Learn about the basics of Common Criteria certification: what is Common Criteria, what are the EAL levels, and approximately how long the procedure takes. Moreover, we provide an insight into the most common products that go through Common Criteria certification process
The number of Common Criteria certification for cybersecurity products is slowly but surely increasing yearly. Although more and more people are getting familiar with this international set of standards, the topic is still surrounded by many questions.
We will answer the most common ones.
Table of Contents
1. What is Common Criteria Certification?
Common Criteria is a framework of internationally recognized and scalable cybersecurity certification standards (ISO 15408). CC certifications are recognized by all CCRA members, which at the moment means 31 countries. The Common Criteria certification is the process that the IT product or service must go through in order to get certified. The assessment must be completed by a competent and independent, accredited Testing Laboratory. Supporting documents are used throughout the Common Criteria certification process to clarify how the measures and evaluation procedures should be employed, when assessing and certifying specific IT products.
2. What happens before starting the evaluation?
It’s highly recommended to hire a CC specialist before starting the Common Criteria certification process to ensure the highest quality of developer documentation for the assessment. In addition to that, you need to choose an accredited Testing Laboratory, and ensure that the following processes are performed before initiating the Common Criteria assessment:
- Choose National Scheme
- Decide on Target of Evaluation and its boundaries
- Pick an EAL level
- Choose the Protection Profile (this is optional)
- Prepare the Security Target
- Approve the Evaluation Work Plan provided by the Testing Laboratory
3. What does each EAL level mean?
The Common Criteria Evaluation Assurance Level (EAL) indicates how thoroughly an IT security product or system has been verified. EALs range from 1 to 7, with 1 indicating the lowest level of evaluation and 7 indicating the highest. A higher level Common Criteria evaluation does not necessarily imply that the product is more secure; rather, it suggests that the product has undergone more or deeper testing.
The EAL levels are the following:
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested and Reviewed
- EAL5: Semi-Formally Designed and Tested
- EAL6: Semi-Formally Verified Design and Tested
- EAL7: Formally Verified Design and Tested
In 2021 EAL4 evaluation level was the most frequent based on the latest Common Criteria Statistic Report. A total of 411 products got Common Criteria certified of which 169 were high assurance evaluations (EAL4-EAL7). Low assurance evaluations (EAL1-EAL3) represented 22.63% of all the Common Criteria evaluations with a total of 93 certified products.
How long does aCommon Criteria certification process take?
The time of a Common Criteria certification process is determined by a variety of factors, including the product’s complexity and the EAL chosen. It usually takes a few months, but it might take much longer depending on the quality of the submitted documentation and the preparedness of the Developer/Sponsor. Once the evaluation is completed, the Laboratory sends the Evaluation Technical Report (ETR) to the Certification Body. ETR serves as the foundation for the certificate if the product or service met the requirements of the Standards and passed all the executed tests for each evaluation classes.
+1 What are the most common products that go through Common Criteria certification process?
The most common products of all time that got CC certified are the followings:
- ICs, Smart Cards and Smart Card-Related Devices and Systems: 583 Certified Products
- Other Devices and Systems – 266 Certified Products
- Network and Network-Related Devices and Systems: 231 Certified Products
- Products for Digital Signatures: 58 Certified Products
- Data Protection: 57 Certified Products
- Operating Systems: 53 Certified Products
Cue
As you can see, going through the Common Criteria certification procedure is a complex task, so we recommend that you involve an expert, who will accompany you from preparation through pre-assessment to the end of the evaluation process.
