ISO/IEC 15408, commonly referred to as Common Criteria (CC), is an international standard used for evaluating and certifying the security features and capabilities of information technology products and systems. The Common Criteria is designed to provide a consistent and globally recognized framework for assessing the security of software, hardware, and other IT components. Here's a detailed explanation of ISO/IEC 15408 Common Criteria:
1. Background and Purpose:
The Common Criteria was developed to address the need for standardized security evaluations of IT products and systems. It emerged from a collaboration between several nations, including the United States, Canada, the United Kingdom, France, Germany, and the Netherlands. The primary purpose of the Common Criteria is to provide a consistent and reliable way to evaluate and compare the security attributes of IT products and systems.
2. Key Concepts and Components:
a. **Protection Profiles (PPs)**: Protection Profiles are documents that define security requirements for a specific class of IT products or systems. They describe the security objectives and functional and assurance requirements that a product or system must meet to achieve a certain level of security.
b. **Security Target (ST)**: A Security Target is a document that outlines the specific security requirements and features of an individual IT product or system. It serves as the basis for security evaluations and certification.
c. **Target of Evaluation (TOE)**: The Target of Evaluation is the specific IT product or system being evaluated for security. It is defined in the Security Target.
d. **Evaluation Assurance Levels (EALs)**: EALs are a set of predefined levels that indicate the depth and rigor of an evaluation. They range from EAL1 (the lowest) to EAL7 (the highest), with each level specifying a different set of evaluation criteria and requirements.
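The relationship between these four concepts can be made concrete with a small conformance check of the kind an evaluator performs early in an evaluation: the Security Target (ST) for a Target of Evaluation (TOE) claims conformance to one or more Protection Profiles (PPs) and to an EAL, and every functional requirement (SFR) the PP demands and every assurance requirement (SAR) the PP and the EAL package demand must appear in the ST. The following is an added example, not part of this page and not any scheme's or laboratory's tooling. The `ProtectionProfile`, `SecurityTarget`, `check_conformance` and `conforms` names are constructed for illustration; the PP, the TOE name, and the EAL package contents are a constructed, simplified subset of the component tables in CC Parts 2 and 3, not the full lists.

```python
"""Constructed example: cross-check a Security Target (ST) against the
Protection Profile(s) it claims and the EAL package it claims."""
from dataclasses import dataclass

# Simplified, constructed subset of the CC Part 3 assurance packages.
# The real EAL tables contain more components (e.g. the ASE family); this
# is only enough to illustrate the check.
EAL_PACKAGES: dict[int, set[str]] = {
    1: {"ADV_FSP.1", "AGD_OPE.1", "AGD_PRE.1", "ALC_CMC.1", "ALC_CMS.1",
        "ATE_IND.1", "AVA_VAN.1"},
    2: {"ADV_ARC.1", "ADV_FSP.2", "ADV_TDS.1", "AGD_OPE.1", "AGD_PRE.1",
        "ALC_CMC.2", "ALC_CMS.2", "ALC_DEL.1", "ATE_COV.1", "ATE_FUN.1",
        "ATE_IND.2", "AVA_VAN.2"},
}


@dataclass
class ProtectionProfile:
    name: str
    sfrs: set[str]   # security functional requirements (CC Part 2 components)
    sars: set[str]   # security assurance requirements (CC Part 3 components)


@dataclass
class SecurityTarget:
    toe: str               # the Target of Evaluation this ST describes
    claimed_pps: list[str]  # PPs the ST claims conformance to
    claimed_eal: int
    sfrs: set[str]
    sars: set[str]


def check_conformance(st: SecurityTarget,
                      pps: dict[str, ProtectionProfile]) -> dict[str, list[str]]:
    """Return the gaps between what the ST claims and what its PPs and EAL require.

    Each list is sorted so the report is deterministic. An empty report means
    every PP requirement and every EAL package component is covered."""
    findings: dict[str, list[str]] = {
        "unknown_pps": [],      # claimed PPs we have no definition for
        "missing_sfrs": [],     # PP functional requirements absent from the ST
        "missing_sars": [],     # PP assurance requirements absent from the ST
        "missing_eal_sars": [], # EAL package components absent from the ST
    }
    for name in st.claimed_pps:
        pp = pps.get(name)
        if pp is None:
            findings["unknown_pps"].append(name)
            continue
        findings["missing_sfrs"].extend(sorted(pp.sfrs - st.sfrs))
        findings["missing_sars"].extend(sorted(pp.sars - st.sars))
    package = EAL_PACKAGES.get(st.claimed_eal)
    if package is None:
        raise ValueError(f"no assurance package defined for EAL{st.claimed_eal}")
    findings["missing_eal_sars"] = sorted(package - st.sars)
    return findings


def conforms(findings: dict[str, list[str]]) -> bool:
    """True when the conformance report contains no gaps."""
    return not any(findings.values())


# Constructed PP: a network-gateway style profile demanding audit, information
# flow control, user identification/authentication, management and time stamps,
# evaluated at (the simplified) EAL2.
PPS: dict[str, ProtectionProfile] = {
    "PP-Gateway-Constructed": ProtectionProfile(
        name="PP-Gateway-Constructed",
        sfrs={"FAU_GEN.1", "FDP_IFC.1", "FDP_IFF.1", "FIA_UAU.2",
              "FIA_UID.2", "FMT_SMF.1", "FPT_STM.1"},
        sars=set(EAL_PACKAGES[2]),
    ),
}

# Constructed draft ST for a hypothetical TOE that omits one PP SFR
# (reliable time stamps) and one EAL2 SAR (test coverage analysis).
DRAFT_ST = SecurityTarget(
    toe="ExampleGateway 1.0 (hypothetical)",
    claimed_pps=["PP-Gateway-Constructed"],
    claimed_eal=2,
    sfrs={"FAU_GEN.1", "FDP_IFC.1", "FDP_IFF.1", "FIA_UAU.2",
          "FIA_UID.2", "FMT_SMF.1"},
    sars=EAL_PACKAGES[2] - {"ATE_COV.1"},
)

# The same ST after the author adds the missing requirements.
FINAL_ST = SecurityTarget(
    toe=DRAFT_ST.toe,
    claimed_pps=list(DRAFT_ST.claimed_pps),
    claimed_eal=2,
    sfrs=DRAFT_ST.sfrs | {"FPT_STM.1"},
    sars=DRAFT_ST.sars | {"ATE_COV.1"},
)

if __name__ == "__main__":
    for label, st in (("draft", DRAFT_ST), ("final", FINAL_ST)):
        report = check_conformance(st, PPS)
        print(f"{label}: conforms={conforms(report)} {report}")
```

The two sets are deliberately kept apart in the code: SFRs come from the PP and describe what the TOE must do, while SARs come from the PP and the EAL package and describe how thoroughly the claim is evaluated. That is why a claimed EAL on its own says nothing about which security functions a product provides.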
3. Evaluation and Certification Process:
The Common Criteria evaluation and certification process involves the following key steps:
a. **Preparation**: The product developer or system owner defines the security requirements and objectives in a Security Target (ST) or selects a relevant Protection Profile (PP).
b. **Security Evaluation**: Independent evaluation laboratories or organizations conduct a thorough assessment of the product or system's security against the defined criteria.
c. **Documentation**: The results of the security evaluation, along with all relevant documentation, are compiled and submitted for review.
d. **Certification**: If the product or system meets the security requirements and passes the evaluation, it is granted Common Criteria certification at a specific Evaluation Assurance Level (EAL).
e. **Security Target and Certification Documentation**: The Security Target, evaluation documentation, and certification reports are made publicly available, allowing customers to assess the security of the certified product or system.
4. Evaluation Assurance Levels (EALs):
EALs range from EAL1 (functionally tested) to EAL7 (formally verified). The higher the EAL, the more rigorous and comprehensive the evaluation process. An EAL expresses the level of confidence that a certified product or system implements its claimed security functions correctly; it measures the depth of the evaluation, not the strength of the security functions themselves, so two products at the same EAL can claim very different functional requirements.
5. Global Recognition:
The Common Criteria is internationally recognized, and certified products and systems can be used in a wide range of government and industry applications around the world. Many countries and regions have established schemes for Common Criteria certification, including the United States (through the National Information Assurance Partnership, NIAP) and the European Union.
6. Benefits:
- Interoperability: Common Criteria helps ensure that IT products and systems meet security standards, allowing for better interoperability between different systems.
- Risk Mitigation: Certification provides confidence in the security of products and systems, reducing the risk of security breaches and vulnerabilities.
- Global Market Access: Certified products and systems can be marketed and sold internationally, expanding market opportunities for manufacturers.
In summary, ISO/IEC 15408 Common Criteria is an internationally recognized standard for evaluating and certifying the security of information technology products and systems. It provides a consistent framework for assessing and comparing the security attributes of IT components and plays a vital role in ensuring the security of digital infrastructure and systems around the world.