If you work in the field of cybersecurity or are interested in the subject, you have probably come across the concept of Common Criteria. But what exactly does it mean? What is the main purpose of Common Criteria evaluation and what are the most frequent EALs? Find your answers in our article below.
What is Common Criteria certification?
The Common Criteria for Information Technology Security Evaluation (often called Common Criteria or CC), ISO/IEC 15408, is an international set of standards for IT security certification. It ensures that the definition, implementation, and evaluation of a cybersecurity product or system has been carried out in a standard, rigorous and repeatable way, at a level appropriate to the intended environment of use.
What are the benefits of having your product certified?
It’s important to keep in mind that Common Criteria certification is only for a niche segment of IT security products and solutions. In 2021, a total of 411 products and systems were certified globally, although this number keeps increasing each year.
If your product is eligible, you can gain numerous advantages by getting it certified.
Here are 3 of them:
- It improves your product or system: The rigorous assessment procedure may reveal vulnerabilities that can be fixed before releasing a product to the market, avoiding costly post-release updates.
- It keeps you competitive: Common Criteria evaluation and certification is crucial when competing with well-established cybersecurity solutions that have already been evaluated.
- It opens the door to new business opportunities: for example, the governmental sector.
What is Common Criteria evaluation?
Common Criteria evaluation is the process that the IT product or system has to go through in order to get CC certified.
The Common Criteria (CC) evaluation methodology has 3 major components: the official Common Criteria and its supporting documents, the CC Evaluation Methodology (CEM), and a country-specific evaluation methodology known as an Evaluation Scheme or National Scheme.
There are four roles in the general Common Criteria evaluation model: sponsor, developer, evaluator and evaluation authority (certification body).
- The Sponsor’s responsibility is to request and support an evaluation and to provide the evaluator with the evaluation evidence.
- The Developer delivers the Target of Evaluation (TOE) and is responsible for providing the evidence needed for the assessment on behalf of the Sponsor. In some cases when large, international companies are involved, the Sponsor and Developer roles are not separated.
- The Evaluator is a competent, independent and accredited testing laboratory that performs the evaluation and delivers the results to the Evaluation Authority.
- The Evaluation Authority (Certification Body) sets and maintains the scheme, observes the evaluation process, and issues related reports as well as Common Criteria certificates based on the results supplied by the Evaluator.
The duration of the Common Criteria evaluation process depends on multiple factors, including the product’s complexity and the chosen EAL, but it usually takes up to a few months.
What is an Evaluation Assurance Level?
The Evaluation Assurance Level (EAL) represents how thoroughly a security product or system has been evaluated. EALs range from 1 to 7, with 1 being the lowest degree of evaluation and 7 the highest. A higher level does not imply that the product is more secure; rather, it indicates that the product has undergone a more rigorous examination.
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested, and Reviewed
- EAL5: Semi-Formally Designed and Tested
- EAL6: Semi-Formally Verified Design and Tested
- EAL7: Formally Verified Design and Tested
Which is the most frequent Evaluation Assurance Level?
Based on the latest Common Criteria Statistic Report, 41.12% of the certifications in 2021 were high-assurance (EAL4-EAL7). That means 77 EAL4 evaluations, 51 EAL5 evaluations, 40 EAL6 evaluations and only 1 EAL7 Common Criteria evaluation. EAL2 was the most frequent low assurance level, with 71 certifications, followed by EAL3 with 19 certifications and EAL1 with 3.
Common Criteria evaluation is the procedure that an eligible IT system or product has to go through in order to be CC certified. The evaluation usually takes up to a few months, depending on, among other factors, how complex the product is and which EAL from the list above was chosen.
If you are thinking about getting your product or system evaluated but are not sure about the process or need support to get ready, we recommend getting professional help through Common Criteria consultation.