Product Security Guidance

Common Criteria

Establishing Common Criteria
Common Criteria Certification provides independent, objective validation of the security claims made for an IT product, and so of its reliability, quality, and trustworthiness. It is a standard that customers can rely on to help them make informed decisions about their IT purchases. Common Criteria frames specific information assurance goals, including defined levels of integrity, confidentiality, and availability for systems and data, accountability at the level of the individual user, and evidence that the stated goals are actually met. Common Criteria Certification is a requirement for hardware and software products used by the US federal government on national security systems.
The history of Common Criteria
The Common Criteria is a descendant of the US Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), published in 1983 and revised in 1985, which grew out of 1970s computer security research. TCSEC was informally known as the "Orange Book." Several years later Germany issued its own criteria, the Green Book, as did the British and the Canadians. A consolidated European standard for security evaluations, known as ITSEC, soon followed. The United States then joined the Europeans and Canadians to develop the international Common Criteria; work began in 1993 and version 1.0 was published in 1996. The version current when this page was written, 2.1, was issued in August 1999.

The Common Criteria is also published as the international standard ISO/IEC 15408. The international community has embraced the Common Criteria through the Common Criteria Recognition Arrangement (CCRA), under which the signatories agree to accept the results of Common Criteria evaluations performed in other CCRA member nations, up to the assurance level the arrangement covers. The National Information Assurance Partnership (NIAP), a joint effort of NIST and the NSA, was formed to administer the security evaluation program in the United States that uses the Common Criteria as its standard for evaluation.
Achieving Common Criteria Certification
Common Criteria Certification is a rigorous process that includes product evaluation by a third-party laboratory accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) to evaluate products against security requirements. The vendor states the product's security functional requirements in a Security Target, which may claim conformance to a predefined Protection Profile, and the laboratory verifies that the product meets them. The depth of that verification is set by one of the predefined Evaluation Assurance Levels (EALs): a higher EAL means more design evidence, more independent testing, and more scrutiny of the development process, not that the product offers more security functionality. Buyers should read the Security Target to see exactly what was evaluated, since functions outside its scope are not covered by the certificate.

For health care, financial services and other industries, the need for security is no less important. Whether they are protecting their customers' privacy or their intellectual and financial assets, assurance that networks, storage devices and communication lines are secure against hackers, viruses and other malicious activity is critical. Common Criteria Certification, while not a requirement outside the federal government, can provide that independent validation.