What are the Common Criteria (CC)?
Common Criteria = ISO/IEC 15408, an international standard for evaluating and certifying the security properties of IT products (not organisations) — used heavily for smartcards, firewalls, and government systems.
* Common Criteria in one picture: the TOE is described by a Security Target that claims a Protection Profile, and the whole thing is evaluated to an EAL. *
The full title (Rev 5): "Common Criteria for Information Technology Security Evaluation."
What CC certifies: the product (an OS, a firewall appliance, a smartcard chip) against a defined Protection Profile (PP) — a list of security requirements for that product class.
Key concepts:
| Term | Meaning |
|---|---|
| TOE | Target of Evaluation — the product being certified |
| PP | Protection Profile — generic requirements for a class (e.g., "firewalls for federal use") |
| ST | Security Target — how the specific TOE claims to meet a PP |
| EAL 1–7 | Evaluation Assurance Levels — depth of evaluation (more on this in the FIPS card) |
Mutual recognition: countries that signed the Common Criteria Recognition Arrangement (CCRA) accept each other's certifications up to EAL 4.
Tip: CC certification is slow and expensive (months to years, six-figure costs). It's worth it only when a customer (often a government) demands it, or when a vendor wants to lock competitors out of a regulated market.
Go deeper:
Common Criteria — ISO/IEC 15408 (Wikipedia) — TOE, Protection Profile, Security Target, EAL 1-7 and the CCRA mutual-recognition arrangement.