The Common Criteria for Information Technology Security Evaluation is an internationally recognized set of technical standards (ISO/IEC 15408-1:2009) for assessing the security capabilities of information technology products. Dozens of countries, including the United States and Canada, have signed the Common Criteria Recognition Arrangement (CCRA), officially recognizing Common Criteria certificates as the global standard. Each country has its own organization that oversees and implements Common Criteria certification. In the United States, it is the National Information Assurance Partnership (NIAP); in Canada, it is the Canadian Centre for Cyber Security (CCCS).
There are two paths to Common Criteria certification: Evaluation Assurance Levels (EAL) and Protection Profiles (PP). Each is achieved through an accredited third-party commercial testing laboratory, which tests products against standardized security requirements.
- Evaluation Assurance Levels (EAL) are ratings based on how the product satisfies various functional and assurance security requirements. Seven levels describe the rigor and depth of the assessment, with EAL1 being the most basic and EAL7 the most stringent. The CCRA has agreed that EAL1 and EAL2 evaluations are to be recognized by all participating countries regardless of where the evaluation was completed.
Although EAL evaluations are no longer performed in the United States and are not listed on the NIAP Product Compliant List, EAL certifications may still be required by U.S. public sector entities in procurement actions. However, EALs are still performed in other countries that are CCRA signatories and they are listed on the Common Criteria website.
A Protection Profile is a set of Common Criteria technical standards or configurations developed for specific technology types, such as mobile devices or firewalls. The Protection Profile specifies security criteria for that type of product, against which the product is evaluated for conformance.
There are two types of Protection Profiles: Country-specific Protection Profile (PP) requirements, for which there is no guarantee of mutual recognition; and Collaborative Protection Profiles (cPP), recognized by all participating CCRA countries. As of March 2020, the Common Criteria Collaborative Protection Profiles listed versions of four basic cPPs: Stateful Traffic Filter Firewalls; Full Disk Encryption – Encryption Engine; Full Disk Encryption – Authorization Acquisition; and Network Device.
When a certifying body awards a Common Criteria certificate, it asserts that the product meets the security requirements that the company specified in the related security target. (A security target is a set of requirements that specifies the scope of the evaluation.) Purchasers of certified products must review the security target to understand the assumptions made as part of the evaluation, the product's intended environment, and the security functionality that was assessed.