutual recognition.

Frequently asked questions regarding Common Criteria certification

Why should I evaluate my product?

In the US, the Committee on National Security Systems (CNSS) releases policies that are binding on all U.S. Government departments and agencies. Policy 11 requires all Information Assurance (IA) and IA-enabled IT products to be selected from the NIAP Product Compliant List (PCL). IA and IA-enabled products are those that have any mechanism providing for the availability of systems, ensuring the integrity and confidentiality of information, or ensuring the authentication and non-repudiation of parties in electronic transactions. This requirement is also stated in the NIAP FAQ. It is worth noting that this is not always understood or fully enforced by contractors, integrators, procurement staff and others; a common misunderstanding is the difference between needing to be on the NIAP PCL and merely holding a Common Criteria certificate from any CC country or scheme.

How does U.S. NIAP differ from other CC schemes?

The National Information Assurance Partnership (NIAP) operates the Common Criteria Evaluation and Validation Scheme (CCEVS) and approves Common Criteria Testing Laboratories (CCTLs). By design, all Common Criteria evaluations, regardless of country or scheme, may, but are not required to, claim conformance to a Protection Profile. Because a PP is a template, Protection Profile-based evaluations generally provide more consistent and comparable results. As a result, by policy since 2014, NIAP has only included on the PCL products whose evaluations are in “exact” conformance to a NIAP approved Protection Profile (PP). So, for example, if you search the PCL you will see that it is possible to evaluate a product through another CCRA scheme (Spain, for example) as long as the evaluation is still performed against a “NIAP approved” PP.

“EAL” refers to an Evaluation Assurance Level of the TOE. It corresponds to the assurance activities performed by the CCTL and reflects the level of assurance that the TOE meets the functional requirements listed in the ST. CC Part III lists the specific assurance activities that correspond to EAL levels 1-8. For PP evaluations, the assurance activities are explicitly specified in the PP, so they may or may not exactly correspond to those designated by an EAL level. The assurance activities for NIAP approved PPs generally correspond to EAL1 to EAL2.

Which Protection Profile?

NIAP has published a guideline for cases where no appropriate PP exists, which states that “if there is no PP in development or planned, NIAP will work with the end-user and/or vendor to determine whether a Common Criteria evaluation is necessary and will provide alternatives for the product security use case requirements.” It is also worth noting that the CC Technical Communities and the CC Users Forum welcome vendors to get involved and provide input and feedback on the PPs.

It is possible to extend a PP through optional secondary PPs referred to as extended packages or PP modules. The amount of work, and therefore the cost, of an evaluation depends on the Protection Profile and/or its extensions. Each one has an introduction that explains what security functionality is covered, as well as the features of a compliant Target of Evaluation (TOE). NIAP Publication #5 is a guide for sponsors and provides very useful information on the process and the roles of the various parties involved in the evaluation.

What is the Common Criteria certification process?

UL Solutions' validation services include assistance with Security Target authoring to ensure your evaluation gets started right. UL Solutions also has a strong entropy assessment team and can provide full entropy analysis. UL Solutions is a FIPS 140 certified test lab and can provide the NIST CAVP algorithm certification required by NIAP.

UL Solutions begins an evaluation with an extensive workshop to review the PP requirements and the Target of Evaluation (TOE) design, which helps highlight compliance concerns and kick-start ST authoring. The evaluation process requires 100% compliance with the requirements of the Protection Profile and is therefore iterative.

After all documentation has been evaluated and is largely conformant, UL Solutions takes delivery of the product and performs functional testing. This testing is typically done at UL Solutions facilities and may leverage some vendor-specific testing tools, depending on the testing required. This is a collaborative process in which UL Solutions may reach out to the vendor to address functional issues, typically related to the configuration of the product. Once all tests are passing, testing is complete and the project can move to the final phase.

The final phase requires all findings of the project to be submitted to NIAP in a specific form known as the Evaluation Technical Report. This includes a brief summary of the evaluation activities known as the Assurance Activity Report (AAR). UL Solutions then responds to the Evaluation Coordination Review with NIAP. Upon formal validation, the ST, the AAR and the Validation Report become public record and are posted on the NIAP website together with the Validation certificate.

Commit to higher security with UL Solutions

Founded in 1894, UL Solutions has been a leader in product testing and certification for over 100 years. As such, UL Solutions is able not only to conduct Common Criteria certification under multiple schemes, but also to evaluate products against multiple cybersecurity, safety and performance standards in parallel with Common Criteria certification.

What is the Common Criteria certification, the international standard ISO/IEC 15408 for IT security evaluation?

The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (ISO/IEC 15408) for IT product security certification. It is a framework that provides criteria for independent, scalable and globally recognized security evaluations of IT products.

What is the purpose of security evaluation?

Security evaluation: the examination of a system to determine its degree of compliance with a stated security model, security standard, or specification.

What do you mean by security evaluation criteria?

Security evaluation criteria are usually presented as a set of parameter thresholds that a system must meet in order to be evaluated and deemed acceptable. These criteria are established on the basis of a threat assessment that determines the extent of the data sensitivity, the security policy, and the system characteristics.

What is the purpose of Common Criteria?

The Common Criteria enable an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements. Although the focus of the Common Criteria is evaluation, it presents a standard that should be of interest to those who develop security requirements.