What is Common Criteria?

One of the best ways to meet your cybersecurity and compliance requirements is by leveraging a product with the globally recognized Common Criteria certification.

Not familiar? Allow us to explain.

Below, we’ll walk you through the basics of Common Criteria evaluation. From what it is and why it’s important to how a certified product can help your business, let’s explore all there is to know.

The Common Criteria for Information Technology Security Evaluation — Common Criteria, or simply “CC” for short — is an international standard for computer security certification. Based on ISO/IEC 15408, its primary goal is to provide assurance that IT security products have been evaluated in a rigorous and repeatable manner. More specifically, it ensures each product goes through a testing process commensurate with its intended use case.

Originally, the CC certification process was developed to unify and supersede security certification schemes from various countries. This included the United States, Canada, Germany, the United Kingdom, France, Australia, and New Zealand. Now, as a comprehensive cybersecurity framework, it provides the widest mutual recognition of secure IT products worldwide.

Overview

Common Criteria-certified solutions are required by governments and enterprises around the world to protect their mission-critical infrastructures.

In fact, it’s often a prerequisite for qualified digital signature services under the European Union’s Electronic Identification and Trust Services regulation, better known as eIDAS. Additionally, U.S. government customers frequently request secure IT products that are listed by the National Information Assurance Partnership (NIAP), which requires Common Criteria evaluation.

Why? Because the Common Criteria standard provides assurance that certain aspects of product security have been thoroughly implemented, tested, maintained, and independently verified. Among its security requirements, the CC certification addresses:

• Product development and related security functions, including high-level design, architecture, and implementation
• Guidance for secure product deployment and preparation
• Life cycle management for documents and processes related to product configuration, delivery, and retirement
• Testing security functions according to their baseline requirement

Certification Authorities

As an international standard, Common Criteria is managed by a partnership of various countries through organizations called Certification Bodies. Each Certification Body is responsible for independently evaluating and certifying products against Common Criteria security requirements.

There are several terms and phrases unique to the Common Criteria standard. Here is a quick breakdown of each one and why they’re significant:

• Target of Evaluation (TOE): This simply refers to the product that undergoes the CC evaluation process.
• Security Target (ST): A Security Target is a document that defines the TOE’s security features and properties. The ST allows vendors to customize the evaluation to their solution’s specific capabilities, while also helping customers identify which security features have been tested. It may refer to one or more Protection Profiles (PPs)
• Protection Profile (PP): This is a document created to help identify the security requirements for a specific type of product, such as a Qualified Signature Creation Device. Vendors often use a Protection Profile as a baseline to create their own Security Target.
• Security Functional Requirements (SFRs): This refers to all of a product’s unique security functions and capabilities.
• Security Assurance Requirements (SARs): An SAR list is used to describe the steps required to ensure a product meets its claimed standards.
• Evaluation Assurance Level (EAL): An EAL is a numerical rating describing the depth and rigor of the evaluation process. More simply, it tells customers how strenuously a product was tested according to its Security Assurance Requirements. EALs exist in a range of 1 (being the most basic) to 7 (the most stringent).

All Common Criteria-certified products and solutions must be independently tested and verified according to a specific evaluation process:

1. The developer must first complete a Security Target description and submit any supporting documents that overview the product, its security functionality, and any potential vulnerabilities.
2. Optionally, the organization may choose a Protection Profile to serve as its guiding document throughout the CC certification process. Choosing a PP may not be necessary, but does signify a commitment to thorough evaluation, ensuring the TOE is aligned with the intended use case.
3. Next, an independently licensed Certification Body must evaluate the product to see if it meets the Common Criteria standard. Once complete, it compiles its findings into an evaluation report.
4. If the TOE meets its minimum requirement, a Certification Body issues a Common Criteria certificate.

Once verified, all Common Criteria-certified products are listed in the Common Criteria portal.

Entrust nShield hardware security modules (HSMs) deliver a secure root of trust that’s been tested and certified against the rigorous Common Criteria standard, helping you comply with regulations while also giving you the confidence you need in your security solution.

With a CC certification, our Solo XC, Connect X, and nShield 5HSMs are verified to meet the requirements of the EN 419 221-5 Common Criteria Protection Profile — the industry standard for all hardware security modules. Our solutions help provide you with security assurance, allowing you to generate eIDAS-compliant cryptographic assets.

These HSMs offer a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Available in three form factors and an as-a-service offering, Entrust nShield HSMs support a variety of deployment scenarios.

If you are looking to deploy an eIDAS-compliant remote signing service, Entrust also offers a Signature Activation Module (SAM) certified against Common Criteria CEN EN 419 241-2. You can combine it with one of our CC-certified HSMs to deploy an eIDAS-compliant Qualified Signature Creation Device (QSCD).