The Common Criteria, recognized worldwide, provides a standardized framework for evaluating the security attributes of IT products and systems. From defining security requirements to testing and verifying products against these requirements, the Common Criteria assure that the evaluation process is rigorous, repeatable, and thorough.
To ensure the success of the program on a national basis, organizations in those locales will manage certified labs that can test for Common Criteria standards. One such organization and program in the United States is the National Voluntary Laboratory Accreditation Program, or NVLAP).
This article will discuss Common Criteria and how they are managed under NVLAP.
What Is the Common Criteria?
The Common Criteria for Information Technology Security Evaluation (Common Criteria or even “CC” for short) is an international standard of structured evaluation methods for IT products and services. CC is recognized worldwide and mutually by 31 nations that have signed the Common Criteria Recognition Arrangement (CCRA).
The CC is significant in ensuring a computer security product’s specification, implementation, and evaluation such that assessment results are well-maintained and documented.
Licensed laboratories conduct Common Criteria evaluations, certified by national certification bodies. For example, in the United States, national certification bodies are often authorized under NVLAP.
What Are the Components of a Common Criteria Evaluation?
The Common Criteria for Information Technology Security Evaluation (Common Criteria) sets a framework for evaluating the security attributes of IT products and systems. A Common Criteria evaluation is a rigorous and thorough process that has several key components:
- Security Target (ST): The ST is a document that outlines the security properties of the product being evaluated, including the functional security requirements (what the product should do to maintain security) and the security assurance requirements (the rigor of the evaluation process). The ST is specific to each product and is used as the basis for evaluation.
- Protection Profiles (PP): A PP is an implementation-independent set of security requirements for products that meet specific customer needs. It allows consumers to specify and vendors to implement the security aspects of products in a standard manner. Some evaluations may only use a PP if one exists for the specific type of product being evaluated.
- Security Functional Requirements: These requirements provide detailed specifications for the behavior of the security attributes of a product or system. These specifications include confidentiality, data protection, identification, authentication, security and data management, resource utilization, and access control.
- Evaluation Assurance Level (EAL): The EAL designates the level of rigor and depth of a particular assessment, with higher levels referring to more rigorous evaluations.
What Are the Evaluation Assurance Levels of Common Criteria?
Common Criteria evaluations are performed at different assurance levels ranging from EAL1 to EAL7. A higher EAL number represents a higher level of security but also implies more rigorous testing requirements, which can be more time-consuming and costly. The rigor of such evaluation refers specifically to the evaluation process–how “in-depth” and comprehensive a particular test and evaluation will be performed.
The seven levels of EALs include:
- EAL1 – Functionally Tested: This level applies where security threats are not considered severe. It evaluates the product as it would be sold or distributed to a customer and includes independent testing against a specification and review of supplier security measures.
- EAL2 – Structurally Tested: In addition to the requirements of EAL1, an analysis of the system architecture is required. A more thorough investigation of the product and its development environment is conducted than for EAL1.
- EAL3 – Methodically Tested and Checked: EAL3 includes all the requirements of EAL2 and requires a more systematic coverage and analysis of the product and its development environment. A rudimentary set of development controls is required.
- EAL4 – Methodically Designed, Tested, and Reviewed: EAL4 adds the requirement for a formal product specification and tests demonstrating correspondence between the product and its specification. In addition, a more thorough analysis of the product development environment is required.
- EAL5 – Semi-Formally Designed and Tested: EAL5 requires the requirements of EAL4, a formal model of the product’s security policy, evidence of a more sophisticated development environment, and more thorough testing.
- EAL6 – Semi-Formally Verified Design and Tested: EAL6 includes the requirements of EAL5 but with a more detailed and thorough model of the product’s security policy and evidence of an even more robust development environment. The testing effort is also more thorough and covers more of the product’s functionality.
- EAL7 – Formally Verified Design and Tested: The highest assurance level, EAL7 applies to products where the high cost of rigorous formal development and verification can be justified (i.e., when it is critical to catch high-level vulnerabilities or design errors).
Note that a higher EAL doesn’t necessarily mean a system is more secure in a general sense; it just means that the system underwent more rigorous testing and verification according to the requirements of the Common Criteria. Higher security and more rigorous testing are often, but not exclusively, related. They should not be considered a one-to-one relationship.
What Is a Common Criteria Testing Laboratory?
A Common Criteria Testing Laboratory (CCTL) is an evaluation facility accredited by an authoritative body that conducts security evaluations of IT products and systems according to the Common Criteria for Information Technology Security Evaluation.
The Common Criteria is an international standard (ISO/IEC 15408) for evaluation that is done in a repeatable and documented manner.
A CCTL will, during operation, perform specific testing and evaluation functions:
- Evaluation: CCTLs conduct an independent and objective assessment of IT products and systems, assessing the design, implementation, and operational aspects of these products to determine their security features and capabilities.
- Documentation: The evaluations conducted by CCTLs involve the creation of detailed documentation to ensure the transparency and repeatability of the evaluation process. These documents often include a security target (a detailed specification of a specific product’s security objectives and requirements) and an evaluation assurance level (EAL) rating that indicates the depth and rigor of the evaluation.
- Certification Support: CCTLs help manufacturers prepare for and obtain Common Criteria certification for their products. This includes helping to navigate the certification process and ensuring that products meet the necessary security and assurance requirements.
CCTLs play a critical role in the global IT security ecosystem, providing independent verification of the security features of IT products and systems and fostering confidence among users and suppliers about the security of IT products.
How Does Common Criteria Relate to the NVLAP?
NVLAP is a program run by NIST to provide third-party accreditation to testing and calibration laboratories in response to legislative actions or requests from government agencies or private-sector organizations.
In the Common Criteria for IT Security Evaluation context, NVLAP accredited laboratories that conduct security testing of IT products. In the US, the specific program that deals with this is the CCTL program.
CCTLs are evaluated by NVLAP to ensure they are competent to test IT products for conformance to the Common Criteria standards. The evaluation process involves thoroughly examining a laboratory’s technical qualifications and competence for carrying out specific calibrations or tests.
Align With Common Criteria and NIST Standards with Lazarus Alliance
Seeking compliance with ISO, NIST, or Common Criteria standards? Lazarus Alliance has decades of experience working with industry and regulatory standards worldwide. Contact us today.