When organizations begin exploring Common Criteria, one of the first questions they face is whether their product aligns with an existing requirements framework – a Protection Profile. Because certification pathways appear to be structured around predefined requirements, a product that falls outside those boundaries can look as though it cannot be scoped for evaluation at all.
This uncertainty frequently shapes early planning decisions. Teams may hesitate to initiate certification discussions if they believe their product does not align to an existing Protection Profile, assuming that evaluation pathways are limited to predefined product categories. In reality, Common Criteria was designed to support a wide range of technologies, including those that introduce new functionality or operate in evolving technical spaces.
This post is the third segment in our series, Deconstructing Common Criteria: 5 Myths and Realities, which examines the assumptions that most often shape how organizations approach Common Criteria certification. While each post is designed to stand on its own, together they provide a clearer view into the decisions that influence certification success across product, engineering, and leadership teams.
Myth 3: “My product does not align to a Protection Profile, so evaluation is not possible.”
Among the myths explored in this series, this assumption most often emerges during early feasibility discussions. When teams review the available Protection Profiles and fail to identify a direct match, certification can appear out of reach. This perception can lead organizations to postpone planning or dismiss certification altogether, even when viable pathways exist.
Reality: Protection Profile alignment is not the only path to evaluation.
While Protection Profiles provide structured, widely recognized sets of security requirements for specific product types, they are only one component of the Common Criteria ecosystem. A product that does not align directly to an existing Protection Profile can still be evaluated through a custom Security Target, a document written by the developer that defines the product's security functionality, its assumptions about the operational environment, and the scope of the evaluation. The Security Target is then evaluated against a chosen assurance package, most commonly one of the Evaluation Assurance Levels (EAL1 through EAL7), which fixes the depth of design documentation, testing, and vulnerability analysis the evaluator must perform.
An EAL-based evaluation lets an organization describe its product's intended security capabilities in a structured and testable manner. Rather than forcing the product into predefined requirements, the evaluation is based on the product's actual design and implementation, and emerging technologies, specialized platforms, and products with unusual architectures are routinely certified this way. One caveat belongs in any early planning discussion: not every national scheme accepts EAL-based evaluations (the US scheme, NIAP, evaluates only against approved Protection Profiles), and mutual recognition of EAL-based certificates under the CCRA extends only to EAL2 with flaw remediation, so the markets a product must reach shape which path is actually viable.
In addition, Protection Profiles themselves continue to evolve. As technology landscapes shift, new profiles are developed to address emerging product categories and security needs. Organizations participating in modern development cycles may find that today’s gap between their product and existing Protection Profiles becomes tomorrow’s standard alignment.
Early engagement in certification discussions helps teams understand whether alignment, adaptation, or an alternative evaluation strategy is possible. Learn more about identifying the right evaluation path with a Common Criteria Assessment, and start the conversation early: structured planning improves program predictability, defines a clear evaluation path, and supports successful market entry.
Scope definition plays a critical role in evaluation feasibility.
When products appear misaligned with existing Protection Profiles, the underlying issue is often related to scope rather than eligibility. The defined Target of Evaluation (TOE)—which establishes the boundaries of what is included in the evaluation—can significantly influence how closely a product aligns with available requirements. Carefully defining system boundaries, security functionality, and operational context often reveals alignment opportunities that are not immediately obvious during initial reviews.
Modular architectures and clearly defined security components can also support flexible evaluation strategies. By isolating security-relevant functionality, organizations may be able to evaluate a portion of the system that aligns with known requirements, while maintaining flexibility for the broader product ecosystem. This approach can reduce complexity and create pathways to certification even when full-system alignment appears challenging.
Early planning reduces uncertainty around alignment.
Much like cost and scheduling considerations, alignment challenges are most manageable when addressed early in the development lifecycle. Organizations that engage in structured planning (reviewing product architecture, identifying security features, and assessing potential evaluation pathways) are better positioned to determine whether Protection Profile alignment is achievable or whether an alternative such as an EAL-based evaluation is available.
Delaying these discussions creates downstream complications, particularly if architectural decisions are finalized without considering certification requirements. Early evaluation readiness assessments help clarify pathways, identify potential risks, and establish realistic expectations for scope, documentation, and timelines.
For many organizations, the perception that evaluation is not possible reflects uncertainty rather than limitation. When teams gain visibility into the available certification approaches, they are better equipped to make informed decisions about product design, market positioning, and long-term certification strategy.
Organizations that engage experienced guidance early are often better positioned to navigate alignment decisions and maintain forward progress. From evaluating potential Protection Profile matches to developing custom Security Targets, structured planning helps transform uncertainty into actionable certification strategy.
Following this discussion, the series continues with additional misconceptions that frequently influence certification planning and long-term product strategy. Each reflects a different stage in the certification lifecycle and highlights how technical, operational, and regulatory assumptions can shape both timing and market readiness.
Continue following the series as we examine the remaining two myths that influence certification strategy:
Myth 4: If my product is no longer listed on the Common Criteria Portal, I can still access the same markets.
Myth 5: European Union Common Criteria (EUCC) is a completely new certification framework.
These assumptions often stem from practical challenges. A closer examination shows that they can instead highlight opportunities for more structured planning, clearer expectations, and stronger certification outcomes.
