Common Criteria (CC) is an international standard defining a framework for IT security evaluation and certification. It is used specifically to ensure that IT products meet standard security requirements for government or specific market deployments.
Indeed, end users need to have confidence that the products they purchase and use will meet the claimed security requirements. CC certification provides value to the user by having an independent third party examine and validate these security requirements against recognized industry-standard metrics and criteria. Moreover, that confidence increases when the third party is credible and accredited by a government certification scheme, which is the case in the CC.
The CC is not as common as the name suggests, and many manufacturers are not familiar with all of its parts. With that in mind, we wanted to give you a quick list of the top things you need to know about so you'll be better prepared in the future.
1- Many Countries and Users Value the CC Certification
CC has a long-standing history with respect to its recognition by 31 countries. This means that their federal and government entities value this certification. Recognition is unfortunately limited to a claimed maximum level of security assurance (EAL 2). However, it is also highly sought in all regulated industries with critical infrastructure, and at a high level of security assurance. In addition, more than 4500 products have already been CC certified and are used by billions of users all over the world.
2- The CC Enables Consumers to Have an Impartial Assessment of an IT Product
Such an assessment is also a security evaluation, as the CC includes an analysis and testing of the product for conformance to specific security requirements. This increases the consumer’s level of confidence in the IT product.
3- Three Vital Bodies Are Involved in a CC Evaluation
These include: 1) a validation body, which is typically a government agency; 2) the CC evaluation lab; 3) the sponsor, which is the company that has requested the evaluation. Sometimes a CC consultant is used when a CC expert is necessary.
4- A Total of Seven Levels of Assurance Are Defined in the CC
Generally, the higher the level of assurance the product has, the more proof there is for its security. That's because each level has a more rigorous method of testing. The idea here is that the customer can look at the EAL of an evaluated product and tell at a glance how much effort went into the assessment of the security claims made by the vendor. A more in-depth evaluation will give customers greater confidence.
5- CC Has a European Cluster of Users Recognizing a Higher Level of Security Assurance
This is governed by the Senior Official Group-Information Security (SOG-IS) agreement, which addresses the European region’s directives and common goals. With the adoption of the EU Cybersecurity Act back in September 2019, ENISA is currently working with an ad hoc group of experts to translate the SOG-IS CC scheme into an EU cybersecurity certification scheme. This will result in wider recognition by the 27 EU member states.
6- The Time Schedule and Cost Are Different for Each Assurance Level of the CC
The general rule is that the higher the evaluation assurance level (EAL), the higher the cost and the time required to complete the assessment. In general, EAL 2 takes 4-6 months and costs $80K-150K, EAL 3 takes 6-9 months and costs $120K-200K, and EAL 4 takes 7-12 months and costs $175K-300K. A more complex EAL 4 takes 12-24 months and costs $300K-750K.
7- The Sponsor Always Has a Person Communicating with the Governing Body Doing the Evaluation
This person is the point of contact for the sponsor, i.e., the company requesting the evaluation. They are responsible for the entirety of the communication between the two bodies during the evaluation period.
8- The CC Documentation Coordinator Does the Bulk of the Work
Many people can do the main work in the evaluation, but the CC documentation coordinator is the person doing the majority of it in most evaluation processes. Technical writers are also highly appreciated in this process.
9- The CC Evaluation Engineer Is the Main Person with the Technical Knowledge Needed in the Process
The CC Evaluation Engineer can be a Software/Hardware Engineer, a Product Marketing Engineer, a QA Tester, or a CC Expert/Consultant.
10- A Demand for Higher Assurance Remains the Main Driver for CC Adoption
Technological advances and the continued development of smart products increasingly require higher security assurance levels because of the huge cybersecurity risks at stake. The CC is tailored to such a market at both the industrial and governmental levels.