WHAT: The Common Criteria (CC) is an international standard (ISO/IEC 15408) for IT leaders looking to evaluate systems/products or define security requirements: “it provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner” (R1)
WHY: The CC is primarily focused on a standards based evaluation of systems or products. To that end the CC was developed by six NATO countries: USA, UK, FR, CAN, NL, & DE. Its’ secondary role is for selecting and defining IT security requirements, and writing high-level system specifications. It has been criticized for not taking vital project data such as timelines and costs into account, thus it has not been universally adopted and has competitors such as FIPS-140 and the UK’s CESG.
The CC has seven measuring criteria via these Evaluation Assurance Levels (EALs):
(R2)
EXAMPLE: The CC maybe used to identify customer requirements for RFPs & RFQs. CC Paradigms
(R3)
DEFINITIONS:
PP: A Protection Profile is set of security requirements for a class of TOEs
TOE: Targets of Evaluations meet a specific need such as a product or system w/ its’ administration details & other documentation.
ST: Security Target is a a set of security requirements that includes product-specific information. It is often a refined PP, forming the basis for evaluation
REFERENCES:
(R1) https://en.wikipedia.org/wiki/Common_Criteria
https://www.commoncriteriaportal.org/index.cfm?
Current Version: https://www.iso.org/standard/50341.html
(R2) https://www.slideserve.com/dewei/security-models-and-architecture
https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf
(R3) https://www.us-cert.gov/bsi/articles/best-practices/requirements-engineering/the-common-criteria
https://www.sans.org/reading-room/whitepapers/standards/common-criteria-iso-iec-15408-insight-thoughts-questions-issues-545