LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the Common Criteria (CC)?

Common Criteria = ISO/IEC 15408, an international standard for evaluating and certifying the security properties of IT products (not organisations) — used heavily for smartcards, firewalls, and government systems.

Relationship of Common Criteria concepts: a Protection Profile and a TOE are both tied to a Security Target, which is evaluated to an EAL 1-7 assurance level

* Common Criteria in one picture: the TOE is described by a Security Target that claims a Protection Profile, and the whole thing is evaluated to an EAL. *

The full title (Rev 5): "Common Criteria for Information Technology Security Evaluation."

What CC certifies: the product (an OS, a firewall appliance, a smartcard chip) against a defined Protection Profile (PP) — a list of security requirements for that product class.

Key concepts:

Term Meaning
TOE Target of Evaluation — the product being certified
PP Protection Profile — generic requirements for a class (e.g., "firewalls for federal use")
ST Security Target — how the specific TOE claims to meet a PP
EAL 1–7 Evaluation Assurance Levels — depth of evaluation (more on this in the FIPS card)

Mutual recognition: countries that signed the Common Criteria Recognition Arrangement (CCRA) accept each other's certifications up to EAL 4.

Tip: CC certification is slow and expensive (months to years, six-figure costs). It's worth it only when a customer (often a government) demands it, or when a vendor wants to lock competitors out of a regulated market.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026