Common Criteria FAQ

What is Common Criteria?

The Common Criteria for Information Technology Security Evaluation (Common Criteria) defines a common language for specifying and evaluating the security of information technology systems and products. The framework provided by the Common Criteria allows government agencies and other groups to define sets of specific functional and documentation assurance requirements (known as a Protection Profile or Security Target) they expect the product to meet. The Common Criteria also provides evaluation laboratories with procedures for evaluating products or systems against the specified requirements.

Why do I need Common Criteria?

There are several reasons to obtain certification:

Improve product security – A Common Criteria evaluation provides an independent review and analysis of a product’s or system’s security against a defined set of requirements (the Protection Profile or Security Target) for that product type or system type. The independent evaluation serves to improve, measure, and validate the product or system’s strength. For example, Common Criteria may uncover any product vulnerabilities before that version is released, avoiding costly corrections in the field. Common Criteria also examines the security and repeatability of the development practices the company followed to develop the product. Many companies that pursue Common Criteria evaluation see improvements in the documentation for development practices as well.

Sustain competitive advantage - As more vendors validate products, Common Criteria becomes an important requirement to enter or maintain a foothold in the security marketplace. Many vendors use Common Criteria as a market discriminator, even when marketing to non-government clients such as the financial industry.

Comply with other industry standards - Many best practices call out ways to ensure that data is protected. Common Criteria can also aid in compliance with best practices that do not name Common Criteria specifically. See the Common Criteria Federal Directives page for examples of such standards.

Sell to the US Government - All IT security products purchased by the US Government for National Security Systems, which handle classified and some non-classified information, are required to have Common Criteria certification under the Committee for National Security Systems Policy No. 11 (CNSSP #11). In addition, the Department of Defense 8500 directive and instructions (8500.1 and 8500.2) both indicate that DoD systems should be composed of evaluated products. The use of validated products aids DoD agencies with system-level accreditations. As a result of these directives, many government agencies, especially the DoD, write Common Criteria certification into their RFPs.

Also, the NIST Special Publication 800-23 directive contains guidelines for Federal organizations concerning the purchase or procurement of IT products. It states that products must be evaluated, and provides direction for selecting the appropriate level of certification.

Sell to international governments - The Mutual Recognition Agreement (MRA), signed by 26 countries, specifies that Common Criteria evaluations performed in one country (up to assurance level 4) are honored in all other participating countries. Several countries, including Russia and Italy, promote Common Criteria validation as a criterion for government purchase of new products. Germany enacted legislation requiring Common Criteria for digital signatures. France has a regulation recommending the use of Common Criteria evaluations for public administration. Common Criteria is now a NATO standard. The Australian Defence Signals Directorate (DSD) requires that Commonwealth Government agencies purchase products from its Evaluated Products List, as described in the Australian Communications-Electronic Security Instruction 33 (ACSI 33), which specifies ITSEC and Common Criteria evaluated products.

Each of these documents may be downloaded from our Common Criteria Documents and Federal Directives pages.

Which countries participate in the Mutual Recognition Agreement?

There are currently 26 countries that have signed the MRA: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Republic of Korea, Republic of Singapore, Malaysia, the Netherlands, New Zealand, Norway, Pakistan, Spain, Sweden, Turkey, the United Kingdom, and the United States. Additional countries are invited to sign the MRA as participation with Common Criteria increases. Common Criteria is also widely accepted among countries in the EU as well as Russia and the eastern bloc countries, regardless of whether they are part of the MRA. Please visit our Common Criteria Links page for links to these countries’ websites.

Where can I find a copy of the Common Criteria?

Download PDFs of all three sections of the Common Criteria here:

Download the Common Evaluation Methodology, which explains what actions the lab will take to validate your product's assurance, here.

What is a scheme?

An evaluation scheme (scheme) is an organization that acts as the validating authority for a Common Criteria validation. The scheme is responsible for accrediting evaluation laboratories in the country in which it resides, and it provides an evaluation validator who observes the evaluation to make sure that the product meets the requirements. When an evaluation raises a question that requires clarification, the evaluating lab or developer may submit an Observation Report (OR) to the scheme, which responds with the official interpretation of the issue in question.

The scheme is also ultimately responsible for issuing the Common Criteria Validation certificate and stating that a product vendor has completed the validation process. Each scheme maintains its own list of validated products. Visit our Common Criteria Links page for links to schemes in other countries.

What are EALs?

The Common Criteria defines the concept of a package, which is a grouping of either Functional or Assurance requirements.

The Common Criteria defines seven assurance packages called Evaluation Assurance Levels (EALs), numbered one to seven, each building on the one below it. Each EAL specifies a minimal set of Assurance Requirements that must be met to obtain that EAL.

Some purchasers confuse EALs with functional testing. However, EALs do not correspond to any product or system functionality; they merely state the degree of rigor involved in the evaluation of the product or system. A higher assurance level does not necessarily mean a more secure product or greater security functionality than a lower EAL.

What is a Protection Profile?

