12.03.21

Common Criteria: A Little-Known Standard with Huge Implications - DataLocker Inc.

The persistent evolution of technology has created numerous challenges for adopters. Organizations in and out of the government sector are burdened with carving security out of a network infrastructure that is already chock-full of complexities. Among that ever-mounting list of obligations is the commitment to enforcing policies that protect mission-critical operations from an ever more dangerous threat landscape. Enter Common Criteria.

Established in 1998, Common Criteria is a set of standards designed to safeguard IT infrastructures against the wide array of cyber security threats by directing its scrutiny to the marketplace. A globally recognized standard, it exists to evaluate and validate the integrity of IT products and services marketed to government customers. From the US and UK to Germany, New Zealand and beyond, Common Criteria represents the largest international initiative dedicated to quality assurance of the IT marketplace.

Once upon a time, each nation evaluated IT products against its own individually established criteria. This presented a unique challenge for vendors, who were saddled with satisfying standards in each of their respective target markets. Thanks to Common Criteria, those vendors can simply undergo a single evaluation that allows their products to be recognized worldwide.

The Common Components

While Common Criteria takes a streamlined approach to standardization, getting there is anything but simple. IT products must undergo rigorous testing from designated third-party labs, which examine various details associated with the use, transmission, and storage of data passing through the product or service in question.

Below we have outlined the basic tenets of Common Criteria:

Defined security target: Documentation that specifies the configuration and security functions of the product under evaluation. In a nutshell, it describes how the product works, then goes a step further to explain how its security claims are met.

Protection profile: A standardized template of requirements for VPNs, firewalls, and other specific product categories. Similar to the security target document, this template outlines both the functional and assurance requirements of the product. The most common of these profiles are published by the National Information Assurance Partnership (NIAP), the federal body that oversees the implementation of Common Criteria in the United States.

Functional evaluation: After a product is tested by the original design team, additional evaluations are conducted by independent testers to determine if the security operations function as intended.

Penetration testing: Ethical hacking procedures designed to identify and exploit any vulnerabilities in the security target. Third-party testers typically employ tactics that mimic the actions of malicious hackers in order to assess the vulnerability of the product.

How to Achieve Common Criteria Compliance

We’ve laid out the core tenets of Common Criteria. Now let’s examine what it takes to obtain the coveted seal of approval.

Understand YOUR Specifics

When it comes to Common Criteria, it’s important to know that IT products are not required to undergo each evaluation stage. For instance, some countries require analysis defined by the traditional Evaluation Assurance Level (EAL) framework, while others enforce guidelines from the NIAP protection profiles that replaced it in most jurisdictions. The exact process will ultimately be determined by the assurance specifications highlighted in the security target.

Choose a Location

Common Criteria is recognized by a body of nations collectively known as the Common Criteria Recognition Arrangement (CCRA). Membership includes Australia, France, Germany, the Netherlands, South Korea, the UK, and the US, among others. However, the number of countries or schemes that actually issue certificates is much smaller.

Each country uses a different set of rules when considering a product for evaluation, with national interest often playing a significant role in the decision. The product’s market and competition, the scheme country, and the flexibility of that scheme’s requirements are among the factors vendors should take into consideration when targeting a location for certification.

Fill the Gaps

The security of a given IT product will be tested thoroughly during the evaluation process. Nevertheless, vendors are strongly encouraged to identify and address any vulnerabilities that may exist before applying for certification. Although it is not uncommon for applicants to fail the initial round of testing, neglecting to shore up potential issues beforehand can result in the need for cost-prohibitive fixes, in addition to prolonged evaluation periods that delay the product’s release to market.

DataLocker is committed to providing high-quality IT security products that meet strict compliance requirements, including Common Criteria. Contact our team to customize a demo tailored to your data protection needs.