8

It has been said Common Criteria solves a "Compliance problem, and not a security problem". Can someone explain where CC certification is required or benefits an industry?

Is it simply a marketing angle that helps sell a product to less-informed VPs/execs? What are the practical benefits of it, or where is it beneficial?

makerofthings7
  • 50,090
  • 54
  • 250
  • 536

1 Answer

10

Common Criteria is a checkbox on DoD and other government department procurement processes. As you are probably aware, CC evolved from TCSEC in the States and combined ITSEC (Europe) and CTCPEC (Canada). So there are those that argue that Common Criteria sets down a standard model of security awareness for any product that goes through its process.

With that said, and as a Canadian Common Criteria evaluator, I can tell you that there are constant disagreements within the CC industry as to whether the process helps provide any assurance or whether it is merely an unsatisfactory checkbox.

Ultimately the big end-vendors -- your Microsofts, your HPs, your Oracles -- all want to sell to the government. They cannot do this without the CC certificate, so they consent to have their system evaluated. They are interested in the final certificate (technically, as long as they are "in evaluation" that may be all they need to sell).

Assurance is a two-dimensional beast in CC. On one axis, you have the security functions that the product is claiming to offer (e.g. smart-card identification and authentication for workstations). On the other dimension, you have the level of rigour and effort put into testing that those claims work and are securely implemented.

The CC industry has decided to force a reduction in the rigour of the evaluation (you can only go up to Evaluation Assurance Level 2 instead of 4 [the higher the number, the more rigour applied]). The idea is to speed up the evaluations, make them cheaper, and allow more vendors to seek them.

The question that always comes up within CC is: does the process make a difference? It does, and it doesn't. CC is mostly about analysing the security of the architecture and end-to-end development process. Only a very small component of the overall assurance is related to testing and vulnerability analysis. It is this lack of testing which many people (including myself) see as a problem within CC. There are changes coming through now which aim to increase the focus on testing while reducing the amount of effort spent on analysing documentation. This is a good thing.

Does it help other industries? It can, but it certainly isn't mandated. Many industries have their own certification processes. There have been attempts to apply CC to health care (the BITS framework) and also to industrial control and analysis systems (e.g. SCADA systems).

logicalscope
  • 6,344
  • 3
  • 25
  • 38