A Protection Profile (PP) is a document that is written for a particular group of IT products (e.g. firewalls, Virtual Private Networks, etc.). The PP specifies the threats, assumptions, and functional requirements that apply to that specific IT product type. A PP is written for a specific Evaluation Assurance Level (EAL). Products claim "conformance" to a PP by fulfilling all the functional and assurance requirements called out by the PP.

A product may also augment a PP by adding further threats, assumptions, and requirements; as long as all of the requirements in the PP are satisfied, the product can still claim conformance. For example, if a product conforms to a PP rated at EAL2, the product must satisfy all the functional requirements stated in the PP and pass the evaluation steps required at Evaluation Assurance Level 2. The product could claim to augment the requirements in the PP by selecting a higher assurance level and being evaluated at EAL4, which is a superset of the EAL2 assurance requirements.

A Protection Profile contains a set of Functional and Assurance requirements for a product or system written to be implementation independent. The product categories that published Protection Profiles presently cover include:

  • Switches and routers
  • Firewalls
  • VPNs
  • Remote access
  • Operating systems
  • Biometrics
  • Tokens
  • Smart cards
  • Certificate management
  • Key recovery
  • Databases
  • IDS
  • Role-based authentication

What is a Security Target?

A Security Target contains a statement of the requirements to which a specific product or system under evaluation must conform; it is written to be implementation dependent. A Security Target can be authored to conform to a Protection Profile (meeting all of its functional and assurance claims), or it can simply state the security functional requirements that the product offers and the assurance level for the evaluation.

A Protection Profile is similar to a Request For Proposal (RFP) that specifies the requirements for that class of products, while the Security Target is similar to a response to the RFP because it details how the specific product or system addresses the RFP's requirements.

What are the Seven Corsec Common Criteria Certification Milestones?

There are seven milestones that must be met in order to receive Common Criteria certification:

  1. Learn about the Common Criteria process. Corsec's Common Criteria Planning Package can help you do this in a short amount of time.
  2. Determine which (if any) Protection Profiles you will be validated against.
  3. Ensure your product meets the requirements specified in the selected Protection Profile(s).
  4. Develop a Security Target that details how your product or system meets requirements.
  5. Produce all the Common Criteria-required Assurance documentation.
  6. Submit the product and documentation to an accredited testing laboratory.
  7. Receive certification from the appropriate scheme (validation body).

Corsec Security can help you achieve each of these milestones and receive certification.

How long does the evaluation take?

There are many factors that determine the length of the evaluation process, such as which Protection Profile (PP) the product is tested against, which Evaluation Assurance Level (EAL) you seek, the state of your product or system documentation, and backlogs at the lab and scheme.

Products tested at lower EALs may complete the validation process in 6-9 months; others may take 12-24 months.

How much does the evaluation cost?

There are seven factors that affect the cost of your evaluation effort:

  1. Each evaluation lab has its own testing fees.
  2. Preparation of the assurance document submission packages.
  3. The quality and organization of your documentation.
  4. Modification of your product to meet government requirements.
  5. Any government validation fees. (The US scheme does not charge for its services; however, other local validation bodies do charge for their time.)
  6. The level of evaluation for which you apply (EAL 1-7 for Common Criteria).
  7. The complexity of your product.

Each evaluation lab has its own fee structure. Many charge by the hour, which adds up quickly during the inevitable communications over the course of the testing process. Corsec can perform price negotiation with the lab as part of your complete Common Criteria evaluation package.

One effective way to control costs during your Common Criteria evaluation is to incorporate evaluation considerations before designing the product. Making changes afterwards to comply with government requirements can be costly. Corsec is highly experienced in analyzing product designs before they get to the lab to ensure they pass the testing stage.

Existing product documentation also affects the price of Common Criteria validation. Document preparation costs vary depending on the quality and content of the product documentation, as well as the preparer’s familiarity with Common Criteria requirements and the evaluation of the vendors’ class of products. Corsec can prepare all your Common Criteria documentation for you, freeing up your engineers to tackle other important projects.

A great deal of documentation is required for Common Criteria evaluation, even at lower assurance levels, and it becomes more complex at higher EALs. Preparing documents correctly the first time saves money because it cuts down on lab fees.

The highest costs are your own: internal resources tied up in the validation process, such as engineers who manage the process, documentation and communications with the lab and scheme, and time spent on product redesigns.

These costs pale in comparison to the cost of evaluation delays and lost opportunities due to stalled evaluations, not to mention the cost of losing market share to a competitor who attains validation first.

How do I select an Evaluation Assurance Level?

If you seek validation against a specific Protection Profile, this step may already be completed for you. Many Protection Profiles specify the Evaluation Assurance Level required for conformance. Additional factors can also affect your decision. Individual customers may require a higher level of assurance than defined by a Protection Profile.

You may encounter an augmented or "+" evaluation, often written as "EAL2+" or "EAL4+." The "+" indicates that the product vendor has completed all Assurance requirements at that Assurance Level, PLUS at least one requirement that is above or not part of the assurance requirements specified for that Assurance Level.

