Common Criteria

Common Criteria is an internationally recognized set of guidelines (ISO 15408), which define a common framework for evaluating security features and capabilities of Information Technology security products. The standard consists of several predetermined evaluation assurance levels, each one more stringent than the last. Common Criteria allows vendors to have their products tested against a chosen level by an independent third-party testing laboratory.

Common Criteria

Why Get Common Criteria Certification

The National Information Assurance Acquisition Policy, NSTISSP No. 11, requires agencies to purchase only those commercial security products that have met specified third-party assurance requirements and have been tested by an accredited national laboratory. Common Criteria provides assurance to buyers that the process of specification, implementation and evaluation for any certified computer security product was conducted in a thorough and standard manner. The U.S. government mandates Common Criteria certification of all security products sold to the FED.

Common Criteria Background

Twenty-seven countries, including the United States and Canada, have signed the Common Criteria Recognition Arrangement (CCRA), making Common Criteria an unparalleled measure of security for the international commerce of IT products. The Common Criteria Mutual Recognition Arrangement is a pact, which was designed to allow all evaluations up to an evaluation assurance level (EAL) 2, gain recognition by all participating countries, regardless of where the evaluation was completed.

Common Criteria Questions

How Do I Get Certified?

There are three major phases to a Common Criteria certification.

Phase 1: Design and Documentation

The amount of time to properly design and document a product varies greatly, depending upon the nature of the changes required and the maturity level of the product being evaluated. However, this phase of the process is the one that product vendors have the most control over. Many products require only small changes to meet Common Criteria requirements and some product manufacturers are able to integrate the design and documentation phase into a regular product release cycle. Assuming ideal circumstances, Corsec recommends planning for approximately four to six months for this effort.

Phase 2: Laboratory Testing

The amount of time that laboratory testing of an individual product takes directly correlates with how well the product was designed and documented. A product that properly meets the requirements and is delivered to the testing laboratory with all required documentation written correctly can move through testing in two to three months. There is no maximum time it can take for a product to successfully complete testing. Corsec recommends ensuring your product meets all requirements prior to entering the testing phase.

Phase 3: Scheme Review

Once the testing laboratory completes its testing of a product, a report is submitted to the certifying Scheme for review. The amount of time this review takes varies and can range from anywhere between two weeks and two months. Additional time may also be required if problems with the product are discovered during the review.

How Much Does Certification Cost?

Common Criteria certification costs vary greatly, depending upon the complexity of the product and the level of certification sought. Additionally, poor planning and failure to properly execute a plan have resulted in some staggering sums being spent on certification efforts. Calculating how much a certification will cost is one of the most important activities when planning an evaluation effort.

How Long Does Certification Take?

A typical Common Criteria effort will take anywhere from twelve to sixteen months from start to finish. This will depend heavily on certain factors: ROI, Cost, Product Changes, Certification Options, Timing, Customer Requirements, New Business Areas, and a Competitive Analysis.


What Now

Corsec offers solutions to help clients better understand how and what certifications are right for each product. We can help determine the best path to Common Criteria certification given your product’s unique market drivers, competitive landscape and primary goals.

Corsec’s comprehensive set of services help answer all of your questions and can plan a successful path to Common Criteria certification.

Common Criteria

Call Corsec +1 703 267 6050