Did you know that 88% of organizations worldwide experienced spear-phishing attempts in 2019? Or that data breaches exposed 36 billion records in the first half of 2020? As technology advances, cybersecurity products and systems are becoming increasingly important. But who examines whether these products actually operate as their vendors claim? One answer is Common Criteria. It defines an objective evaluation process for validating that a particular IT product or system satisfies a defined set of security requirements. To give you a better idea of the Common Criteria evaluation process, we have collected the most essential information in the article below.

Purpose of Common Criteria evaluation for your products

The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (ISO/IEC 15408) for cybersecurity certification. It provides assurance that the specification, implementation, and evaluation of an IT product or system were carried out in a rigorous, standardized, and repeatable way, at a level appropriate to the intended operational environment. The vendor states what the product claims to protect and how in a Security Target (ST), often by conforming to a Protection Profile (PP) written for that product type, and an accredited, independent laboratory checks the product against those claims. The process that the eligible IT product or system has to go through in order to get CC certified is called Common Criteria evaluation.

If you are thinking of getting your product Common Criteria certified, these are the benefits you can count on:

  • Competitiveness: Common Criteria evaluation and certification is often a precondition for competing with similar cybersecurity solutions that have already been certified, since many buyers shortlist only certified products.
  • Improvement and cost-effectiveness: The thorough evaluation, which includes an independent vulnerability analysis of the product, may uncover weaknesses that can be fixed before the product is released to the market, avoiding costly post-release modifications.
  • New business opportunities: Getting your product or system CC certified can open up new business opportunities, for instance in the governmental sector, where procurement rules may require certification.

What are the Common Criteria Evaluation Assurance Levels and what do they mean?

Common Criteria evaluations are performed against a set of Evaluation Assurance Levels (EALs). An EAL indicates how thoroughly the IT product under evaluation (the Target of Evaluation, or TOE) has been examined and tested. There are seven EALs, with EAL1 being the lowest level of evaluation and EAL7 the highest. Note that a higher EAL does not by itself mean that the product is more secure: the EAL measures the depth and rigor of the assurance activities (design documentation, testing, and vulnerability analysis), not the strength of the security functionality, which is defined separately in the Security Target. A higher EAL does mean that the product has undergone more, and more formal, examination, and that the evaluator's vulnerability analysis assumed a more capable attacker. When comparing certified products, also check the scope of the TOE in the Security Target: the TOE can be only part of the commercial product, and the certificate covers only that scope in its evaluated configuration.

Common Criteria Evaluation Assurance Levels:

  • EAL1: Functionally Tested
  • EAL2: Structurally Tested
  • EAL3: Methodically Tested and Checked
  • EAL4: Methodically Designed, Tested, and Reviewed
  • EAL5: Semi-Formally Designed and Tested
  • EAL6: Semi-Formally Verified Design and Tested
  • EAL7: Formally Verified Design and Tested

What are the most frequent EALs?

In 2021 a total of 411 IT products and systems were CC certified globally, which shows that certification is pursued by a niche segment of industry players. According to the newest Common Criteria Statistic Report, 22.63% of all Common Criteria evaluations were low assurance evaluations (EAL1-EAL3); the most frequent low assurance level was EAL2, with 71 certifications. 169 high assurance evaluations (EAL4-EAL7) were carried out, of which EAL4 was the most common with 77 evaluations. The certificates that fall into neither group are typically those issued against a Protection Profile without an EAL claim, which is the usual form for collaborative Protection Profile (cPP) based evaluations.

Which type of products go through the Common Criteria evaluation process most often?

Since 2010 a total of 1665 IT products have been certified, of which 589 were ICs, Smart Cards, and Smart Card-Related Devices and Systems. The other frequent product categories are Network and Network-Related Devices with 237 and Multi-Function Devices with 233 CC certifications. Besides these, numerous Operating Systems, Databases, Access Control Devices, and Boundary Protection Devices and Systems have successfully completed the Common Criteria evaluation process.

As you can see, Common Criteria evaluation is not a simple process, so if you are planning to get your product or system certified, we recommend consulting an experienced Common Criteria consultant in advance to be prepared. In particular, choosing the right Protection Profile and EAL and scoping the TOE before development starts saves both evaluation time and rework.