Common Criteria for Information Technology Security Evaluation (CC): Certifying Computer Security

Common Criteria for Information Technology Security Evaluation (CC), an international standard (ISO/IEC 15408) for computer security certification. Common Criteria is widely recognized and adopted for security evaluations of information technology products and systems.

In this article, we will delve into the significance of the Common Criteria, its global adoption, and the entities that rely on it for securing their digital assets. Additionally, we will touch upon its historical predecessor, the C2 security standard, to highlight the evolution of security evaluations in the IT realm.

Table of Contents:

1. What is the Common Criteria for Information Technology Security Evaluation?
2. The Importance of Common Criteria
3. Certification Process and Evaluation Assurance Levels (EALs)
4. Global Adoption and Recognition
5. Who Uses the Common Criteria?
6. Comparison with Previous Standards: The C2 Security Standard
7. Conclusion
8. References

1. What is the Common Criteria for Information Technology Security Evaluation?

The Common Criteria for Information Technology Security Evaluation (CC), formally recognized as ISO/IEC 15408, represents a pivotal standard in the cybersecurity domain. It provides a detailed framework for the evaluation of the security features and capabilities of information technology (IT) products and systems. The essence of Common Criteria lies in its structured approach towards establishing a clear and comprehensive set of criteria for assessing security functions, from the design phase through to deployment and maintenance. This standard not only specifies how to evaluate the security of IT products but also how to certify them at an international level, facilitating a unified approach to security evaluation.

See also: National Institute of Standards and Technology (NIST)

Goals and Objectives

The primary goal of the Common Criteria is to serve as a universal benchmark for the security of IT products, enabling consistent and repeatable evaluations that can be recognized globally. Its objectives include:

• Establishing a Common Understanding of Security Features: By providing detailed descriptions of security attributes and mechanisms, CC helps vendors, evaluators, and purchasers speak the same language when it comes to security features.
• Facilitating the Development and Evaluation of Secure IT Products: CC guides product developers on incorporating security into their products from an early stage and provides evaluators with criteria for assessing these security measures.
• Promoting Confidence and Trust: Through rigorous evaluation processes, CC aims to build confidence among consumers and organizations that certified products meet declared security standards.
• Enabling International Recognition of Security Evaluations: By adhering to internationally agreed-upon standards, CC certifications are recognized across national borders, simplifying the process for vendors to market their products worldwide.

2. The Importance of Common Criteria

Enhancing Trust in IT Products

In today’s digital age, where cybersecurity threats loom large, trust in the security of IT products and systems is paramount. The Common Criteria framework plays a crucial role in building this trust. By ensuring that IT products undergo rigorous and standardized security evaluations, CC certification acts as a seal of approval, indicating that a product has met high-security benchmarks. This reassurance is vital for organizations and individuals relying on these products to protect sensitive information and maintain operational integrity.

Read next: Demystifying the Role of Computer System Analyst.

Facilitating International Trade

The global recognition of Common Criteria certifications significantly impacts international trade in the IT sector. Before the adoption of CC, countries had their own security evaluation standards, creating barriers to trade and complicating the process for international companies to offer their products in different markets. The Common Criteria, with its standardized evaluation methodology, has broken down these barriers, allowing products certified in one member country to be accepted in others. This mutual recognition fosters a more dynamic and competitive international market for secure IT products, encouraging innovation and the development of superior security technologies.

3. Certification Process and Evaluation Assurance Levels (EALs)

Steps in the Certification Process

The certification process under the Common Criteria for Information Technology Security Evaluation (CC) is a systematic approach that ensures IT products meet the security standards required for their intended use. This process typically involves several key steps:

1. Security Target (ST) Creation: The product vendor begins by drafting a Security Target document, which outlines the specific security attributes and behaviors of the IT product. This document includes the product’s intended use, the security environment, and the security requirements it seeks to fulfill.
2. Evaluation by an Accredited Laboratory: Once the ST is prepared, the product undergoes evaluation by an accredited evaluation laboratory. This lab assesses the product against the ST and the applicable CC criteria, conducting thorough testing and analysis to verify the security claims.
3. Certification Body Review: After the evaluation laboratory completes its assessment, the results are submitted to a national or regional certification body. This body reviews the evaluation evidence, ensuring it meets the necessary standards and criteria for certification.
4. Granting of Certification: If the product successfully meets the evaluation criteria and the certification body is satisfied with the evidence, a CC certification is granted. This certification indicates that the product complies with the specified security requirements at the designated assurance level.

Explanation of Evaluation Assurance Levels

Evaluation Assurance Levels (EALs) are a core component of the Common Criteria, providing a scale to measure the degree of trust that can be placed in an IT product’s security features. Ranging from EAL1 to EAL7, these levels offer a graded approach to security evaluation, with each level representing a more rigorous and comprehensive examination than the last:

• EAL1 – Functionally Tested: Provides a basic level of assurance, focusing on testing the product to ensure it functions correctly in line with its documentation.
• EAL2 – Structurally Tested: Offers a modest increase in assurance by requiring more detailed testing and examination of the product’s security features, including developer insights into its design.
• EAL3 – Methodically Tested and Checked: Introduces a systematic review of the product’s security measures, including its development environment and security engineering practices.
• EAL4 – Methodically Designed, Tested, and Reviewed: Represents a medium level of assurance, including a thorough security analysis that is feasible for most commercially developed products.
• EAL5 – Semi-Formally Designed and Tested: Provides a high level of assurance, suitable for products that demand rigorous security measures, involving detailed testing and partial formal methods in its design and testing processes.
• EAL6 – Semi-Formally Verified Design and Tested: Targets high-risk environments, requiring a comprehensive security analysis and using formal methods to verify the security architecture.
• EAL7 – Formally Verified Design and Tested: The highest level of assurance, aimed at extremely high-risk settings, necessitating extensive testing, formal analysis, and verification of the product’s security architecture.

