Encyclopedia > Common Criteria

  Article Content

Common Criteria

The Common Criteria (CC) is an international standard (ISO 15408) for computer security. Its purpose is to allow users to specify their security requirements, to allow developers to specify the security attributes of their products, and to allow evaluators to determine if products actually meet their claims.

Table of contents

Usage

The CC defines a common set of potential security requirements, divided into functional requirements and assurance requirements. The CC also defines two kinds of documents that can be built using this common set:

  • Protection Profiles (PPs). A PP is a document created by a user or user community, and identifies user security requirements.
  • Security Targets (STs). An ST is a document, typically created by a system developer, that identifies the security capabilities of a particular product. An ST may claim to implement zero or more PPs.

Often, users desire an independent evaluation of a product (termed the Target of Evaluation, or TOE) to show that the product does, in fact, meet the claims in an ST. The CC is specifically written to support this independent evaluation.

The CC also predefines sets of assurance requirements, termed Evaluation Assurance Levels (EALs). These EALs are numbered 1 to 7, with higher EALs requiring increasing levels of evaluation effort. The notion is that higher EAL levels gain more assurance, but cost more time and money to independently evaluate. Higher EAL levels do not necessarily imply "better security", they only mean that the claimed security of the TOE has been more extensively validated.

History

The CC originated out of two standards -- ITSEC[?], a European standard, developed in the early 1990s by the UK, France, the Netherlands, Germany, and also used by some other countries, e.g. Australia; TCSEC (also called the "Orange Book"), the US standard, and CTCPEC, the Canadian standard.

CC was produced by unifying these pre-existing standards, so that companies selling computer products for defence or intelligence use would only need to have them evaluated against one set of standards. The CC was developed by the governments of the UK, France, the Netherlands, Germany, the US, and Canada.

Mutual Recognition Arrangement

As well as the Common Criteria standard, there is also a sub-treaty level Common Criteria MRA (Mutual Recognition Arrangement), whereby each party thereto recognizes evaluations against the Common Criteria standard done by other parties. Originally signed in 1998 by the United States, Canada, France, Germany and the United Kingdom, Australia and New Zealand joined 1999, followed by Norway, Spain, the Netherlands, Italy, Greece, Finland, and Israel in 2000. The Arrangement has since been renamed Common Criteria Recognition Arrangement (CCRA).

External Links



All Wikipedia text is available under the terms of the GNU Free Documentation License

 
  Search Encyclopedia

Search over one million articles, find something about almost anything!
 
 
  
  Featured Article
DB

...   Contents DB DB can mean the following: dB is the abbreviation for Decibel; see Bel DB is a French automobile maker; see DB (car) DB is the abbreviation for ...

 
 
 
This page was created in 27.9 ms