LLMpedia: The first transparent, open encyclopedia generated by LLMs

Common Criteria

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: Common Criteria
Status: Published
Year started: 1999
Version: 3.1 Release 5
Related standards: ISO/IEC 15408, ITSEC, TCSEC
Organization: International Organization for Standardization
Domain: Information security, Computer security

The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It provides a framework in which computer system users can specify their security requirements, vendors can then implement security features, and testing laboratories can evaluate products to determine if they meet the claimed security assurances. The standard is formally recognized as ISO/IEC 15408 and is used globally by governments and corporations to assess the security of information technology products and systems.

Overview

The framework establishes a common set of requirements for the security functions of IT products and for assessing assurance measures. It allows comparability between the results of independent security evaluations, which is crucial for entities like the National Security Agency or the Bundesamt für Sicherheit in der Informationstechnik. The core concepts involve **Protection Profiles**, **Security Targets**, and **Evaluation Assurance Levels**, which define a standardized language for security specifications. This approach is designed to replace older, region-specific criteria such as the Trusted Computer System Evaluation Criteria used in the United States and the Information Technology Security Evaluation Criteria from Europe.

History and development

The development was driven by the need to harmonize various national and regional evaluation criteria that emerged in the late 1980s and early 1990s. Key precursors included the U.S. Department of Defense's **Orange Book** (TCSEC), the European **ITSEC**, and the Canadian **CTCPEC**. In 1990, the International Organization for Standardization began work to unify these efforts. A pivotal agreement, the **Common Criteria Recognition Arrangement**, was signed in 1998 by nations including Germany, the United Kingdom, France, Canada, and the United States, leading to the formal publication of the first version in 1999. The standard is maintained by the **Common Criteria Development Board**.

Structure and components

The documentation is divided into three distinct parts. Part 1 introduces the general model and defines key concepts like the **Target of Evaluation**. Part 2 contains a catalog of standardized security functional requirements, which can be used to build a **Security Target** for a specific product like a firewall or smart card. Part 3 provides a catalog of assurance requirements, which are grouped into pre-defined **Evaluation Assurance Levels** ranging from EAL1 to EAL7. These components allow for the creation of a **Protection Profile**, a reusable specification for a category of devices, such as those used in NFS or PKI systems.
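The relationship between the three parts can be made concrete with a small conformance check: a Protection Profile fixes a set of Part 2 functional components and a minimum Part 3 assurance level, and a Security Target for a specific Target of Evaluation claims components and an EAL that an evaluator then compares against the profile. The following is an added illustration, not code from the page or from the Common Criteria project. The component identifiers follow the real Part 2 naming scheme (class_family.component, e.g. FAU_GEN.1), but the "Basic Firewall" profile, the two Security Targets and the conformance rule (strict conformance: every profile requirement claimed, claimed EAL at least the profile minimum) are constructed, simplified assumptions for the example.

```python
"""Toy model of Protection Profile (PP) vs. Security Target (ST) conformance.

Added example; not the standard's own tooling. The selection of components and
the conformance rule are constructed simplifications of what an evaluator checks.
"""
import re
from dataclasses import dataclass

# CC catalogue identifier shape: class (3 letters), family (3 letters), component
# number, e.g. FAU_GEN.1 (Part 2, functional). Only functional components are
# modelled here; Part 3 assurance is reduced to the EAL number.
SFR_ID = re.compile(r"^F[A-Z]{2}_[A-Z]{3}\.[1-9]\d*$")
EAL_RANGE = range(1, 8)  # EAL1 .. EAL7, the packages defined in Part 3


@dataclass(frozen=True)
class ProtectionProfile:
    """Reusable requirement set for a product category."""
    name: str
    required_sfrs: frozenset  # Part 2 components every conformant ST must claim
    minimum_eal: int          # lowest assurance package the PP accepts


@dataclass(frozen=True)
class SecurityTarget:
    """Vendor's claims for one concrete Target of Evaluation."""
    toe: str
    claimed_sfrs: frozenset
    claimed_eal: int


def check_conformance(st: SecurityTarget, pp: ProtectionProfile) -> list:
    """Return the findings an evaluator would raise; an empty list means the ST conforms.

    Assumed rule (strict conformance): every PP component must be claimed and the
    claimed EAL must be at least the PP minimum; extra SFRs in the ST are allowed.
    """
    findings = []
    # Syntax check first: a malformed identifier cannot be matched against the catalogue.
    for sfr in sorted(st.claimed_sfrs | pp.required_sfrs):
        if not SFR_ID.match(sfr):
            findings.append(f"malformed functional component id: {sfr}")
    if st.claimed_eal not in EAL_RANGE:
        findings.append(f"claimed EAL{st.claimed_eal} is outside EAL1..EAL7")
    # Coverage: each PP requirement must appear in the ST.
    for sfr in sorted(pp.required_sfrs - st.claimed_sfrs):
        findings.append(f"PP '{pp.name}' requires {sfr} but the ST does not claim it")
    # Assurance: the ST may claim more assurance than the PP asks for, never less.
    if st.claimed_eal in EAL_RANGE and st.claimed_eal < pp.minimum_eal:
        findings.append(
            f"ST claims EAL{st.claimed_eal}, below PP minimum EAL{pp.minimum_eal}"
        )
    return findings


# Constructed sample data: a hypothetical firewall PP and two candidate STs.
FIREWALL_PP = ProtectionProfile(
    name="Basic Firewall PP (constructed sample)",
    required_sfrs=frozenset(
        {"FAU_GEN.1", "FDP_IFC.1", "FDP_IFF.1", "FIA_UAU.2", "FMT_SMR.1"}
    ),
    minimum_eal=2,
)

ST_GOOD = SecurityTarget(
    toe="ExampleGate v1 (constructed)",
    claimed_sfrs=frozenset(
        {"FAU_GEN.1", "FDP_IFC.1", "FDP_IFF.1", "FIA_UAU.2", "FMT_SMR.1", "FTP_ITC.1"}
    ),
    claimed_eal=4,
)

ST_BAD = SecurityTarget(
    toe="ExampleGate lite (constructed)",
    # "FMT_SMR1" is a deliberate typo and FDP_IFF.1 is omitted.
    claimed_sfrs=frozenset({"FAU_GEN.1", "FDP_IFC.1", "FIA_UAU.2", "FMT_SMR1"}),
    claimed_eal=1,
)


def evaluate_samples() -> dict:
    """Run both constructed STs against the constructed PP; keyed by TOE name."""
    return {st.toe: check_conformance(st, FIREWALL_PP) for st in (ST_GOOD, ST_BAD)}


if __name__ == "__main__":
    for toe, findings in evaluate_samples().items():
        print(f"{toe}: {'conforms' if not findings else 'does not conform'}")
        for finding in findings:
            print("  -", finding)
```

The order of the checks mirrors how an evaluator would triage a draft ST: identifiers that do not parse are reported before coverage gaps, because a typo such as `FMT_SMR1` is otherwise indistinguishable from a missing requirement.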

Evaluation process

An evaluation is conducted by an independent, accredited commercial testing laboratory, known as a **Common Criteria Testing Laboratory**. The process begins when a vendor sponsors a product for evaluation against a specific **Security Target**. The laboratory then conducts a rigorous assessment, examining design documentation, conducting penetration testing, and analyzing the development lifecycle. The outcome is a formal validation report, which is submitted to a national **Certification Body**, such as the National Institute of Standards and Technology in the U.S. or the Communications Security Establishment in Canada, for final certification. Successful products are listed on an official **Certified Products List**.

International recognition and use

The standard is recognized under the **Common Criteria Recognition Arrangement**, which allows certificates issued by one member nation to be recognized by all others. Signatories to this arrangement include many nations within the European Union, as well as Australia, New Zealand, Japan, and South Korea. It is extensively used for certifying products intended for government and critical infrastructure use, such as cryptographic modules, operating systems like Microsoft Windows, and data encryption devices. Major procurement policies, including those of the U.S. Department of Defense, often mandate certification for sensitive systems.

Criticisms and limitations

Critics argue that the process can be prohibitively expensive and time-consuming, potentially stifling innovation and favoring large corporations like IBM or Cisco Systems. The focus on extensive documentation has been labeled as promoting "paper security" over practical resilience. Furthermore, the static nature of an evaluation provides only a snapshot in time and does not guarantee security against future threats, such as those from advanced persistent threats. Some experts, including those from the IETF and the ACM, contend that alternative assurance methods, like continuous red teaming and open-source audits, may be more effective for dynamic environments like cloud computing.

Categories: Computer security standards; International standards; Information technology management