4. Global Adoption and Recognition

Countries and Regions Recognizing CC

The Common Criteria enjoys widespread international recognition, with over 30 countries participating in the Common Criteria Recognition Arrangement (CCRA). These countries, spanning continents from North America to Europe, Asia, and Oceania, acknowledge CC certifications, allowing products evaluated in one member country to be sold and trusted in others without the need for re-evaluation. Notable participants include the United States, Canada, the United Kingdom, Germany, France, Australia, Japan, and South Korea, among others.

You may also be interested in: Request for Proposal: what is it?

Industries Relying on CC for Security

The adoption of Common Criteria transcends national borders, finding application across a broad spectrum of industries. Key sectors that rely on CC for securing their IT products include:

• Government and Defense: Many national governments mandate CC certification for IT products used in sensitive and classified environments, ensuring they meet stringent security standards.
• Finance and Banking: The finance sector, dealing with critical financial data, demands high assurance levels for their IT systems to protect against fraud and breaches.
• Healthcare: With the increasing digitization of medical records and healthcare services, CC certification is crucial for ensuring the confidentiality and integrity of patient data.
• Telecommunications: As the backbone of digital communication, the telecom industry relies on CC-certified products to safeguard their networks and services against cyber threats.
• Information Technology: Beyond specific industries, IT companies at large, developing products ranging from operating systems to network devices, seek CC certification to demonstrate their commitment to security.

The global recognition and industry-wide adoption of the Common Criteria underscore its importance as a foundational element in the security posture of IT products and systems worldwide, ensuring a trusted framework for protecting digital assets against evolving cyber threats.

5. Who Uses the Common Criteria?

Government Entities

Government agencies globally leverage the Common Criteria to ensure that IT products and systems procured and deployed within their networks meet established security standards. This is particularly crucial for national defense, intelligence, and other sensitive operations, where security cannot be compromised. Governments often require CC certification for products used in classified and high-security environments, making it a prerequisite for vendors aiming to supply technology solutions to the public sector.

Private Sector and Corporations

In the private sector, corporations across various industries, including finance, healthcare, and telecommunications, use CC as a benchmark to evaluate and select secure IT products. By choosing CC-certified products, these organizations can better protect their data, ensure compliance with regulatory requirements, and mitigate the risk of security breaches. The assurance levels provided by CC certification help corporations in making informed decisions aligned with their specific security needs and risk management strategies.

IT Product Developers and Vendors

For IT product developers and vendors, obtaining CC certification is a strategic move that can significantly enhance the marketability and credibility of their products. It demonstrates a commitment to security that can distinguish their offerings in a competitive marketplace. Additionally, the process of achieving CC certification can help in identifying and rectifying security vulnerabilities, thereby improving the overall quality of their products.

6. Comparison with Previous Standards: The C2 Security Standard

Overview of C2

The C2 security standard, part of the Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, was a United States government standard that specified basic security requirements for computer systems. The C2 level emphasized discretionary access control mechanisms and audit capabilities, allowing users to control access to their own data and providing a means to log security-relevant events.

Transition from C2 to Common Criteria

The transition from the C2 security standard to the Common Criteria marked a significant evolution in the approach to IT security evaluation. While C2 provided a baseline for security, it was primarily focused on the needs of government entities and did not easily adapt to the rapidly changing technology landscape or the diverse requirements of global markets. The Common Criteria, on the other hand, introduced a more flexible and comprehensive framework that could be applied across different technologies and industries. This transition reflects a broader shift towards harmonizing security evaluation standards at an international level, enabling a unified methodology for assessing and certifying the security of IT products and systems worldwide.

7. Conclusion

The Common Criteria for Information Technology Security Evaluation stands as a critical framework in the realm of IT security, bridging the gap between the diverse security needs of government entities, the private sector, and IT product developers. By providing a standardized approach to security evaluation and certification, the Common Criteria enhances trust in IT products, facilitates international trade, and drives the development of secure technologies. As we move forward, the continued evolution and adoption of the Common Criteria will be vital in addressing the complexities of modern cybersecurity challenges.

8. References

• Books:
  • “Introduction to Computer Security” by Michael T. Goodrich and Roberto Tamassia
  • “Security Engineering: A Guide to Building Dependable Distributed Systems” by Ross Anderson
• RFCs:
  • RFC 2828 – “Internet Security Glossary”
  • RFC 3647 – “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework”
• Other Resources:
  • ISO/IEC 15408 – “Information technology — Security techniques — Evaluation criteria for IT security”
  • National Institute of Standards and Technology (NIST) Publications
  • Common Criteria Portal (www.commoncriteriaportal.org)
  • Trusted Computer System Evaluation Criteria (TCSEC) – The “Orange Book”