What is Common Criteria?
The Common Criteria for Information Technology Security Evaluation allow IT products to be evaluated against general security criteria. Common Criteria (CC) is an internationally recognized standard.
“Curious about Common Criteria? Wondering how it boosts cybersecurity? Look no further!
This guide unpacks the what, why, and how of Common Criteria, your passport to ensuring tech products are as secure as Fort Knox.
Discover the magic behind certification levels, debunk myths, and learn how your business can ride the security wave. Dive in, and arm yourself with the ultimate cybersecurity know-how!”
Contents
- What is Common Criteria?
- Importance of Common Criteria in Cybersecurity
- History and Evolution of Common Criteria
- Key Concepts of Common Criteria
- Common Criteria Evaluation Process
- Benefits of Common Criteria
- Common Criteria vs. Other Cybersecurity Standards
- Challenges and Limitations of Common Criteria
- Future Trends and Developments
- Common Myths and Misconceptions
- Frequently Asked Questions
  - What is the primary goal of Common Criteria?
  - How does the evaluation process work?
  - Are there different levels of certification?
  - Can Common Criteria certifications be revoked?
  - Is Common Criteria limited to software products?
  - How long does the evaluation typically take?
  - Can vendors influence the evaluation outcomes?
  - Is Common Criteria recognized internationally?
  - Are there any success stories of thwarted attacks due to Common Criteria?
  - How can companies leverage Common Criteria to enhance their cybersecurity posture?
What is Common Criteria?
Common Criteria (CC) is an internationally recognized framework used for evaluating the security features and capabilities of information technology (IT) products and systems. It provides a standardized and comprehensive approach to assessing the security attributes of these products, helping organizations make informed decisions about their cybersecurity investments.
Importance of Common Criteria in Cybersecurity
Common Criteria plays a crucial role in enhancing cybersecurity by establishing a common language and set of criteria for evaluating the security of IT products and systems. It helps ensure that products meet specified security requirements and are evaluated through a consistent and rigorous process.
This evaluation process aids in building trust among users, customers, and stakeholders, as they can rely on the fact that products with Common Criteria certifications have undergone thorough security assessments. Additionally, Common Criteria promotes interoperability and international collaboration by providing a globally recognized standard for security evaluation.
History and Evolution of Common Criteria
Origins of Common Criteria
The roots of Common Criteria can be traced back to the 1980s when different countries and organizations recognized the need for a standardized approach to evaluating the security of IT products. The concept of Common Criteria emerged from the collaboration between several countries, including the United States, Canada, the United Kingdom, France, Germany, and the Netherlands.
Development and Adoption
The Common Criteria framework was developed to address the varying evaluation standards and practices that existed at the time. The goal was to create a unified set of criteria that could be applied to a wide range of IT products, such as hardware, software, and firmware, across different industries and sectors. The development process involved input from various stakeholders, including governments, industry experts, and academia.
Versions and Revisions
Common Criteria has evolved over time through different versions and revisions. Each version introduces enhancements and improvements to the framework, reflecting advancements in technology and changes in security threats. Some of the key versions and revisions include:
- Common Criteria 1.0: The initial version, released in 1996, laid the foundation for the framework.
- Common Criteria 2.0: Introduced in 1998, this version refined the evaluation process and criteria.
- Common Criteria 3.0: Released in 2005, this version marked a significant step forward with improved structure and coverage of security aspects.
- Common Criteria 3.1: An incremental update in 2009, focusing on clarifications and improvements to the evaluation process.
- Common Criteria 3.1 Revision 4: This version, released in 2012, further refined the framework and introduced more flexibility in evaluation.
These versions and revisions reflect the ongoing effort to adapt Common Criteria to the evolving landscape of cybersecurity, technology, and global collaboration.
Key Concepts of Common Criteria
Protection Profiles (PPs)
Protection Profiles define sets of security requirements and objectives for a specific type of IT product or system. PPs serve as standardized templates that vendors and developers can use to ensure that their products meet the desired security standards.
They specify security features, functions, and assurances that should be present in the evaluated product. PPs facilitate consistency and comparability in security evaluations by providing a common baseline for assessment.
Security Target (ST)
A Security Target is a document prepared by the product developer or vendor that describes the security properties and features of the specific product or system to be evaluated. It outlines the security requirements, functional capabilities, and the intended environment of use.
The ST serves as the basis for the evaluation process, providing the context and details necessary for the evaluators to assess the product’s security claims.
Evaluation Assurance Levels (EALs)
EALs represent a scale of increasing assurance used to describe the depth and rigor of the security evaluation. There are seven defined EALs, each with its own set of security requirements and assessment procedures.
Higher EALs indicate a more comprehensive and rigorous evaluation process. EALs help stakeholders understand the level of confidence they can have in the security claims of a product.
Security Functional Requirements (SFRs)
Security Functional Requirements are specific security features and functions that a product must possess to meet the defined security objectives. SFRs are used to detail the specific security behaviors and capabilities that are expected from the evaluated product. They provide a granular description of how the product should behave in terms of security.
Target of Evaluation (TOE)
The Target of Evaluation refers to the specific IT product or system that is being evaluated for its security attributes. The TOE is the subject of the evaluation and is described in the Security Target. It encompasses the hardware, software, firmware, and any associated documentation that make up the product.
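The following Python example is added here to show how these concepts fit together; it is not from the original article or from any Common Criteria tooling. It checks a Security Target's claims against a Protection Profile baseline, a minimum EAL chosen by the buyer, and the deployed product version. The class names, the sample PP and the sample product are hypothetical; the SFR identifiers are real CC Part 2 component names. It assumes that a "+" suffix marks an augmented EAL, compared here by its base level, and that a certificate covers only the evaluated TOE version.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProtectionProfile:
    name: str
    required_sfrs: frozenset  # SFR components the PP mandates

@dataclass(frozen=True)
class SecurityTarget:
    toe: str                  # product under evaluation
    toe_version: str          # the exact version that was evaluated
    claimed_sfrs: frozenset   # SFR components the vendor claims
    claimed_eal: str          # e.g. "EAL4", or "EAL4+" when augmented

def parse_eal(text):
    """Return the base level (1-7) of 'EAL4' or 'EAL4+'; reject anything else."""
    m = re.fullmatch(r"EAL([1-7])\+?", text.strip().upper())
    if m is None:
        raise ValueError(f"not a valid EAL: {text!r}")
    return int(m.group(1))

def check_conformance(st, pp, min_eal, deployed_version):
    """Compare an ST with a PP baseline; an empty list means no findings."""
    findings = []
    missing = sorted(pp.required_sfrs - st.claimed_sfrs)
    if missing:
        findings.append("missing SFRs: " + ", ".join(missing))
    if parse_eal(st.claimed_eal) < min_eal:
        findings.append(f"{st.claimed_eal} is below required EAL{min_eal}")
    if deployed_version != st.toe_version:
        findings.append(
            f"deployed {deployed_version} differs from evaluated {st.toe_version}")
    return findings

# Constructed sample data (hypothetical PP and product, real SFR component names).
SAMPLE_PP = ProtectionProfile(
    name="Example Firewall PP",
    required_sfrs=frozenset({"FAU_GEN.1", "FIA_UAU.2", "FCS_COP.1", "FDP_IFF.1"}),
)
SAMPLE_ST = SecurityTarget(
    toe="ExampleWall",
    toe_version="3.2",
    claimed_sfrs=frozenset({"FAU_GEN.1", "FIA_UAU.2", "FDP_IFF.1", "FMT_SMR.1"}),
    claimed_eal="EAL2+",
)

if __name__ == "__main__":
    for finding in check_conformance(SAMPLE_ST, SAMPLE_PP, 4, "3.4"):
        print(finding)
```

Extra SFRs in the ST (here FMT_SMR.1) are not a finding: the PP is a baseline, so only missing components, a lower assurance level, or a version other than the evaluated one are reported.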
Common Criteria Evaluation Process
Phases of Evaluation
The Common Criteria evaluation process typically consists of the following phases:
- Initiation: The process begins with a formal request to start the evaluation, often submitted by the product developer or vendor.
- Security Target Definition: The vendor or developer creates a Security Target document that outlines the security properties of the TOE.
- Evaluation: The TOE is evaluated based on the criteria specified in the Security Target. This involves analysis, testing, and documentation to assess the product’s security attributes.
- Validation: The evaluation results are validated, ensuring that the process was conducted correctly and consistently.
- Certification: If the TOE meets the specified security requirements, it receives a certification from a recognized Certification Body.
- Maintenance: Periodic reviews and updates may be required to maintain the certification’s validity over time.
Role of Certification Bodies
Certification Bodies (CBs) play a crucial role in the Common Criteria evaluation process. They are independent organizations authorized to conduct evaluations and issue certifications. CBs review the evaluation documentation, conduct testing, and assess the product’s compliance with the specified requirements. If the product meets the criteria, the CB issues a certification.
Involvement of Developers and Evaluators
Product developers/vendors are responsible for creating the Security Target and providing necessary documentation for the evaluation. Evaluators, often from independent evaluation laboratories, assess the TOE’s security features based on the Security Target and applicable Protection Profiles. Evaluators follow a standardized methodology to analyze, test, and validate the TOE’s security attributes.
Benefits of Common Criteria
Global Recognition and Acceptance
Common Criteria provides a globally recognized and standardized framework for evaluating the security of IT products and systems. This international recognition helps vendors demonstrate their product’s security capabilities to a broader market and facilitates cross-border acceptance of security certifications.
Enhancing Product Security
By adhering to Common Criteria, vendors are encouraged to design and develop products with robust security features and functions. The evaluation process requires a comprehensive assessment of security requirements, leading to better identification and mitigation of potential vulnerabilities and threats.
Fostering Interoperability
Common Criteria promotes interoperability by defining Protection Profiles that establish common security requirements for specific types of products. This ensures that products from different vendors can be evaluated against the same standards, making it easier to integrate and use them in complex IT environments.
Building User Trust
Products that undergo Common Criteria evaluation and receive certification provide users and customers with a higher level of confidence in their security attributes. This trust is established through the rigorous and standardized evaluation process that the product has undergone.
Common Criteria vs. Other Cybersecurity Standards
Comparison with ISO 27001
ISO 27001 is a widely used international standard for information security management systems (ISMS). While both Common Criteria and ISO 27001 focus on cybersecurity, they serve different purposes.
ISO 27001 provides a framework for establishing, implementing, maintaining, and continually improving an ISMS. It is broader in scope and covers organizational processes and practices. On the other hand, Common Criteria is specific to evaluating the security attributes of IT products and systems.
Contrasting NIST Cybersecurity Framework
The NIST Cybersecurity Framework is a voluntary guideline developed by the National Institute of Standards and Technology (NIST) to help organizations manage and reduce cybersecurity risks. It provides a structured approach to identifying, protecting, detecting, responding to, and recovering from cyber threats. Unlike Common Criteria, which focuses on product evaluation, the NIST Cybersecurity Framework is designed to assist organizations in improving their overall cybersecurity posture.
Differentiating from FIPS 140-2
FIPS 140-2 (Federal Information Processing Standard Publication 140-2) is a U.S. government standard that specifies security requirements for cryptographic modules used in various systems. It defines four levels of security for cryptographic modules. While FIPS 140-2 focuses specifically on cryptographic modules, Common Criteria has a broader scope, covering a wide range of IT products and systems beyond just cryptographic modules.
Challenges and Limitations of Common Criteria
Complexity and Lengthy Evaluation
The Common Criteria evaluation process can be complex and time-consuming. It involves detailed documentation, analysis, testing, and validation, which can extend the time required for product development and release.
High Costs and Resource Intensive
Achieving Common Criteria certification can be expensive, particularly for smaller vendors or organizations with limited resources. The costs associated with evaluation, testing, and engaging with certification bodies can be substantial.
Adaptation to Rapid Technological Changes
The fast pace of technological advancements poses a challenge for Common Criteria. It may struggle to keep up with the rapid evolution of IT products and systems, potentially leading to delays in evaluating cutting-edge technologies.
Future Trends and Developments
Integration with Cloud Security
As more businesses migrate to cloud-based services, Common Criteria will likely need to evolve to address the unique security challenges and considerations associated with cloud computing.
Emphasis on Supply Chain Security
Given the increasing focus on supply chain security and the potential risks posed by third-party components, Common Criteria might incorporate more robust requirements for assessing and mitigating supply chain vulnerabilities.
Role in Emerging Technologies
Common Criteria will need to adapt to emerging technologies such as artificial intelligence (AI), Internet of Things (IoT), and quantum computing, ensuring that it remains relevant and effective in evaluating the security of these innovations.
Common Myths and Misconceptions
“Common Criteria Guarantees Unbreakable Security”
Common Criteria provides a rigorous evaluation process, but it does not guarantee absolute security. It ensures that a product meets specific security requirements at a certain point in time, but new vulnerabilities may emerge after certification.
“Only Government Agencies Benefit”
While governments often use Common Criteria to assess products for their security needs, the framework benefits a wide range of industries, including private enterprises and critical infrastructure providers seeking to enhance their cybersecurity posture.
“Too Complex for Small Businesses”
While Common Criteria can be resource-intensive, efforts are being made to streamline the evaluation process and make it more accessible, enabling smaller businesses to participate and benefit from the framework.
Frequently Asked Questions
What is the primary goal of Common Criteria?
The primary goal of Common Criteria is to provide a standardized and internationally recognized framework for evaluating the security attributes of information technology products and systems. It aims to enhance cybersecurity by ensuring that products meet specified security requirements and by fostering trust among users and stakeholders.
How does the evaluation process work?
The evaluation process involves several phases, including initiation, security target definition, evaluation, validation, certification, and maintenance. During evaluation, independent assessors review documentation, conduct testing, and assess compliance with specified security requirements and assurance levels.
Are there different levels of certification?
Yes, Common Criteria defines Evaluation Assurance Levels (EALs) that represent increasing levels of assurance. There are seven defined EALs, with higher levels indicating more rigorous evaluation and higher confidence in the product’s security attributes.
Can Common Criteria certifications be revoked?
Yes, certifications can be revoked if it is discovered that the certified product does not meet the specified security requirements, or if the product’s security is compromised due to vulnerabilities or other reasons.
Is Common Criteria limited to software products?
No, Common Criteria is not limited to software products. It covers a wide range of information technology products, including hardware, firmware, software, and systems.
How long does the evaluation typically take?
The duration of the evaluation process varies based on factors such as the complexity of the product, the assurance level being sought, the quality of documentation, and the availability of resources. Evaluations can take several months to a year or more.
Can vendors influence the evaluation outcomes?
Vendors can influence the evaluation outcomes by providing comprehensive and accurate documentation, engaging with evaluators, and ensuring that their product meets the specified security requirements. However, the evaluation process is conducted by independent assessors to maintain objectivity.
Is Common Criteria recognized internationally?
Yes, Common Criteria is internationally recognized and accepted. It is used by many countries and organizations as a basis for evaluating and certifying the security of IT products.
Are there any success stories of thwarted attacks due to Common Criteria?
While specific instances may not always be publicly disclosed due to security considerations, Common Criteria has contributed to identifying and mitigating vulnerabilities in various products, which can potentially prevent or minimize the impact of cyberattacks.
How can companies leverage Common Criteria to enhance their cybersecurity posture?
Companies can leverage Common Criteria by having their products evaluated and certified, which demonstrates a commitment to robust security practices. Additionally, using Common Criteria-certified products in their IT infrastructure can enhance their overall cybersecurity posture and build trust with customers and stakeholders.
In conclusion, Common Criteria stands as a foundational framework for evaluating and certifying the security of IT products and systems. Its evolution, key concepts, evaluation process, benefits, and real-world examples highlight its significance in today’s rapidly evolving cybersecurity landscape.
As technology advances, Common Criteria is expected to adapt and play a pivotal role in ensuring the security and trustworthiness of emerging technologies. Addressing myths and misconceptions, along with clarifying frequently asked questions, further underscores the importance of Common Criteria in fortifying digital defenses and fostering a more secure digital world.
Information Security Asia is the go-to website for the latest cybersecurity and tech news in various sectors. Our expert writers provide insights and analysis that you can trust, so you can stay ahead of the curve and protect your business. Whether you are a small business, an enterprise or even a government agency, we have the latest updates and advice for all aspects of cybersecurity.