ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation
Also known as the Common Criteria (CC), this standard provides a framework for specifying and evaluating the security functionality of IT products and the assurance that this functionality is implemented correctly. Its primary goal is to ensure that IT products are specified, implemented, and evaluated in a consistent and repeatable manner, so that an evaluation result gives justified confidence in the security claims a product makes. The core standard is published in three parts (Part 1: introduction and general model; Part 2: catalog of security functional components; Part 3: catalog of security assurance components) and is accompanied by the Common Evaluation Methodology (CEM, ISO/IEC 18045), which describes how evaluators carry out the assurance activities.
The Common Criteria was developed by national security organizations from the United States, Canada, France, Germany, the Netherlands, and the United Kingdom, unifying earlier national and regional criteria such as TCSEC and ITSEC. The Common Criteria Recognition Arrangement (CCRA) ensures that signatory countries recognize the results of evaluations performed under other members' schemes, reducing the need for multiple certifications. Recognition under the CCRA is not unlimited: since the 2014 revision it covers certificates up to EAL2 (with flaw-remediation augmentation) and evaluations against collaborative Protection Profiles (cPPs); higher-EAL certificates are recognized only under narrower regional arrangements such as SOG-IS in Europe.
Key Concepts
The Common Criteria framework is built around several key components:
| Term | Description |
|---|---|
| Target of Evaluation (TOE) | The product, or the specific part of a product, that is actually evaluated, in a defined version and configuration. A certificate applies only to that TOE and its evaluated configuration, not to the vendor's product line in general. |
| Protection Profile (PP) | An implementation-independent set of security requirements for a category of products (e.g., firewalls, operating systems, mobile devices), typically written by a government scheme or a technical community rather than by a single vendor. Collaborative PPs (cPPs) are PPs developed jointly by several CCRA schemes. |
| Security Target (ST) | Prepared by the product vendor, it describes a particular TOE, its security problem definition (threats, assumptions, policies), its security objectives, and the functional and assurance requirements it claims to meet. An ST may claim conformance to one or more PPs. |
| Security Functional Requirements (SFRs) | Specific security behaviours the TOE must provide, such as user authentication or cryptographic operation. They are selected from the standardized catalog in CC Part 2, which is organized into classes (e.g., FAU for security audit, FIA for identification and authentication, FCS for cryptographic support), families, and components. |
| Security Assurance Requirements (SARs) | Requirements on the development process, design documentation, testing, vulnerability analysis, and lifecycle support that give grounds for confidence that the SFRs are implemented correctly. They are selected from the catalog in CC Part 3. |
| Evaluation Assurance Level (EAL) | A predefined package of SARs rated from EAL1 (functionally tested) to EAL7 (formally verified design and tested) that describes the depth and rigor of the evaluation. A "+" suffix (e.g., EAL4+) means the package was augmented with additional assurance components. A higher EAL indicates that more evidence was examined more rigorously; it does not by itself mean the product is more secure, since the security functionality evaluated is whatever the ST claims, and a narrow ST at a high EAL can cover less than a broad ST at a low one. |
Quality Attributes
The Common Criteria addresses a broad range of security-related quality attributes. They can be grouped into three categories: the security properties that functional requirements protect, the properties that assurance activities examine, and the properties that an evaluation outcome attests to. Note that the CC itself does not use these attribute names as its organizing structure; its own structure is the class/family/component hierarchy of Parts 2 and 3, and the attributes below map onto it only informally.
- Core Security (CIA Triad): Security in general is the protection of assets from unauthorized access, use, disclosure, alteration, or destruction. The CC expresses this through the three classic properties:
  - Confidentiality: Ensuring that information is not disclosed to unauthorized individuals, entities, or processes.
  - Integrity: Maintaining the accuracy and completeness of data over its entire lifecycle.
  - Availability: Ensuring that authorized users have access to information and associated assets when required.
- Assurance-Related Properties:
  - Authenticity: Verifying the claimed identity of a user, process, or device (in CC terms, the FIA identification and authentication class).
  - Auditability: The ability to create and maintain a record of security-relevant system activities (the FAU security audit class).
  - Traceability: The ability to trace actions to their source, and, on the assurance side, to trace each security requirement through the design, implementation, and tests that satisfy it.
  - Testability: The degree to which a system or component can be tested; the ATE assurance class requires the developer's tests and independent evaluator testing.
- Evaluation Outcomes:
  - Compliance: Demonstrated conformance to a set of requirements, such as the SFRs and SARs of a claimed PP, or to standards, policies, or regulations that reference the certificate.
  - Reliability: The ability of a system to perform its required functions under stated conditions for a specified period.
Evaluation Process
- Security Target Preparation: The vendor writes a Security Target describing the TOE boundary, the security problem it addresses, the SFRs it claims, and the assurance package (an EAL, or the package mandated by the PP it claims conformance to).
- Laboratory Evaluation: An accredited, independent testing laboratory evaluates the product against the claims made in the Security Target, following the CEM. The ST itself is evaluated first (the ASE assurance class), and the lab then examines the design and lifecycle evidence, runs tests, and performs a vulnerability analysis appropriate to the claimed assurance level. The results are documented in an Evaluation Technical Report.
- Certification Issuance: The national scheme's certification body reviews the laboratory's report and, if the evaluation is successful, issues the certificate and a certification report, and lists the product on the scheme's and the CCRA's Certified Products List. The certificate covers only the TOE version and evaluated configuration named in the ST, so a practitioner relying on it should read the ST to confirm that the functionality they care about was actually in scope.
In the United States, the National Information Assurance Partnership (NIAP) administers the Common Criteria program through the Common Criteria Evaluation and Validation Scheme (CCEVS). NIAP evaluations must claim exact conformance to a NIAP-approved Protection Profile; NIAP no longer accepts evaluations based on EAL claims alone.