What Is Common Criteria:
Common Criteria is an internationally recognized set of guidelines (ISO 15408), which define a common framework for evaluating security features and capabilities of Information Technology security products. Once completed, it provides assurance to buyers that the process of specification, implementation and evaluation for any certified computer security solution was conducted in a thorough and standard manner.
The National Information Assurance Acquisition Policy, NSTISSP No. 11, requires government agencies to purchase only those commercial security products that have met specified third-party assurance requirements and have been tested by an accredited national laboratory.
Completing your Common Criteria evaluation allows you to sell your solutions to the U.S. Federal Government, International Governments, and other highly regulated industries around the globe. It is not only required for access to government markets, but also serves as a competitive differentiator.
Timeframe and Process:
A typical evaluation can take anywhere from twelve to fourteen months and is valid for two years. With Corsec’s regularly scheduled maintenance, your team will avoid common pitfalls to revalidation, including being added to the unprocurable archived list.
Common Criteria consists of several predetermined evaluation assurance levels, each one more stringent than the last. Corsec’s turnkey solution helps you plan and execute on a successful evaluation given your product’s unique market drivers, competitive landscape, and primary goals.
Twenty-seven countries, including the United States and Canada, have signed the Common Criteria Recognition Arrangement (CCRA), making it an unparalleled measure of security for the international commerce of IT products.
The CCRA is a pact, which was designed to allow all evaluations up to an evaluation assurance level (EAL) 2, gain recognition by all participating countries, regardless of where the evaluation was completed.
All evaluations completed in the U.S. must adhere to a Protection Profile, which is accepted internationally at an EAL 2+.
The requirements and features of your solution will dictate which path to certification is more suitable for your company.