Definition

Common Criteria (CC) for Information Technology Security Evaluation

Part of the Security management glossary:

Common Criteria (CC) is an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. Common Criteria is more formally called "Common Criteria for Information Technology Security Evaluation." 

Common Criteria has two key components: Protection Profiles and Evaluation Assurance Levels. A Protection Profile (PPro) defines a standard set of security requirements for a specific type of product, such as a firewall. The Evaluation Assurance Level  (EAL) defines how thoroughly the product is tested.  Evaluation Assurance Levels are scaled from 1-7,  with one being the lowest-level evaluation and seven being the highest-level of evaluation. A higher-level evaluation does not mean the product has a higher level of security, only that the product went through more tests. 

To submit a product for evaluation, the vendor must first complete a Security Target (ST) description, which includes an overview of the product and product's security features, an evaluation of potential security threats and the vendor's self-assessment detailing how the product conforms to the relevant Protection Profile at the Evaluation Assurance Level the vendor chooses to test against. The laboratory then tests the product to verify the product's security features and evaluates how well it meets the specifications defined in the Protection Profile. The results of a successful evaluation form the basis for an official certification of the product. The goal of CC certification is to assure customers that the products they are buying have been evaluated and that the vendor's claims have been verified by a vendor-neutral third party. 

 

Learn more:

The Common Criteria Portal makes the guidelines and specifications available for downloading

The Trusted Computer System Evaluation Criteria was superseded by the Common Criteria for Information Technology Security Evaluation in 2005.

This was last updated in March 2011
Posted by: Margaret Rouse

Related Terms

Definitions

  • Types of enterprise risk

    - An enterprise risk is any potential event that could threaten an organization's ability to achieve its financial goals; long term, a risk can be a threat to sustainability. In a business context, r... (WhatIs.com)

  • business risk

    - A risk, in a business context, is anything that threatens an organization's ability to generate profits at its target levels. Business risks are broadly categorized as pure risks, which are negativ... (WhatIs.com)

  • pay for privacy

    - Pay for privacy is a business model in which customers are charged a fee to ensure that their data will not be shared and is secure from third-party access. In some contexts, a pay for privacy serv... (WhatIs.com)

Glossaries

  • Security management

    - Terms related to security management, including definitions about intrusion detection systems (IDS) and words and phrases about asset management, security policies, security monitoring, authorizati...

  • Internet applications

    - This WhatIs.com glossary contains terms related to Internet applications, including definitions about Software as a Service (SaaS) delivery models and words and phrases about web sites, e-commerce ...

Ask a Question. Find an Answer.Powered by ITKnowledgeExchange.com

Ask An IT Question

Get answers from your peers on your most technical challenges

Ask Question

Tech TalkComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.