The CC model begins with an individual risk assessment, which sets a Security Target for the product. Each security target is usually based on a specific protection profile (PP) addressing sometimes only a part of the product. This sets the Security Functional Requirements and the Security Assurance Requirements that will be assessed by a Third-Party Evaluator following the CC evaluation methodology.
The rise of IoT companies has highlighted just how slow and vague the framework is. But what can be done about it?