| Common Criteria | |
|---|---|
| Name | Common Criteria |
| Established | 1999 |
| Jurisdiction | International |
| Related | International Organization for Standardization, International Electrotechnical Commission |
The Common Criteria is an international framework for specifying, evaluating, and certifying the security properties of information technology products and systems. It provides standardized terminology and criteria so that security evaluations can be mutually recognized among signatory nations and can inform procurement decisions by agencies and corporations. The framework influences certification policy at agencies such as the National Institute of Standards and Technology, the European Union Agency for Cybersecurity, and the Department of Defense (United States), and at corporations including Microsoft, IBM, and Cisco Systems.
The Common Criteria defines a set of security functional requirements and assurance measures used by evaluators from laboratories like National Information Assurance Partnership, CESG (now part of National Cyber Security Centre (United Kingdom)), and private firms including BSI Group, TÜV Rheinland, NCC Group. It interfaces with standards such as ISO/IEC 15408, ISO/IEC 17799, ISO/IEC 27001, ISO/IEC 18045 and aligns with procurement regimes in jurisdictions represented by Canada, Japan, Australia, New Zealand. Large vendors such as Intel, ARM Holdings, Honeywell, Schneider Electric submit Protection Profiles and Target of Evaluation documentation for products ranging from Windows NT–era systems to Android (operating system), Red Hat Enterprise Linux, VMware ESXi, Oracle Solaris.
Origins trace to national evaluation schemes like the Trusted Computer System Evaluation Criteria used by United States Department of Defense, and European initiatives such as the European Union's ITSEC. Key milestones include adoption of the international standard ISO/IEC 15408 and formation of the Common Criteria Recognition Arrangement among signatories including United States, United Kingdom, Germany, France, Netherlands, Spain, Italy and later South Korea, Brazil, India. Influential organizations in development included NATO and intergovernmental bodies such as Organisation for Economic Co-operation and Development. High-profile evaluations have involved products from Apple Inc., Google, Siemens, Ericsson, and BlackBerry Limited.
The Common Criteria framework comprises Protection Profiles (PPs), Security Targets (STs), and Evaluation Assurance Levels (EALs). Protection Profiles are authored by consortia and agencies such as the National Security Agency, the Communications-Electronics Security Group, and the European Commission, and by industry groups such as the Trusted Computing Group and The Open Group. Security Targets are produced by vendors such as Juniper Networks, Fortinet, Palo Alto Networks, and Check Point Software Technologies to specify the scope of the Target of Evaluation (TOE). Laboratories accredited by national bodies, such as the Council of the European Union's national accreditation bodies, ANAB (formerly the ANSI-ASQ National Accreditation Board), and DAkkS, perform testing guided by the methodology in ISO/IEC 18045. The framework references cryptographic standards created by the International Organization for Standardization and the International Electrotechnical Commission, and algorithm suites standardized by the National Institute of Standards and Technology and adopted in protocols from Transport Layer Security to IPsec implementations by vendors such as Cisco Systems.
EALs range from EAL1 through EAL7, representing ascending depth of design and testing evidence. Governments and agencies including Department of Homeland Security (United States), Ministry of Defence (United Kingdom), Bundesamt für Sicherheit in der Informationstechnik set policy about acceptable EALs for procurements. Protection Profiles exist for categories such as firewalls, smart cards, mobile devices, virtualization and cloud components produced by standards bodies like ETSI, industry consortia such as PCI Security Standards Council, and vendors including Gemalto, Infineon Technologies. Examples of targeted technologies evaluated under specific PPs include hardware security modules by Thales Group, secure elements used by Apple Pay and Android Pay ecosystems, and network appliances by F5 Networks.
Certification involves vendor submission of an ST, independent evaluation by an accredited laboratory, and adjudication by a national certification body such as the Communications Security Establishment (Canada), ANSSI (France), the Federal Office for Information Security (Germany), or the National Information Technology Board (Pakistan). Laboratories follow ISO/IEC 17025 methodologies and hold accreditation from bodies such as ILAC and IAF. Mutual recognition arrangements such as the Common Criteria Recognition Arrangement allow certificates issued by Canada, Taiwan, Singapore, or New Zealand to be accepted by other members. High-assurance certifications have been part of procurement for NATO communications, European Central Bank infrastructure, and critical infrastructure vendors such as ABB and Schneider Electric.
Adoption spans national agencies, financial institutions such as SWIFT, defense contractors including Lockheed Martin and Raytheon Technologies, and telecommunications firms such as Nokia and Ericsson. Critics from academia (researchers at institutions such as the Massachusetts Institute of Technology, the University of Cambridge, and Carnegie Mellon University) and from industry argue that certification can be costly and slow and may stifle innovation, a concern also raised by analysts at Gartner and Forrester Research. Debates have compared the Common Criteria with alternative approaches such as FIPS 140, PCI DSS, OWASP guidance, and newer assurance proposals from Internet Engineering Task Force working groups. Reform discussions have involved European Commission policy makers, US Congress committees, and standards bodies such as ISO, with the aim of improving responsiveness to emerging threats exemplified by Stuxnet, WannaCry, and supply-chain compromises linked to vendors such as SolarWinds.
Category:Information security standards