If you develop or sell IT products or systems for governments and governmental organizations, you have certainly heard about Common Criteria. In 2021 a total of 411 IT products that went through the Common Criteria evaluation process got successfully certified and this number shows a slow but steady increase compared to previous years.
In our article below, we have collected all the essential information about the Common Criteria evaluation process’s steps to help those who plan to get their product certified or are interested in the process.
Common Criteria Evaluation: The Basics
The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is a framework of internationally acknowledged and scalable cybersecurity certification standards (also known as ISO 15408). The framework ensures that the definition, implementation, and evaluation of an IT product or system was performed in a rigorous, standard, and repeatable way at a level appropriate to the intended environment. Common Criteria certifications are recognized by all 31 CCRA member countries.
Common Criteria evaluation is the procedure that an eligible IT product or system has to go through in order to get CC-certified.
What are The Main Steps of The Common Criteria Evaluation?
The majority of the steps and processes listed below are from OCSI (the Italian Scheme). These procedures may alter in various schemes, but the basic technique must be implemented consistently throughout all Common Criteria schemes.
Before starting the evaluation
As step 0 before starting the Common Criteria evaluation process, it is highly recommended to hire a CC expert that can get your product or system ready and support you throughout the project.
1. Choose the National Scheme
The first step of the Common Criteria evaluation is to choose the National Scheme. 17 countries established Common Criteria Certificate Authorizing Schemes were established by 17 countries which means that different nations set their own national programs, standards, regulations, and Certification Bodies. The Certification Body issues the CC Certification upon successful evaluation.
2. Choose the Target of Evaluation
The next step of the process is to choose the Target of Evaluation (TOE). The TOE is the subject of the Common Criteria evaluation which can be:
- an IT product / a set of it / a part of it
- a unique technology that may never be added to a product
- or a combination of the above.
3. Pick an EAL level
The next step is to choose the Common Criteria Evaluation Assurance Level (EAL). EAL indicates how comprehensively an IT security product or system has been verified. EALs range from 1 to 7 which represents the lowest degree of evaluation and 7 represents the highest.
The EAL levels are the following:
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested and Reviewed
- EAL5: Semi-Formally Designed and Tested
- EAL6: Semi-Formally Verified Design and Tested
- EAL7: Formally Verified Design and Tested
4. Choose the Protection Profile (Optional)
Using Protection Profile (PP) is optional during Common Criteria evaluation. PP is a document that describes the security requirements for a class of security devices. It is often established by a user or user community.
5. Prepare the Security Target
The Security Target (ST) is an implementation-dependent statement of security needs for a specific identified Target of Evaluation. Creating an ST is definitely a priority in the Common Criteria evaluation project.
6. Prepare the Evaluation Work Plan
The Evaluation Work Plan must be designed by the contracted Common Criteria Test Laboratory and approved by the Certification Body (CB) before the process starts.
After completing all steps above, the Common Criteria evaluation starts once the CB approves the EWP and formally recognizes the evaluation into the scheme after analyzing the documents presented.
During the evaluation
The Activity Reports (AR) and the Observation Report are two essential reports that are important to mention regarding the Common Criteria evaluation process:
Activity Reports: these Reports show the findings of each Class’s evaluation using the Common Methodology for Information Technology Security Evaluation (CEM). There are 3 possible results here: pass, fail, and inconclusive. The ARs are only submitted to the Certification Body.
Observation Report: it contains the “inconclusive” and “fail” work units as well as an explanatory verdict paragraph, explaining the Evaluator’s decision on the project.
An IT product or system has to go through a comprehensive Common Criteria evaluation process to get CC-certified. The length of an evaluation project depends on numerous factors, including the complexity of the product and the EAL chosen. The evaluation must be completed by an independent, experienced, and accredited Testing Laboratory.
Supporting documents listed above are used throughout the Common Criteria evaluation process to define how the metrics and assessment techniques should be utilized for evaluating and certifying a given IT product.