With the help of the Common Criteria for Information Technology Security Evaluation, IT products can be evaluated according to general criteria regarding their security. Common Criteria (CC) is an internationally recognized standard.
What is Common Criteria?
The term Common Criteria (CC) stands for the long-form Common Criteria for Information Technology Security Evaluation and translates into German as “Common Criteria for Information Technology Security Evaluation”. It is an internationally valid standard that can be used to evaluate and test the security of IT products according to general criteria.
Initial work on the standard was carried out as early as 1993 by the Common Criteria Editorial Board (CCEB), which was made up of members from various countries such as Germany, France, Great Britain, Canada, and the USA. The first version of the CC was published in 1996. In 1999, the CC became a globally recognized standard with the adoption of ISO/IEC 15408. Currently, they are published in version 3.1.
Basic model and structure of the Common Criteria
The basic model of the CC distinguishes between the functional scope and the quality (trustworthiness) of an IT product. The trust arises from the testing of the product by an independent authority. The structure of the CC is divided into three sub-areas. These are:
- Introduction and general model
- Functional security requirements
- Trustworthiness requirements
The introduction part of the CC describes the general scope and the basics of security evaluation. The functional security requirements include a comprehensive catalog that can be used to describe the functionality of the product under evaluation. Finally, the third part lists the requirements for the trustworthiness of the test object.
Objectives of the Common Criteria for Information Technology Security Evaluation
The goal of the Common Criteria is to prove, through certification by an independent body, that the product fulfills the required security functions according to a certain evaluation level. This increases the competitiveness of a product and, in the case of liability issues, the required due diligence can be demonstrated.
Another goal of CC certification is integration into international agreements. This eliminates the need to certify IT products multiple times according to different national standards. There is an official list of countries that recognize certification according to CC.
The various EAL levels of the CC
The Common Criteria define different levels of assurance. These are called Evaluation Assurance Level (EAL) and range from EAL1 to EAL7. While level EAL1 certifies only functional verification, the highest evaluation level EAL7 means “formally verified design and tested”. As EAL numbers increase, so does the effort and depth of testing to be performed.
Certification according to CC
The Common Criteria use the four-eyes principle for testing security features. First, an evaluation is performed by an accredited testing body. Then certification takes place by a recognized institution. In Germany, the Federal Office for Information Security (BSI) is an accredited certification body.
The BSI fulfills the task of issuing security certificates for IT products. For this, the manufacturer or the distributor of the product must initiate the certification. The testing is carried out by a BSI-approved testing body. The result of the certification is recorded in a detailed report. It contains a detailed certification report and a summary assessment (the security certificate).