The Common Criteria for Information Technology Security Evaluation is an international standard that helps organizations assess and certify the security of IT products.
Common Criteria provides assurance that an IT system can be trusted according to a set of predefined requirements. These requirements specify how well a product or service meets certain security demands such as confidentiality, integrity, availability, authentication, and non-repudiation.
To achieve Common Criteria certification, vendors must demonstrate conformance with all applicable regulations, policies, standards, and guidelines. Certification gives users, purchasers, and regulators confidence in the product’s compliance. It also lets customers make informed choices based on the certifications that products have obtained.
What Is Common Criteria?
Common Criteria is a framework in which computer system users can specify their security functional requirements and security assurance requirements (SFRs and SARs respectively) in a Security Target (ST); these requirements may be drawn from a Protection Profile (PP).
The ST contains information about what the user wants to protect against, including threats, vulnerabilities, and risks. PPs contain information about how to implement the SFRs and SARs in a particular technology. A full PP may include one or more smaller PPs, each describing a specific technology used to protect against a threat or vulnerability.
The Common Criteria defines a framework for carrying out evaluations under which products and services may be certified against specific security functional requirements. It establishes procedures for performing independent reviews and audits of evaluated systems and methods. In addition, it sets out a common language for describing these processes and results.
How Does Common Criteria Work?
In order to achieve Common Criteria certification, a vendor needs to provide documentation demonstrating that its products meet the required SFRs and SARs. The vendor then submits the documentation for review.
Certificate Authorizing Schemes can certify the security properties of an evaluated product based on the results of the evaluation. These certificates are recognized by all signatories of the Common Criteria Recognition Arrangement (CCRA), officially acknowledging Common Criteria certificates as the global standard.
Why Should I Evaluate My Product?
If your organization has purchased a product or service from another company, you might want to know if the product or service complies with the security requirements stated on the label or packaging. This way, you can ensure that the product or service meets your own organization’s security requirements.
In the US, the Committee on National Security Systems (CNSS) releases policies binding upon all US Government departments and agencies. CNSS policy requires that all classified networks use equipment certified by Common Criteria. The National Information Assurance Partnership (NIAP) also provides guidance for evaluating software products and services. NIAP recommends that organizations conduct a pre-purchase assessment of the suitability of the product or service being considered.
Common Criteria evaluations can be performed against a set of predetermined Evaluation Assurance Levels (EALs). EALs define different levels based on how well the product satisfies various functional and assurance security requirements. By using the Common Criteria evaluation process, organizations can determine whether a product’s security features are consistent with its claimed security functionality.
Accelerated Memory Validation Support
Our team at Accelerated Memory Production, Inc. offers full support throughout the complicated validation process of Common Criteria with the National Information Assurance Partnership (NIAP), which can take up to 6 months.
We offer a complete solution for Common Criteria evaluation and validation. If you would like more information about our services, please contact us today.