Common Criteria Overview

by James G. Barr

Docid: 00018711

Publication Date: 1905

Report Type: TUTORIAL

Preview

The Common Criteria for Information Technology Security Evaluation (CC) provides internationally
accepted, standards-based IT security specifications that can help an
organization assess and express its IT security needs, then compare the
security capabilities of various products and choose the most appropriate system. First used primarily in government, the CC is now also used by consumers and
businesses as a reliable standard of IT security across different vendors and
countries.

Executive Summary

The Common Criteria for
Information Technology Security Evaluation (CC) is a set of international
standards for IT security evaluation, certification, and accreditation. 

The CC is
equivalent to the International Organization for Standardization (ISO)/IEC 15408-1:2009 standard.
ISO/IEC 15408 establishes the general concepts and principles of IT security
evaluation and is meant to be used as the basis for evaluation of security
properties of IT products. The standard was last reviewed and confirmed in 2015
and remains current.

The CC was developed
through the cooperation of governmental organizations in six countries, and
at first was used primarily for government applications. However, the CC has gained
popularity among private sector businesses and consumers who rely on it as an
impartial standard of IT security across different vendors and different
countries. The CC’s evaluations are standardized, mutually accepted, and published for public use on the Common Criteria Portal,
eliminating the waste and redundancy of each purchasing company performing its
own evaluations.

The CC comprises
hierarchically organized security definitions that describe issues such as
how information is stored, what encryption methods are used, and what user
authentication procedures are employed. The CC defines seven assurance
levels. The lowest level requires only functional testing and provides
moderate confidence in the security of applications that are not at a high
risk. The highest level demands formally verified design and testing, and
provides strong assurance for high-risk applications. The CC focuses on IT
security measures in hardware, firmware, or software that protect information
from unauthorized disclosure, alteration, or loss of use due to malicious or
non-malicious human activities.

The CC helps consumers, developers, and evaluators assess, compare, and
improve the security of IT systems and products. Consumers can use the CC for guidance in stating their
IT security requirements, and to help determine whether a system meets their needs. Developers can use the CC for help in interpreting customers’ statements of IT
security requirements, and in formulating the specifications of the system being
developed. Evaluators can use the CC for guidance in evaluating predefined security
profiles, and to determine whether a system meets the security functions specified
for it. Others who may find the CC useful include system custodians,
internal and external auditors, security architects and designers, and IT
product vendors and resellers.

The current version of the CC is Release 3.1, Revision 5, unveiled in May 2017.

As of April 2019, there were approximately 2570 CC certified products, as
detailed in Table 1. The overall total is not precise since a particular
product may be certified in more than one category.

Table 1. CC Certified Products by Category

Category                                                # Products
Access Control Devices and Systems                              69
Biometric Systems and Devices                                    3
Boundary Protection Devices and Systems                         78
Data Protection                                                 74
Databases                                                       31
Detection Devices and Systems                                   14
ICs, Smart Cards and Smart Card-Related Devices and Systems   1215
Key Management Systems                                          22
Mobility                                                        33
Multi-Function Devices                                         208
Network and Network-Related Devices and Systems                278
Operating Systems                                              108
Other Devices and Systems                                      292
Products for Digital Signatures                                107
Trusted Computing                                               38
Total                                                         2570

Description

In the early 1980s, the
US government sponsored an initiative to develop effective criteria for IT
security evaluation: the Trusted Computer System Evaluation Criteria (TCSEC). In 1991, France, Germany, the Netherlands, and the UK jointly published a
similar set of IT security evaluation criteria: the Information Technology
Security Evaluation Criteria (ITSEC). Working to combine these two approaches
into a single international standard, Canada then published the Canadian
Trusted Computer Product Evaluation Criteria (CTCPEC), and the US published the
Federal Criteria for Information Technology Security.

Meeting distinct
evaluation criteria in different countries created difficulties for
manufacturers who sought to sell their products globally. A single
international standard was needed. In 1993, the governmental organizations
that sponsored these initiatives collaborated to develop a single set of IT
security criteria that could ultimately be submitted to the International
Organization for Standardization (ISO) as a contribution to the standard it
was also pursuing.

In 1999, the ISO adopted
the CC as ISO 15408, with minor modifications, and accepted compliance with
the CC as equivalent to compliance with ISO 15408. The Common Criteria
Project Sponsoring Organizations make the CC readily available for
unrestricted public use via free downloads. 

The CC focuses on IT
security measures in hardware, firmware, or software that protect information
from unauthorized disclosure, alteration, or loss of use due to malicious or
non-malicious human activities. In other words, it seeks to protect the
confidentiality, integrity, and availability of information, and thus to
increase confidence in IT security. The CC’s common
evaluation language and categories make it possible to compare security
between products from different companies and even different countries. The
evaluations are standard and mutually accepted, so once a product or system
has been evaluated, future purchasers can rely on that evaluation and avoid
having to reevaluate it.

The CC comprises three
parts. Ensuring that an IT product or system achieves a certain level of
security requires not only a functional design that addresses the relevant
security risks, but also some assurance that the design is correctly
implemented and provides effective protection in practice as well as in
theory. The CC separates these two aspects of IT security into functional
components and assurance components.

  • Part 1 defines the concepts and principles of IT security evaluation, and
    offers a structured way to express IT security objectives, to select and
    define IT security requirements, and to create high-level specifications for
    products and systems.
  • Part 2 defines functional
    components, families, and classes that express the requirements for
    security in the design of a product or system.
  • Part 3 defines assurance
    components, families, and classes that address the need to assure that a
    product or system is well implemented and effective. The CC also defines
    reusable packages of commonly occurring security requirements and
    provides seven predefined evaluation assurance levels to increase
    consistency and reduce redundant effort.

Current View

Target of Evaluation

The CC is flexible in terms of what to evaluate, and is not tied to specific
IT products or product types. Therefore, the CC uses the term "Target of
Evaluation" (TOE). Examples of TOEs include:

  • A software application
  • An operating system
  • A software application in combination with an operating system
  • A software application in combination with an operating system and a
    workstation
  • An operating system in combination with a workstation
  • A smart card integrated circuit
  • The cryptographic co-processor of a smart card integrated circuit
  • A local area network (LAN) including all terminals, servers, network
    equipment, and software
  • A database application excluding the remote client software normally
    associated with that database application.[1]

Target Audience

The target audience for
the CC includes consumers, developers, evaluators, and others.

  • Consumers can use
    the CC for guidance in stating their IT security requirements, and to help
    determine whether a system meets their needs. 
  • Developers can use the CC for
    help in interpreting customers’ statements of IT security requirements, and in
    formulating the specifications of the system being developed.
  • Evaluators can
    use the CC for guidance in evaluating predefined security profiles, and to
    determine whether a system meets the security functions specified for it. 
  • Others
    who may find the CC useful include system custodians, internal and external
    auditors, security architects and designers, and IT product vendors and
    resellers.

Current Version

The current version of the CC is Release 3.1, Revision 5, unveiled in May 2017. The following governmental organizations contributed to the
development of this release:

  • Australia: The Australian Signals Directorate
  • Canada: Communications Security Establishment
  • France: Agence Nationale de la Sécurité des Systèmes d’Information
  • Germany: Bundesamt für Sicherheit in der Informationstechnik
  • Japan: Information Technology Promotion Agency
  • Netherlands: Netherlands National Communications Security Agency
  • New Zealand: Government Communications Security Bureau
  • Republic of Korea: National Security Research Institute
  • Spain: Ministerio de Administraciones Públicas and Centro Criptológico
    Nacional
  • Sweden: Swedish Defence Materiel Administration
  • United Kingdom: National Cyber Security Centre
  • United States: The National Security Agency and the National Institute
    of Standards and Technology

Outlook

Validation

Under the Common Criteria Evaluation and Validation Scheme, commercial
testing laboratories conduct CC-based evaluations of IT products on a
fee-for-service basis. This allows consumers to obtain impartial assessments
of IT products by an independent entity, in accordance with recognized
standards and procedures.

The National
Information Assurance Partnership (NIAP) maintains an ongoing program of
approving CC testing laboratories, each accredited by the National Institute of
Standards and Technology (NIST) National Voluntary Laboratory Accreditation
Program (NVLAP).

To increase confidence in
IT security evaluations, and promote consistency and comparability,
evaluation results can further be reviewed by an independent party to
ascertain whether an evaluation was conducted appropriately and whether the
conclusions of the testing laboratory are consistent with the facts presented
in the evaluation. The independent validation of evaluation results provides additional
confirmation for consumers about the security of IT products.

International Support

The CC has gained broad
international support. The 30 countries recognizing Common Criteria certificates
are:

  • Australia
  • Austria
  • Canada
  • Czech Republic
  • Denmark
  • Ethiopia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • India
  • Indonesia
  • Israel
  • Italy
  • Japan
  • Republic of Korea
  • Malaysia
  • Netherlands
  • New Zealand
  • Norway
  • Pakistan
  • Poland
  • Qatar
  • Singapore
  • Spain
  • Sweden
  • Turkey
  • United Kingdom
  • United States

These nations – collectively, the Common Criteria Recognition Arrangement (CCRA)
– establish high and consistent standards for validating IT products and
protection profiles, and specify that once an IT product or protection
profile has earned a CC certificate, it can thereafter be used without being
evaluated again. This eliminates the waste of duplicate evaluations of IT
products and profiles, especially for manufacturers who seek to sell their
products globally.

CCRA Vision

In September 2012, the CCRA Management Committee (CCMC) cooperated on a
"vision statement for the future direction of the application of the CC and the
CCRA."

Importantly, the CCMC agreed that:

  1. "The general security level of general ICT
    [Information and Communications Technology] COTS [Commercial Off-The-Shelf] certified products needs to be raised without severely impacting price and timely availability of these products.
  2. "To support that goal, the level of standardization has to be increased by building Technical Communities (TC) developing collaborative Protection Profiles (“cPPs”) and supporting documents, in order to reach reasonable, comparable, reproducible and cost-effective evaluation results.
  3. "Protection Profiles (“cPPs”) and/or supporting documents will address vulnerability analysis requirements to ensure certified products achieve an expected level of security."[2]

Another View

Seeking to strengthen the CC standard, in June 2011, Intel’s David Hoffman,
director of Security Policy and Global Privacy Officer, proposed the following:

  1. Use the Common Criteria Forum to drive mutual recognition and reduce
    or eliminate the need for geography specific certification. In turn, this
    will reduce cost to vendors from having to certify the same product in
    multiple geographies and allow vendors to more rapidly deliver the assurance
    and certifications that customers demand.
  2. Establish and work through technical communities to develop new
    Protection Profiles to drive mutual recognition of certified products.
  3. Accelerate and enhance Protection Profile development, through a
    community led process, to cover the needed product categories and enhance
    mutual recognition of certifications across participating schemes.
  4. Improve the consistency and efficiency of evaluations to drive
    increased value in the certification and more trust and confidence in
    certified products.
  5. Expand Common Criteria to address manufacturing process integrity
    aspects of the supply chain.[3]

Recommendations

Lacking specialized knowledge, expertise, or resources, consumers may find it difficult to assess
whether a proposed IT product or system is sufficiently secure for their
needs. The CC provides an unbiased, organized system that can help companies
assess and express their IT security needs, then compare the security
capabilities of various products or systems and choose the one that meets
those needs. The CC also helps developers and evaluators assess, compare, and
improve the security of IT systems and products.

Organizations with an
interest in IT security should make use of the Common Criteria website, which
serves as a support environment and information portal for international evaluation
laboratories, sponsors, developers, and users. It includes a discussion
board, as well as a list of evaluation laboratories. It also lists companies
that provide help with pre-evaluation development, training, security target
development, and other CC-related functions. The CC is available for public
use and can be downloaded at no charge from the Common Criteria Portal.

On the Common Criteria
website, visitors can view a list of products and protection profiles that
have satisfied the CC, as well as the list of seven evaluation assurance
levels. Organizations can save money and time by using predefined protection
profiles and evaluation assurance levels wherever possible, and by choosing
products that have already been CC certified.

CC security evaluations
are described in evaluation technical reports produced by Common Criteria
Testing Laboratories, and summarized in associated validation reports and
Common Criteria certificates. It is important
to keep in mind that an IT product has typically been evaluated in a generic
laboratory setting, and results are applicable only to the particular product
version and configuration environment that were evaluated. Operating the
product in a different version or configuration environment may change its
security. Before placing trust in a particular system, a company should carefully
review its CC security evaluations and determine their applicability to the
situation in which the product will be used.
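
The scope caveat above (a certificate covers one product version in one evaluated configuration) is easy to check mechanically once an organization records what was certified. The following is an added example written for this page, not code from the report or from any CC scheme; the product name, version, configuration settings and certificate identifier are constructed placeholders, and the settings compared are whatever an organization would copy out of the product's Security Target.

```python
"""Added example (not from the report): check deployed instances of a product
against the scope of a Common Criteria certificate record.

A CC certificate applies only to the evaluated TOE version in the evaluated
configuration, so a deployment is treated as covered only when both match.
Every name, version, setting and identifier below is constructed for
illustration and does not refer to a real certificate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertifiedTOE:
    """What the certificate and validation report say was evaluated."""
    product: str
    evaluated_version: str
    evaluated_config: dict   # settings the Security Target assumes (constructed)
    certificate_id: str      # placeholder, not a real certificate number


@dataclass
class Deployment:
    """One deployed instance as recorded in an asset inventory (constructed)."""
    host: str
    product: str
    version: str
    config: dict


def coverage_gaps(toe: CertifiedTOE, deployment: Deployment) -> list:
    """Return the reasons a deployment falls outside the certificate's scope.

    An empty list means the deployed version and every evaluated setting
    match what was certified. A different product short-circuits, since
    comparing its settings would be meaningless.
    """
    if deployment.product != toe.product:
        return [f"product {deployment.product!r} is not the certified TOE "
                f"{toe.product!r}"]
    gaps = []
    if deployment.version != toe.evaluated_version:
        gaps.append(f"version {deployment.version} differs from evaluated "
                    f"version {toe.evaluated_version}")
    for key, expected in toe.evaluated_config.items():
        actual = deployment.config.get(key)   # missing setting counts as a gap
        if actual != expected:
            gaps.append(f"setting {key}={actual!r} differs from evaluated "
                        f"{expected!r}")
    return gaps


def audit(toe: CertifiedTOE, deployments: list) -> dict:
    """Map each host to its list of gaps; hosts with an empty list are covered."""
    return {d.host: coverage_gaps(toe, d) for d in deployments}


# Constructed certificate record: the evaluated version and the configuration
# assumptions a Security Target might state (all values are illustrative).
EXAMPLE_TOE = CertifiedTOE(
    product="ExampleFW",
    evaluated_version="4.2.1",
    evaluated_config={"fips_mode": True, "remote_admin": "tls_only",
                      "audit_log": True},
    certificate_id="CERT-ID-PLACEHOLDER",
)

# Constructed inventory: one matching host, one newer (unevaluated) version,
# and one host running the evaluated version outside the evaluated configuration.
EXAMPLE_DEPLOYMENTS = [
    Deployment("fw-edge-01", "ExampleFW", "4.2.1",
               {"fips_mode": True, "remote_admin": "tls_only", "audit_log": True}),
    Deployment("fw-edge-02", "ExampleFW", "4.3.0",
               {"fips_mode": True, "remote_admin": "tls_only", "audit_log": True}),
    Deployment("fw-lab-01", "ExampleFW", "4.2.1",
               {"fips_mode": False, "remote_admin": "ssh", "audit_log": True}),
]

if __name__ == "__main__":
    for host, gaps in audit(EXAMPLE_TOE, EXAMPLE_DEPLOYMENTS).items():
        status = "covered by certificate" if not gaps else "outside evaluated scope"
        print(f"{host}: {status}")
        for gap in gaps:
            print(f"  - {gap}")
```

The point of the output is not that the two non-matching hosts are insecure, only that the certificate says nothing about them: a newer version or a changed setting puts a deployment back into the position of an unevaluated product, which is exactly the situation the paragraph above warns about.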

References

[1] "Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model." Version 3.1, Revision 5, Document Number 2017-04-001. CCMC, April 2017, p. 34.

[2] "Common Criteria Recognition Arrangement: Common Criteria Management Committee Vision Statement." Version 2.0, Document Number 2012-09-001. CCMC, September 2012, p. 2.

[3] David Hoffman. "Intel Draft Proposal to Reform Common Criteria." Intel, June 9, 2011.

About the Author

James G. Barr is a leading business continuity analyst and business writer
with more than 30 years’ IT experience. A member of "Who’s Who in
Finance and Industry," Mr. Barr has designed, developed, and deployed
business continuity plans for a number of Fortune 500 firms. He is the
author of several books, including How to Succeed in Business BY Really
Trying, a member of Faulkner’s Advisory Panel, and a senior editor for
Faulkner’s Security Management Practices. Mr. Barr can be reached
via e-mail at jgbarr@faulkner.com.
