The Common Criteria for Information Technology Security Evaluation (CC for short)
The Common Criteria are an international standard for information technology security certification.
A product is evaluated against a security target which specifies what security properties the product must meet. The security target may be based on a protection profile. The evaluation is performed by a government-accredited laboratory from a participating country.
A CC evaluation is based on a combination of assurance factors (security assurance requirements):
- Evaluation documentation (ASE): security target, security objectives, conformance claims, etc.
- Lifecycle considerations (ALC): tools used during development, delivery methods, etc.
- Design considerations (ADV): functional and security architecture, modularity of design, documented interfaces, etc.
- User guidance (AGD)
- Tests (ATE): coverage and depth by the developer, and independent testing by the evaluator
- Vulnerability analysis (AVA): penetration testing by the evaluator
Which security assurance requirements are needed for an evaluation depends on its evaluation assurance level (EAL). Standard numerical EALs range from 1 (which provides basic confidence in correct operation when there are no security threats) to 7 (which involves formal verification for high-security applications). Custom EALs are also possible.
The Common Criteria are so called because they are an international standard for security evaluation; all participating countries use the same set of criteria. Participating countries also recognize evaluations performed in other countries for assurance levels up to EAL4.
As of 2013, a Common Criteria reform is in progress, to address criticism that CC evaluations are too heavyweight and do not always provide the expected assurances. The transition is expected to take several years, with reduced international recognition of evaluations in the meantime.
