What is
Common Criteria?

Common Criteria or CC is an international standard for computer security. It is a framework that computer users can employ to specify functional and assurance requirements for security.

The US, Canada, the Netherlands, Germany, France, and the UK developed the Common Criteria for Information Technology Security Evaluation in 1994. They defined a set of security requirements that products and systems must meet for government deployments. Since then, many other countries have signed the agreement.

What Is Common Criteria Certification?


Common Criteria is the model that governments use as a certification scheme for the products they choose to use in government agencies and critical infrastructure. Many enterprises also use Common Criteria in their software selection process because of the quality that Common Criteria Certification guarantees.

The Common Criteria Recognition Arrangement (CCRA) is defined in The Common Criteria for Information Technology Security Evaluation and the Common Methodology for Information Technology Security Evaluation (CEM). These are very generic standards and do not guarantee security.

However, a Common Criteria Certification can make sure that the security claims of a vendor were evaluated independently.

CC certification makes products that have been evaluated available to a wider group of users, ensures that product lives up to the vendor's claims, and removes the burden and cost of evaluating software from software customers.

Key Common Criteria Concepts


Here are some concepts you may need to know when you are trying to understand Common Criteria:

  • Target of Evaluation (TOE): This is the product or system that is being evaluated.
  • Security Target (ST): This document defines the security properties of the product being evaluated. It allows software vendors to customize the evaluation to the specific capabilities of their product. It also helps potential customers determine what security features of the product have been tested, so they can make more informed decisions.
  • Protection Profile (PP): This is a document the user community creates to identify the security requirements for a specific class of security devices like digital signatures or firewalls. Vendors can choose to manufacture products that comply with one or more PPs and then have their products evaluated against them. Vendors can also use PPs as a model to create their own Security Targets.
  • Security Functional Requirements (SFRs): These list the unique security functions provided by a product.
  • Security Assurance Requirements (SARs): These are used in the quality assurance process and describe the steps to take in order to ensure a product meets its claimed security standards.
  • Evaluation Assurance Level (EAL): This is a numerical rating that describes the depth and rigor of evaluation. Each EAL corresponds to a set of SARs. Common Criteria lists seven levels of EAL where 1 is the most basic level of evaluation and 7 is the most stringent.

How Products Get CC Certified


Here are some steps a company must use to become Common Criteria Certified:

  1. The company must complete a Security Target description along with any supporting documents. This should include an overview of the product, its security features, and any potential security threats.
  2. The company must find an independently licensed laboratory to evaluate its product and determine if it meets the security standards the company has defined for the product.
  3. Once the product passes the evaluation, one of many Certificate Authoring Schemes issues certification.

Common Criteria is an international standard for computer security certification. Product vendors can get their products Common Criteria Certified to prove the security claims they make, and then enterprises can compare their security needs against the tested claims to find software and systems to add to their infrastructure.

Learn more


For more details on Illumio's Common Criteria and other government security certifications, visit our Federal solutions page.