Common Criteria Certification 101 and Current Tendencies

The Common Criteria for Information Technology Security Evaluation, referred to for short as Common Criteria or CC, is an international standard for the independent security evaluation and certification of IT products implemented as hardware, firmware or software. This certification scheme has been gaining popularity over the past 20 years because it provides assurance about the security capabilities of products used in governmental institutions and in organizations operating critical infrastructure.


Under Common Criteria, various types of IT products can be evaluated and certified by independent security evaluation facilities and certification bodies. The products that can be certified under the methodology include software products (e.g. data erasure tools, antivirus software, databases, operating systems, etc.) as well as hardware and embedded products (smart cards, ICs, IoT devices, medical devices, smart meters, network devices, etc.). A product can be evaluated against one of seven levels of assurance (Evaluation Assurance Levels, EAL1 to EAL7), each increasing the depth and coverage of the testing.

A Common Criteria evaluation strictly follows a set of security requirements and evaluation requirements defined in the methodology. This methodology consists of several documents, as follows:

  • Part 1: Introduction and general model
  • Part 2: Security functional components
  • Part 3: Security assurance components
  • Common Methodology for Information Technology Security Evaluation (CEM)

The requirements defined in “Part 2: Security functional components” serve as the basis for evaluating products. They define the expected (claimed) security capabilities of the product within the scope of the evaluation. Examples of such capabilities include cryptography, authentication, authorization, physical protection, logging of events, etc. Every product evaluated under Common Criteria therefore selects the relevant capabilities from the list defined in Part 2, with the option to define custom capabilities where needed. This ensures that the same security expectations apply regardless of the type, make or category of the product, which in turn ensures uniformity and international recognition of the results.


From an evaluation point of view, the necessary requirements are also standardized, in “Part 3: Security assurance components”. The requirements in this part define clearly how a security evaluation lab should perform the assessment activities in scope. Typically, these combine documentation review, process review, validation and penetration testing. Part 3 also defines how the conclusions of an evaluation are interpreted and reported. This ensures that every licensed laboratory tests the product and interprets the results in the same way.


A Common Criteria certificate can currently be issued by various certification bodies, each operating within a national certification scheme. The national schemes are grouped into mutual recognition agreements, under which they directly recognize the evaluation results and certificates of one another. The most relevant mutual recognition agreements in the CC domain are the CCRA (a global agreement recognizing certificates up to level 2, EAL2) and SOG-IS (a European agreement recognizing certificates irrespective of the level).

Companies certify their products to gain various benefits, which include but are not limited to:

  • International mutual recognition of the certificate
  • Strong demonstration of claimed security capabilities in a product
  • Strong basis for obtaining strategic partnerships with local governments or product integrators and bringing the product to the new markets
  • Advantage over similar uncertified competitor products

In the last several years, CC evaluations and certifications have been especially popular in the world of smart cards and integrated circuits. Recently, however, the trend has been shifting towards a wider variety of products that companies are willing to certify. Product lines attracting particular interest with respect to CC include, for example, software threat protection applications, network devices and software, multi-functional printers and even consumer IoT devices. For smart cards and ICs, an evaluation typically targets the higher assurance levels (EAL5 or higher) to reflect the high risks associated with these products.

Such a high-EAL evaluation, on the other hand, would be relatively challenging for an IoT device, for example, given its duration and cost. IoT products (and embedded devices in general) need quick and smooth certification options, which are much more in line with the lower CC evaluation levels such as EAL1, EAL2 or EAL3. An evaluation at these assurance levels still provides the high recognition of a CC certificate, while keeping the duration, budget and required customer interaction lower.

About Secura CC Lab

Secura is currently licensed as a CC laboratory under the Dutch Common Criteria scheme, NSCIB. Despite the challenging times of COVID-19, the Dutch NSCIB scheme has secured an impressive position on the CC market, ranking 3rd in the number of certified products in 2020. While the majority of countries faced an overall decline in numbers, the Netherlands was able to significantly grow the number of issued certificates in the past few years, including 2020. Advantages of the NSCIB scheme include a clear and predictable evaluation process, as well as clear planning of activities, which avoids possible delays.


Secura specializes in performing CC evaluations on a broad range of product categories, including software and application products, IoT devices, medical and industrial products, smart meters, network and telecommunication equipment, etc. By drawing on our 20+ years of experience in software and embedded security, combined with the rigour of the CC methodology, a smooth evaluation process is guaranteed. Secura is able to support interested companies throughout the whole journey towards achieving a CC certificate, including initial consultation and document preparation, the evaluation itself, and support with obtaining the certificate quickly.

Feel free to reach out for more details, or access our dedicated page on Common Criteria here.

Fact sheets

Common Criteria

Overview of Common Criteria and our services.


White papers

Implementation Guide Common Criteria for Software and Embedded Products
