
ISO/IEC 15408

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: ISO/IEC 15408
Other names: Common Criteria
Status: Published
First published: 1999
Family: ISO standards, IEC standards

ISO/IEC 15408 is an international set of standards defining security evaluation criteria used to assess the assurance and functionality of information technology products and systems. The standard was influenced by earlier initiatives such as the Rainbow Series, ITSEC and the CCEB, and was coordinated among bodies including ISO, IEC, CEN and CENELEC and national laboratories like NIST and GCHQ. Implementations and certifications under the standard have involved vendors like Microsoft, IBM and Cisco Systems, and governments such as the United States Department of Defense, the Government of Canada and the Australian Signals Directorate.

Overview

ISO/IEC 15408 defines a framework of protection profiles, security functional requirements, and security assurance requirements used to evaluate products ranging from operating systems to smart cards and virtualization platforms. The standard separates security functionality from assurance so that developers such as Intel Corporation and ARM Holdings and evaluators like BSI (Germany), the Common Criteria Recognition Arrangement, and Common Criteria Testing Laboratories can apply consistent criteria. Evaluations result in certificates that are recognized through arrangements involving nations including the United Kingdom, France, Japan, and the Netherlands.

History and development

Work on ISO/IEC 15408 synthesized concepts from the Rainbow Series (notably the Orange Book), the European ITSEC criteria, and national efforts such as TCSEC in the United States Department of Defense. Early contributors included agencies like the Communications-Electronics Security Group and research institutions such as the Fraunhofer Society and the RAND Corporation. The first edition, formalized in the late 1990s, was followed by revisions and maintenance by joint technical committees including ISO/IEC JTC 1 and subcommittees such as SC 27.

Structure and components

The standard is organized into three parts: a general introduction and general model, security functional requirements (SFRs), and security assurance requirements (SARs). Components include protection profiles, security targets, and evaluation assurance levels; these elements link to development artifacts from vendors such as Red Hat, Oracle Corporation, or Samsung Electronics when producing security targets. The structure references methodology from bodies like ITU and testing practices used at laboratories such as CSAIL and SRI International.

Evaluation assurance levels and profiles

ISO/IEC 15408 defines Evaluation Assurance Levels (EAL1–EAL7) that represent increasing rigor in assurance evidence and testing; they are used in protection profiles for categories like smart card payment systems, trusted platform module designs, and network devices from companies including Juniper Networks and Arista Networks. Protection profiles have been published for domains such as banking, ePassport implementations, and SCADA components, and are referenced by national schemes like the Common Criteria Recognition Arrangement and agencies including CSE (Canada) and ANSSI.

Certification process and governance

Certification under ISO/IEC 15408 is administered by national certification bodies such as BSI (Germany), CCN (Spain) and NIAP (United States), and by evaluation laboratories accredited by organizations like ILAC. The governance model involves the Common Criteria Management Board and mutual recognition via the Common Criteria Recognition Arrangement, with oversight and policy inputs from governments such as Germany, the United States and Japan, and from international groups like the OECD in procurement and interoperability discussions. Evaluators follow methodologies similar to those used by ISO/IEC 17025 laboratories and report findings to certification bodies.

Adoption and impact

Adoption of ISO/IEC 15408 has affected procurement policies in organizations such as NATO, national ministries including the Ministry of Defence (United Kingdom), and corporations like Siemens and Thales Group. The standard has influenced product roadmaps at vendors such as Apple Inc. and Google, where certified components feed into broader security architectures used by enterprises including Goldman Sachs and HSBC. International trade and export controls, involving entities like Wassenaar Arrangement participants, have been shaped by certification expectations around cryptographic modules and key management systems.

Criticisms and limitations

Critiques of ISO/IEC 15408 include concerns about the cost and duration of evaluations for vendors from Taiwan and India, the potential for certifications to lag behind threats identified by CERT teams and agencies like NSA, and debates about the standard’s suitability for emerging paradigms such as cloud computing and Internet of Things. Scholars and think tanks including Chatham House and Brookings Institution have noted that assurance levels emphasize development documentation and testing artifacts over adversary modeling, and that coordination among national bodies like ANSSI and NCSC can produce divergent interpretations.
