
Common Criteria ISO/IEC 15408 clearly explained

When you buy a secure IT product—say, a firewall, smart card, or encrypted storage system—you might assume it’s been tested and verified. But how do you know? Who actually confirms that a product does what it promises from a security standpoint? That’s where Common Criteria (ISO/IEC 15408) comes in.

This international standard defines a framework for evaluating and certifying the security properties of IT products. It’s like a quality assurance system—but for cybersecurity.

In this article, we’ll demystify Common Criteria. What is it really about? Why does it matter? And how can you apply it in practice, whether you’re a product developer, security consultant, or procurement officer?


What Are the Common Criteria (ISO/IEC 15408)?

Common Criteria (CC) is the international standard for IT security evaluation. Its full title is:

ISO/IEC 15408: Information Technology – Security Techniques – Evaluation Criteria for IT Security.

It’s the result of efforts from multiple governments to unify their national security evaluation schemes. The idea: create a shared, internationally recognized set of criteria for assessing whether IT products meet certain security claims.

Think of it as the security passport for IT products. If a product is “Common Criteria certified,” it has passed an independent evaluation based on defined, measurable requirements.

The Basics: How Common Criteria (ISO/IEC 15408) Works

At its core, Common Criteria provides:

  • A standardized evaluation methodology

  • A set of security assurance levels (EAL 1 to EAL 7)

  • A framework for defining security functional requirements and assurance requirements

Let’s break that down.

1. Protection Profiles and Security Targets

Two foundational concepts in CC are:

  • Protection Profile (PP): A template or blueprint that outlines security requirements for a product type. For example, a firewall PP defines what every certified firewall should be able to do.

  • Security Target (ST): A product-specific document describing the actual security features and assurances a vendor wants to be evaluated against.

2. Evaluation Assurance Levels (EALs)

There are seven levels, from EAL1 (lowest) to EAL7 (highest). Each level defines how rigorously a product has been tested:

  • EAL1: Functionally tested

  • EAL2: Structurally tested

  • EAL3: Methodically tested and checked

  • EAL4: Methodically designed, tested, and reviewed (most common)

  • EAL5–7: High-assurance, formal verification (for highly critical systems)

Note: Higher is not always better. Going for EAL7 makes sense for military or national security systems—but is often overkill for commercial products.

3. Certification and Mutual Recognition

Common Criteria is backed by a network of certification bodies. Most countries involved are part of the Common Criteria Recognition Arrangement (CCRA).

This means: a product certified in one country (e.g., Germany or the US) is recognized in many others—reducing redundant certifications.

Why Common Criteria Matters

You might ask: “Do I really need to worry about Common Criteria?”

If you’re in one of the following roles, the answer is probably yes:

  • Security product vendor: Certification gives credibility and market access.

  • Government agency: Procurement policies often require CC certification.

  • Enterprise security team: Helps evaluate product trustworthiness.

  • Compliance officer: Proves that products meet specific assurance standards.

Let’s explore some of the practical benefits:

1. Transparent, Repeatable Security Claims

With CC, vendors must explicitly state what their product protects against. This improves transparency and allows buyers to compare apples to apples.

2. Independent Evaluation by Accredited Labs

No more blind trust. Common Criteria requires that independent, accredited testing labs (so-called Evaluation Facilities) validate the claims made by the vendor.

3. Structured Documentation and Rigor

The evaluation process includes detailed documentation and repeatable processes, reducing the chance of overlooked vulnerabilities.

Common Criteria (ISO/IEC 15408) in Practice: An End-to-End Overview

Let’s walk through the lifecycle of a CC certification process, from both the vendor and evaluator perspectives.

Step 1: Defining the Security Target

The vendor begins by writing a Security Target (ST), which includes:

  • Product description

  • Assumptions about the environment

  • Threat model and assets

  • Security objectives and countermeasures

  • Mapping to specific CC functional and assurance requirements

This is a crucial step. A poorly written ST can derail the whole evaluation process.
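The list above is essentially the traceability chain an evaluator checks in the ST rationale: every threat must be countered by a security objective, every objective for the TOE must be satisfied by claimed security functional requirements (SFRs), and the SFR dependencies from CC Part 2 must be met. The following Python script is an added example, not code from the article or from any certification body; it assumes a simplified data model, a constructed firewall-like ST, and an abbreviated subset of the Part 2 dependency table (the authoritative list is in ISO/IEC 15408-2). It finds the kind of gaps that derail an evaluation before the document ever reaches a lab.

```python
"""Traceability check over the rationale sections of a Security Target.

Constructed example with an assumed data model: threats -> objectives ->
SFRs, plus the SFR dependencies CC Part 2 imposes. Not a real CC tool.
"""
from dataclasses import dataclass

# Abbreviated subset of CC Part 2 SFR dependencies (assumption: the full,
# authoritative list lives in ISO/IEC 15408-2). Each inner tuple is
# "at least one of these must be claimed".
SFR_DEPENDENCIES = {
    "FAU_GEN.1": [("FPT_STM.1",)],                                   # audit needs reliable time
    "FIA_UAU.2": [("FIA_UID.1",)],                                   # authentication needs identification
    "FCS_COP.1": [("FCS_CKM.1", "FDP_ITC.1", "FDP_ITC.2"), ("FCS_CKM.4",)],
    "FCS_CKM.1": [("FCS_CKM.4",)],                                   # key generation needs key destruction
}


@dataclass
class SecurityTarget:
    threats: dict        # T.*  -> description
    objectives: dict     # O.* (TOE) / OE.* (environment) -> description
    sfrs: set            # SFR identifiers the ST claims for the TOE
    threat_to_obj: dict  # T.*  -> objectives that counter it
    obj_to_sfr: dict     # O.*  -> SFRs that satisfy it (OE.* need none)


def check_security_target(st: SecurityTarget) -> list:
    """Return a list of rationale findings; an empty list means the chain is complete."""
    findings = []
    # 1. Every threat is countered by at least one defined objective.
    for t in st.threats:
        objs = st.threat_to_obj.get(t, [])
        if not objs:
            findings.append(f"{t}: no security objective counters this threat")
        for o in objs:
            if o not in st.objectives:
                findings.append(f"{t}: maps to undefined objective {o}")
    # 2. Every TOE objective (O.*) is satisfied by claimed SFRs; OE.* objectives
    #    are met by the operational environment and need no SFR.
    for o in st.objectives:
        if o.startswith("OE."):
            continue
        sfrs = st.obj_to_sfr.get(o, [])
        if not sfrs:
            findings.append(f"{o}: no SFR satisfies this TOE objective")
        for s in sfrs:
            if s not in st.sfrs:
                findings.append(f"{o}: relies on SFR {s} that the ST does not claim")
    # 3. No orphan SFRs: everything claimed must trace back to an objective.
    justified = {s for sfrs in st.obj_to_sfr.values() for s in sfrs}
    for s in sorted(st.sfrs - justified):
        findings.append(f"{s}: claimed but traces to no objective")
    # 4. Part 2 dependencies of each claimed SFR are themselves claimed.
    for s in sorted(st.sfrs):
        for alternatives in SFR_DEPENDENCIES.get(s, []):
            if not any(a in st.sfrs for a in alternatives):
                findings.append(f"{s}: unmet dependency, needs one of {'/'.join(alternatives)}")
    return findings


def sample_st() -> SecurityTarget:
    """Constructed firewall-like ST with two deliberate rationale gaps."""
    return SecurityTarget(
        threats={
            "T.UNAUTH_ADMIN": "An attacker gains administrative access without authenticating",
            "T.AUDIT_LOSS": "Security-relevant events go unrecorded",
            "T.EAVESDROP": "Management traffic is read in transit",
            "T.TAMPER": "The appliance is physically modified",   # gap: never mapped
        },
        objectives={
            "O.AUTH": "Administrators are identified and authenticated before any action",
            "O.AUDIT": "Security-relevant events are recorded",
            "O.CRYPTO": "Management traffic is protected with approved algorithms",
            "OE.PHYSICAL": "The appliance is operated in a physically secured room",
        },
        sfrs={"FIA_UAU.2", "FIA_UID.1", "FAU_GEN.1",
              "FCS_COP.1", "FCS_CKM.1", "FCS_CKM.4"},           # gap: FPT_STM.1 missing
        threat_to_obj={
            "T.UNAUTH_ADMIN": ["O.AUTH"],
            "T.AUDIT_LOSS": ["O.AUDIT", "OE.PHYSICAL"],
            "T.EAVESDROP": ["O.CRYPTO"],
        },
        obj_to_sfr={
            "O.AUTH": ["FIA_UAU.2", "FIA_UID.1"],
            "O.AUDIT": ["FAU_GEN.1"],
            "O.CRYPTO": ["FCS_COP.1", "FCS_CKM.1", "FCS_CKM.4"],
        },
    )


if __name__ == "__main__":
    for finding in check_security_target(sample_st()):
        print(finding)
```

Run as-is, the script reports the unmapped threat and the missing FPT_STM.1 dependency; mapping T.TAMPER to OE.PHYSICAL and claiming FPT_STM.1 under O.AUDIT clears both. In a real ST, a dependency may also be left unmet with an explicit justification, which this check does not model.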

Step 2: Choosing an Evaluation Assurance Level

Most commercial vendors aim for EAL2–EAL4, balancing assurance and cost. Higher levels (EAL5–7) require formal design verification and are extremely expensive and time-consuming.

Step 3: Lab Evaluation

Once the ST is finalized, the product is submitted to an accredited testing lab. The lab performs:

  • Design and code reviews

  • Functional testing

  • Penetration testing

  • Review of development processes and configuration management

The level of depth depends on the selected EAL.

Step 4: Certification Decision

If the product meets the criteria, the lab submits an evaluation report to the national certification body (e.g., BSI in Germany or NIAP in the US). The agency issues a certificate.

This certificate is then listed in public databases like the Common Criteria Portal.

Practical Challenges and Limitations

While Common Criteria provides a structured, internationally recognized approach, it’s not without its drawbacks:

1. Cost and Time

CC evaluations, especially at EAL4+, can take 6–18 months and cost hundreds of thousands of dollars. For startups and fast-paced development cycles, this may be a dealbreaker.

2. Static Nature

CC is based on a snapshot of the product. If your product evolves quickly, you may need to re-certify for even minor updates.

3. Focus on Assurance Over Innovation

Some argue CC encourages compliance over creativity. Security features not explicitly part of an ST may not be evaluated.

4. Complexity of Documentation

The ST, PP, and associated evidence must be very detailed and precise. Writing this documentation often requires specialized consultants.

Modern Adaptations and Alternatives

To address some of these concerns, several lightweight or sector-specific adaptations have emerged:

  • NIAP Profiles (US): Streamlined Protection Profiles for commercial products.

  • EUCC (Europe): A planned European scheme aligned with CC but tailored for EU markets.

  • CSA STAR (Cloud Security Alliance): Not CC, but an alternative assurance framework for cloud services.

These provide more agility without giving up too much assurance.

Common Criteria vs. Other Standards

| Standard | Focus | Typical Use Case |
| --- | --- | --- |
| Common Criteria (CC) | Functional product security | Firewalls, smart cards, HSMs |
| ISO/IEC 27001 | Information security management | Organization-wide security |
| FIPS 140-3 | Cryptographic modules | Hardware encryption components |
| SOC 2 | Operational controls and processes | SaaS and service providers |

Common Criteria is not a management system standard. It’s about product-level assurance, not enterprise-level security posture.

How to Get Started with Common Criteria

For Vendors:

  1. Start with a Gap Analysis – Where are you vs. the required security functions?
  2. Decide on Your EAL – Aim for the minimum needed by your target market.
  3. Get Help – Engage consultants experienced with ST writing and labs.
  4. Choose the Right Lab – Based on cost, experience, and geographic recognition.

For Buyers:

  1. Check for Existing Certifications – Use the Common Criteria Portal.
  2. Understand What the ST Says – Don’t just look at the EAL. Read what’s actually evaluated.
  3. Match the PP – Ensure the product was tested against a relevant protection profile.

Conclusion: A Trusted but Demanding Path to Security Confidence

Common Criteria isn’t for everyone. But for certain products and sectors, it offers unmatched transparency, repeatability, and international recognition.

Think of it as a gold standard. Not the easiest, but the one that assures both vendors and buyers that security isn’t just a promise—it’s been tested and verified.

And that, in a world full of unverified claims and “trust us” marketing, is a big deal.
