What Are the Common Criteria (CC)?
by josheph bell
March 25, 2025
Learn how the Common Criteria (CC) serve as an international security standard for certifying and evaluating IT products.
Introduction
The Common Criteria for Information Technology Security Evaluation (CC), or simply Common Criteria, are an internationally recognized security standard for evaluating and certifying IT products and systems. They provide a structured security assessment framework and establish trust in the security features of hardware, software, and IT services.
The Common Criteria were developed to create globally consistent security evaluation methods, making it easier to compare and recognize security certifications across countries. Over 30 nations, including the USA, Germany, France, Canada, and Japan, officially use the Common Criteria as their national security standard.
Goals and Importance of the Common Criteria
1. Standardized Security Evaluation for IT Products
- The Common Criteria provide a universal assessment framework for testing the security features of IT products.
- Businesses and governments benefit from a globally recognized certification system, ensuring reliable product security.
2. Helping Organizations Choose Secure IT Products
- Companies and government agencies rely on CC-certified products to ensure that security requirements have been objectively evaluated.
- In critical sectors such as finance, healthcare, and defense, CC certification is often mandatory for IT deployment.
3. Enhancing IT Security Through Independent Assessments
- Common Criteria evaluations are conducted by independent, accredited testing laboratories that rigorously test security functions.
- Regular assessments and updates ensure that CC-certified products meet modern cybersecurity standards.
Structure of the Common Criteria
The Common Criteria consist of several key components that define the evaluation process:
1. Protection Profiles (PPs)
- Protection Profiles define general security requirements for a specific product category.
- For example, a PP for smart cards, firewalls, or operating systems lists the security functions that products in that category must provide.
2. Security Targets (STs)
- A Security Target describes the specific security features of an individual product being evaluated.
- It defines the security functions and mechanisms that the manufacturer has implemented to meet security requirements.
3. Evaluation Assurance Levels (EALs)
- The EAL scale (EAL1 to EAL7) represents the level of confidence that a product's security evaluation provides.
- The higher the EAL, the more rigorous the security testing and verification process.
| EAL | Description | Typical Use Cases |
| --- | --- | --- |
| EAL1 | Functionally tested | Low-security applications (e.g., basic software) |
| EAL2 | Structurally tested | Standard IT products with moderate security needs |
| EAL3 | Methodically tested and checked | Enterprise software, network devices |
| EAL4 | Methodically designed, tested, and reviewed | Firewalls, operating systems, secure networks |
| EAL5 | Semi-formal design analysis and testing | High-security chips, smart cards |
| EAL6 | Formally verified and tested design | Highly secure cryptographic systems, government IT |
| EAL7 | Fully verified and tested security architecture | Military and highly classified government systems |
Common Criteria Certification Process
The certification process for IT products under the Common Criteria follows several key steps:
1. Defining Security Objectives
- The manufacturer outlines the security goals in a Security Target (ST), detailing the security features the product is designed to meet.
- If a Protection Profile (PP) exists for the product category, it can be used as a reference.
2. Independent Security Evaluation by an Accredited Laboratory
- A CC-accredited testing laboratory examines the implementation of security mechanisms.
- Depending on the EAL, the assessment includes documentation review, penetration testing, and source code analysis.
3. Certification Issuance
- Upon successful evaluation, a national certification authority (e.g., the BSI in Germany or the NSA in the U.S.) issues a Common Criteria certificate.
- The product is then listed in a public CC database, allowing companies and governments to verify its certification status.
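As an added illustration that is not part of the article, here is a Python check of the kind a procurement or security team could run against a certified-products export before trusting a vendor's "CC certified" claim: it parses the assurance string, including the "+" that marks an EAL augmented with extra assurance components (for example ALC_FLR.2 for flaw remediation), and rejects entries that are archived, expired, or below the required EAL. The column names and the three rows are a constructed sample; the real CC portal export may use different columns.

```python
import csv
import io
import re
from datetime import date

# Constructed sample in the shape of a certified-products export; these are not real certificates.
SAMPLE_CSV = """Name,Scheme,Certification Date,Expiration Date,Assurance Level,Protection Profile,Status
Acme Firewall 9.1,US,2023-06-14,2028-06-14,EAL4+ ALC_FLR.2,Network Device cPP,Certified
Acme Firewall 8.0,US,2018-03-02,2023-03-02,EAL4,Network Device cPP,Archived
Foo SmartCard OS 2,DE,2024-01-20,2029-01-20,EAL5+ AVA_VAN.5 ALC_DVS.2,,Certified
"""

EAL_RE = re.compile(r"^EAL(?P<level>[1-7])\+?\s*(?P<aug>.*)$")

def parse_eal(text):
    """Split 'EAL5+ AVA_VAN.5 ALC_DVS.2' into (5, ['AVA_VAN.5', 'ALC_DVS.2']).
    The '+' means the EAL package is augmented with the listed assurance components."""
    m = EAL_RE.match(text.strip())
    if not m:
        return None, []
    aug = [a for a in re.split(r"[,\s]+", m.group("aug")) if a]
    return int(m.group("level")), aug

def check_certification(csv_text, product, min_eal, today, required_aug=()):
    """Look a product up in the export and report whether its certificate meets a
    procurement bar: listed, status Certified, not expired (as of the ISO date `today`),
    EAL >= min_eal, and carrying every augmentation component named in required_aug."""
    today = date.fromisoformat(today)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Name"] != product:
            continue
        level, aug = parse_eal(row["Assurance Level"])
        expires = date.fromisoformat(row["Expiration Date"])
        problems = []
        if row["Status"] != "Certified":
            problems.append(f"status is {row['Status']}")
        if today > expires:
            problems.append(f"certificate expired on {expires}")
        if level is None or level < min_eal:
            problems.append(f"assurance level {row['Assurance Level']!r} is below EAL{min_eal}")
        missing = [c for c in required_aug if c not in aug]
        if missing:
            problems.append("missing augmentation: " + ", ".join(missing))
        return {"found": True, "eal": level, "augmentations": aug, "scheme": row["Scheme"],
                "accepted": not problems, "problems": problems}
    return {"found": False, "accepted": False, "problems": ["not listed in the export"]}

if __name__ == "__main__":
    print(check_certification(SAMPLE_CSV, "Acme Firewall 8.0", 4, "2025-03-25"))
```

Swap SAMPLE_CSV for the text of a downloaded export and the same function answers "is this exact product and version still certified at the level we require?" rather than "does the vendor's datasheet mention Common Criteria?".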
Applications of the Common Criteria
CC-certified products are widely used in security-sensitive areas:
1. Network Security and Firewalls
- Firewalls, VPN gateways, and Intrusion Detection/Prevention Systems (IDS/IPS) undergo Common Criteria evaluation to ensure they provide adequate protection against cyber threats.
- Organizations with high-security requirements rely on CC-certified solutions for network protection.
2. Cryptography and Smart Cards
- Encryption algorithms, Hardware Security Modules (HSMs), and smart cards (e.g., for digital signatures or banking applications) must pass rigorous security assessments.
- EAL5+ certification is often required for credit card chips and biometric ID systems.
3. Operating Systems and Mobile Devices
- Some versions of Windows, Linux, and macOS, as well as government-approved mobile devices, undergo CC certification to validate their security features.
- Highly secure smartphones for governmental use must often meet EAL4+ or higher.
Challenges and Future of the Common Criteria
Despite their advantages, the Common Criteria face several challenges:
1. High Costs and Time-Intensive Process for Manufacturers
- Certification is time-consuming and expensive, especially at EAL5 and above, because of the extensive testing and documentation requirements.
- Some companies opt out of certification despite having secure products because of the financial burden.
2. Slower Innovation Cycles
- Because the certification process takes time, some products become outdated before their certification is completed.
- This sometimes forces companies to use older, certified versions of products rather than newer, uncertified ones.
3. Adapting to New Threats
- With evolving threats such as quantum computing, AI-driven cyberattacks, and zero-day exploits, the Common Criteria must be continually updated.
- New certification models for cloud security and AI-based security systems may gain importance in the future.
Are the Common Criteria an Essential Security Standard?
The Common Criteria remain the world’s leading standard for IT security evaluation. They provide businesses, governments, and developers with a reliable framework to objectively assess and validate IT system security.
Despite challenges, the Common Criteria continue to be a crucial tool for securing modern IT systems and will play an essential role in cybersecurity as technology advances.