In the ever-evolving realm of information technology (IT) security, the need for a standardized, globally recognized framework to evaluate and certify security measures has become increasingly critical. This led to the development of the Common Criteria for Information Technology Security Evaluation, commonly known as Common Criteria (CC). Since its inception, CC has evolved significantly.
Origins and Foundation
The origins of Common Criteria can be traced back to the late 1980s and early 1990s, a period marked by the rapid growth of IT and the subsequent realization of the need for standardized security evaluation criteria. During this time, several countries, including the United States, Canada, France, Germany, Japan, and the United Kingdom, recognized the need for a unified approach to IT security evaluation. Each of these nations had developed its own national security evaluation criteria, which, while effective within their respective borders, created a fragmented and often inconsistent global landscape.
The impetus for a unified standard came from recognizing that a common framework could streamline and standardize the evaluation process across different countries and industries, enhancing interoperability and trust in IT security products and systems. This realization led to collaborative efforts among the nations above, culminating in the first version of the Common Criteria standard in 1996.
The development of CC was driven by the primary objective of providing a transparent and repeatable process for evaluating the security properties of eligible IT products against specified security requirements. By establishing a common language and set of criteria, the standard aimed to improve confidence in the security features of these products, thereby facilitating informed procurement decisions by governments and organizations. The impact of Common Criteria was prominent not only in creating a globally harmonized framework but also in fostering international cooperation in the field of cybersecurity.
Evolution of Versions and Revisions
The early 2000s saw the introduction of CC Version 2.x, which brought about a notable shift in focus towards security assurance and evaluation methodologies. This version introduced structured assurance levels, providing a more detailed and comprehensive approach to assessing the security functionalities of IT products.
The subsequent release of CC Version 3.x in the mid-2000s further refined the evaluation processes, integrating more rigorous testing methodologies and accommodating technological advancements and cybersecurity threats.
This evolution was about improving the evaluation process and aligning Common Criteria with other prominent international cybersecurity standards, such as ISO/IEC 15408 and NIST SP 800-53. Harmonization was crucial in reducing redundancy, enhancing interoperability, and fostering a unified approach to evaluating and certifying IT security products globally.
Initially focused on traditional IT products like operating systems and network devices, CC expanded its purview to include emerging technologies such as cloud computing and mobile platforms, and in some instances – depending on the specific protection profiles – also consumer IoT devices.
The most recent evolution of the standard is represented by Common Criteria 2022 (CC2022), which emphasizes improved clarity and consistency in security requirements and evaluations. The European Union Common Criteria (EUCC) scheme, although a new and distinct scheme, will be closely related to CC2022. With the phasing out of CCv3.1, any new assessments under the EUCC scheme will exclusively utilize the CC2022 methodology.
Adoption and Implementation Challenges
One of the primary challenges was the limited availability of skilled evaluators and assessors capable of conducting evaluations according to Common Criteria standards. This shortage of expertise made it difficult for organizations to undergo the certification process, further contributing to the slow adoption. Variance in the interpretation of assessment criteria among different certification bodies and evaluators also led to inconsistent outcomes.
Despite these challenges, the value of CC became increasingly recognized over time, leading to a gradual increase in its adoption across various industries and countries. Establishing certification bodies and training skilled evaluators helped mitigate some of the early challenges, paving the way for more widespread implementation.
Global Acceptance and Recognition
The establishment of the Common Criteria Recognition Arrangement (CCRA) among participating countries was a key milestone in the global acceptance and recognition of CC.
The CCRA facilitated the mutual recognition of Common Criteria certificates, meaning that a product certified in one CCRA member country would be recognized as certified in all other member countries. This step significantly enhanced the international acceptance of Common Criteria, making it a truly global standard for IT security evaluation.
The alignment of CC with ISO/IEC 15408 further bolstered its international recognition. ISO/IEC 15408, known as the “Common Criteria for Information Technology Security Evaluation,” provided a standardized framework for evaluating the security of IT products, and its alignment with CC ensured that the two standards complemented each other, reducing redundancy and fostering a unified approach to IT security evaluation. The endorsement of CC by leading industry players and its integration into procurement policies also played a significant role in its global recognition.
Summary
Independent cybersecurity labs, such as CCLab, offer extensive support to businesses, delivering services like CC consultation for ISO 15408 compliance and Common Criteria evaluations under EUCC. These services enable manufacturers to effectively navigate the complexities of cybersecurity assessments, contributing to a safer digital landscape. As technology evolves, obtaining CC certification for products is crucial for manufacturers, ensuring robust product security and boosting their competitiveness in the global market.