
Common Criteria and NIST Evaluation

The Common Criteria, recognized worldwide, provides a standardized framework for evaluating the security attributes of IT products and systems. From defining security requirements to testing and verifying products against these requirements, the Common Criteria assure that the evaluation process is rigorous, repeatable, and thorough.

To make the program work on a national basis, organizations in each participating country manage the certified laboratories that test against Common Criteria standards. In the United States, one such organization and program is the National Voluntary Laboratory Accreditation Program (NVLAP).

This article discusses the Common Criteria and how Common Criteria evaluations are managed under NVLAP.


What Is the Common Criteria?

The Common Criteria for Information Technology Security Evaluation (Common Criteria, or “CC” for short) is an international standard of structured evaluation methods for IT products and services. CC is recognized worldwide and mutually recognized by the 31 nations that have signed the Common Criteria Recognition Arrangement (CCRA).

The CC matters because it governs how a computer security product is specified, implemented, and evaluated, so that assessment results are consistently maintained and documented.

Common Criteria evaluations are conducted by licensed laboratories that are certified by national certification bodies. In the United States, for example, these national certification bodies are often authorized under NVLAP.


What Are the Components of a Common Criteria Evaluation?

The Common Criteria for Information Technology Security Evaluation (Common Criteria) sets a framework for evaluating the security attributes of IT products and systems. A Common Criteria evaluation is a rigorous and thorough process that has several key components:


What Are the Evaluation Assurance Levels of Common Criteria?

Common Criteria evaluations are performed at different assurance levels, ranging from EAL1 to EAL7. A higher EAL number represents a higher level of assurance but also implies more rigorous testing requirements, which can make the evaluation more time-consuming and costly. Rigor here refers specifically to the evaluation process: how in-depth and comprehensive the testing and evaluation of a particular product will be.

The seven levels of EALs include:

Note that a higher EAL doesn’t necessarily mean a system is more secure in a general sense; it just means that the system underwent more rigorous testing and verification according to the requirements of the Common Criteria. Higher security and more rigorous testing are often, but not exclusively, related. They should not be considered a one-to-one relationship. 


What Is a Common Criteria Testing Laboratory?

A Common Criteria Testing Laboratory (CCTL) is an evaluation facility accredited by an authoritative body that conducts security evaluations of IT products and systems according to the Common Criteria for Information Technology Security Evaluation.

The Common Criteria is an international standard (ISO/IEC 15408) for evaluation that is done in a repeatable and documented manner.

A CCTL will, during operation, perform specific testing and evaluation functions:

CCTLs play a critical role in the global IT security ecosystem, providing independent verification of the security features of IT products and systems and fostering confidence among users and suppliers about the security of IT products.


How Does Common Criteria Relate to the NVLAP?

NVLAP is a program run by NIST to provide third-party accreditation to testing and calibration laboratories in response to legislative actions or requests from government agencies or private-sector organizations.

In the context of the Common Criteria for IT Security Evaluation, NVLAP accredits the laboratories that conduct security testing of IT products. In the US, the specific program that handles this is the CCTL program.

CCTLs are evaluated by NVLAP to ensure they are competent to test IT products for conformance to the Common Criteria standards. The evaluation process involves thoroughly examining a laboratory’s technical qualifications and competence for carrying out specific calibrations or tests.


Align With Common Criteria and NIST Standards with Lazarus Alliance

Seeking compliance with ISO, NIST, or Common Criteria standards? Lazarus Alliance has decades of experience working with industry and regulatory standards worldwide. Contact us today.
