Technology develops at an incredible speed, easing and changing our personal and professional lives in countless areas. However, this rapid rise has its downsides: cybersecurity practice and national and international regulations are struggling to keep up with it in order to keep the online space, connected networks and devices safe. Fortunately, more and more effective solutions are becoming available to address this issue. If you work in the cybersecurity industry or develop software for governments and governmental organizations, you have certainly heard about Common Criteria certification. This internationally accepted framework helps to make eligible IT products and systems more secure. In this article, we provide more insight into this topic.
What is Common Criteria certification?
The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international set of cybersecurity certification standards (ISO/IEC 15408). Common Criteria certification ensures that an IT product or system’s definition, implementation, and assessment were completed in a rigorous and repeatable manner at a level acceptable for the intended environment. Common Criteria certifications are recognized internationally by all CCRA member states, which currently means 31 signatories.
Common Criteria evaluation refers to the assessment procedure, performed by an accredited and independent Testing Laboratory, that the evaluated IT product or system must go through in order to be Common Criteria certified.
What are the benefits of having your product CC-certified?
Common Criteria certification of a qualified IT product or system has many advantages for the Developer or Sponsor, the most important of which are the following:
- Improves the product or system and prevents future costs: Common Criteria certification improves your product or system through a rigorous assessment procedure which may reveal vulnerabilities that can be fixed before the product is released to the market. That also helps you avoid costly post-release updates.
- Maintains competitiveness: Common Criteria certification is an effective tool for keeping your product competitive. Common Criteria evaluation and certification are crucial when competing with other well-established cybersecurity solutions that have previously been evaluated.
- Further business opportunities: CC certification opens the door to new business opportunities, such as larger international tenders or governmental-sector procurements.
- Provides a framework: Common Criteria evaluation is a repeatable and reproducible assessment process that gives sponsors and developers a stable framework for the Common Criteria certification of any future product or system.
How can your product get a Common Criteria certification?
The very first question that needs to be answered is whether your product needs Common Criteria certification and whether it is eligible.
Since 2010, a total of 1665 IT products have been Common Criteria certified. The most commonly evaluated categories were ICs, Smart Cards, Smart Card-Related Devices and Systems, Network and Network-Related Devices, Multi-Function Devices, Operating Systems, Databases, Access Control Devices, Boundary Protection Devices, and Systems.
What do you need to know about the evaluation?
We have collected, in a nutshell, the most important information you need to know about Common Criteria evaluation:
The Common Criteria evaluation process has 3 main participants:
- Sponsors and developers who submit their system or IT product for evaluation
- An independent and accredited laboratory that performs the evaluation
- The Certification Body that issues Common Criteria certifications.
Evaluation Assurance Level
Before the procedure starts, the Evaluation Assurance Level (EAL) against which the Common Criteria evaluation will be performed has to be selected.
There are 7 EAL levels:
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested and Reviewed
- EAL5: Semi-Formally Designed and Tested
- EAL6: Semi-Formally Verified Design and Tested
- EAL7: Formally Verified Design and Tested
Target of Evaluation
The IT product or system that gets evaluated is called the Target of Evaluation (TOE).
Basic steps of the Common Criteria certification process
- Product development and testing
- Preparation of related developer documentation
- Contract the Laboratory
- Laboratory evaluation and testing process
- Common Criteria certification issued by the Certification Body
Obtaining Common Criteria certification serves many purposes for the sponsor or developer, their customers, and cybersecurity in general. Although Common Criteria certification is becoming better known, it is important to remember that not every IT product or system is eligible for it.
Hopefully, we were able to provide useful information on the subject. If you have any further questions on the topic we recommend contacting a Common Criteria specialist for a consultation.