If you wish to have your certification internationally recognized, the Assurance Level must not be greater than EAL4 and cannot include any other assurance requirements that are not part of the EAL structure. The international agreement of acceptance is defined in the Common Criteria Recognition Agreement.

Base your choice of assurance level on what your customers want, what your competitors are already doing, how soon you need to complete the certification, and your budget. The higher the level, the more time and money required. Corsec can help you determine which EAL level makes the most sense for your sales strategy.

Do I need to test against a Protection Profile (PP)?

No, a product or system is tested against the requirements written in a Security Target, which may not conform to a Protection Profile. The Common Criteria only specifies that the product or system be validated against a Security Target; it is within the Security Target author’s discretion whether to have that Security Target conform to a Protection Profile.

How do I get on the In-Evaluation list while pursuing Common Criteria?

Because of the significant amount of time required to achieve Common Criteria certification, many companies choose to participate in the voluntary In-Evaluation list posted on the NIAP website. Inclusion on the In-Evaluation list demonstrates to customers that a vendor is in the evaluation process and committed to achieving validation. Be aware that your inclusion on the list alerts competitors to your certification plans; for that reason some companies choose not to be included on the list.

If you decide to be included on the In-Evaluation list, it is important to understand that addition to the list takes time. You must prove that you’re doing actual work in order to be posted on this list. Corsec has great success in facilitating quick addition to this list by following and monitoring these steps:

  1. Perform a product assessment against the Common Criteria requirements.
  2. Develop a Security Target (ST) for that specific product.
  3. Submit the ST to the evaluation lab for review.
  4. The evaluation lab creates an evaluation schedule (EAP).
  5. The evaluation lab submits the ST and EAP to the scheme (NIAP in the US).
  6. NIAP assigns a government validator to the project within two weeks.
  7. The validator reviews the ST and the EAP.
  8. If the documents are acceptable, the evaluator schedules a kick-off meeting to begin the project.
  9. Corsec attends the kick-off meeting with the client, evaluation lab and government validator to answer questions and confirm that the project proceeds smoothly.

Only after the kick-off meeting will NIAP consider adding a vendor to the In-Evaluation list. The vendor must then demonstrate that consistent progress is being made in order to stay on the list.

How do I begin?

With effective planning. Common Criteria can be a long and expensive process, so the imperative first step is to assemble a defined plan to achieve validation. Corsec offers a Common Criteria Planning Package to educate your team on the specifics of Common Criteria. Contact us to schedule a planning meeting.

If I hire a consultant to help with my Common Criteria evaluation, will my evaluation proceed more quickly and efficiently?

Yes, if you choose your consultant wisely. An independent consultant must have considerable experience in the field of interest. Corsec has more than a decade of successful validation experience. Other consultants may try to emulate our approach, but they lack our depth of experience.

Be sure your consultant has solid relationships with testing labs and schemes, and a proven track record of evaluation success. Corsec delivers both experience and the references necessary to ensure your smooth and efficient evaluation.

If I hire Corsec, can I avoid having to use any internal resources during the process?

Not necessarily. No one entity can take on the entire work load for a successful validation. Your team may have limited experience regarding the Common Criteria standard, and labs and consultants do not have the extensive product knowledge needed to complete the validation that you do. However, an experienced consultant can alleviate some of the most critical aspects of the effort such as project and time management, document development, and lab/government interaction.

A plan that accurately defines roles is critical: it clearly identifies the path towards a successful validation. In a Corsec 2-day scoping service, our experts analyze your product's readiness and prepare your team for the work required, review evaluation process timelines, and discuss how to provide appropriate information to the lab and scheme. This allows you to set expectations with all parties involved, including the lab, your sponsor and your internal resources.

If labs can also provide consulting, then why should I hire an independent consultant?

All accredited Common Criteria Testing Laboratories (CCTLs) listed on the NIAP CCEVS website can provide consulting as well as testing services. However, a lab’s core competency and resources typically reside in the testing aspect of the process; some labs are more skilled in consultation than others.

At Corsec, validation consulting is our core competency, and as an independent third party we make sure that everything that happens before and during validation is in your best interest. Our fixed-price services ensure a non-biased evaluation environment and a timely, successful validation for you.

Is there an accreditation process for consultants such as Corsec?

NIAP, the U.S. Common Criteria evaluation scheme, and other schemes around the world do not have an official accreditation process for independent consultants. Absent this official designation, it's crucial to select a consultant with extensive validation experience and success. Corsec has the most successful track record in the industry.

What should I look for when choosing a consultant and Common Criteria Testing Laboratory (CCTL)?

Choosing an appropriate consultant is similar to choosing a testing lab. Always check two to three references and make sure that the validations were completed successfully and efficiently. An experienced consultant like Corsec will have years of validation experience and an intimate knowledge of your specific product technology.

Labs should have sufficient experience working with consultants, and they can provide you with references for those they have worked with. Please contact Corsec representatives for any Security Target evidence or other references.

Can I copy this FAQ?

This FAQ is ©2012 Corsec Security, Inc.; all rights reserved. If you contact us and tell us how you wish to use the FAQ, we will almost certainly grant you permission in writing to do so.