Browse Definitions :
Definition

Common Criteria (CC) for Information Technology Security Evaluation

TechTarget Contributor
By

Common Criteria (CC) is an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. Common Criteria is more formally called "Common Criteria for Information Technology Security Evaluation." 

Common Criteria has two key components: Protection Profiles and Evaluation Assurance Levels. A Protection Profile (PPro) defines a standard set of security requirements for a specific type of product, such as a firewall. The Evaluation Assurance Level  (EAL) defines how thoroughly the product is tested.  Evaluation Assurance Levels are scaled from 1-7,  with one being the lowest-level evaluation and seven being the highest-level of evaluation. A higher-level evaluation does not mean the product has a higher level of security, only that the product went through more tests. 

To submit a product for evaluation, the vendor must first complete a Security Target (ST) description, which includes an overview of the product and product's security features, an evaluation of potential security threats and the vendor's self-assessment detailing how the product conforms to the relevant Protection Profile at the Evaluation Assurance Level the vendor chooses to test against. The laboratory then tests the product to verify the product's security features and evaluates how well it meets the specifications defined in the Protection Profile. The results of a successful evaluation form the basis for an official certification of the product. The goal of CC certification is to assure customers that the products they are buying have been evaluated and that the vendor's claims have been verified by a vendor-neutral third party. 

 

Learn more:

The Common Criteria Portal makes the guidelines and specifications available for downloading. 

The Trusted Computer System Evaluation Criteria was superseded by the Common Criteria for Information Technology Security Evaluation in 2005.

This was last updated in March 2011
Networking
  • net neutrality

    Net neutrality is the concept of an open, equal internet for everyone, regardless of content consumed or the device, application ...

  • network scanning

    Network scanning is a procedure for identifying active devices on a network by employing a feature or features in the network ...

  • networking (computer)

    Networking, also known as computer networking, is the practice of transporting and exchanging data between nodes over a shared ...

Security
CIO
  • IT budget

    IT budget is the amount of money spent on an organization's information technology systems and services. It includes compensation...

  • project scope

    Project scope is the part of project planning that involves determining and documenting a list of specific project goals, ...

  • core competencies

    For any organization, its core competencies refer to the capabilities, knowledge, skills and resources that constitute its '...

HRSoftware
  • employee onboarding and offboarding

    Employee onboarding involves all the steps needed to get a new employee successfully deployed and productive, while offboarding ...

  • succession planning

    Succession planning is the strategic process of identifying and developing internal candidates to fill key organizational roles ...

  • recruitment

    Recruitment is the process of finding, screening, hiring and onboarding qualified job candidates.

Customer Experience
  • chatbot

    A chatbot is a software or computer program that simulates human conversation or "chatter" through text or voice interactions.

  • martech (marketing technology)

    Martech (marketing technology) refers to the integration of software tools, platforms, and applications designed to streamline ...

  • transactional marketing

    Transactional marketing is a business strategy that focuses on single, point-of-sale transactions.

Close