What Is Common Criteria? Security Definition
On This Page
Quick Definition
Common Criteria is a globally recognized standard that helps buyers and vendors assess the security of IT products like firewalls, operating systems, and smart cards. It provides a consistent way to define security requirements and evaluate whether a product meets those requirements. This helps organizations choose products with confidence that they have been tested by an independent laboratory.
Commonly Confused With
TCSEC is the older US Department of Defense standard for evaluating computer security, which used classes like C2 and B1. Common Criteria replaced TCSEC and is an international standard with more flexibility. TCSEC focused on operating systems, while Common Criteria covers many product types.
A system certified as TCSEC C2 would be roughly equivalent to a Common Criteria product evaluated to around EAL2–EAL3, but the two are not directly comparable because the evaluation criteria differ.
FIPS 140-2 is a US government standard that specifically evaluates cryptographic modules (encryption hardware and software). Common Criteria evaluates the overall security of a product, not just its cryptographic algorithms. A product might need both certifications: FIPS 140-2 for the crypto part and Common Criteria for the overall system security.
A VPN appliance might have a FIPS 140-2 certified cryptographic chip inside it, while the whole appliance is Common Criteria certified to EAL4+ for overall security.
ISO 27001 is a standard for an organization's Information Security Management System (ISMS), it certifies that an organization has a proper process for managing security. Common Criteria evaluates specific IT products, not the organization. An organization can be ISO 27001 certified and still use non-CC certified products.
A company that is ISO 27001 certified for its security processes might still require Common Criteria certification for the firewalls it buys to protect its network.
Must Know for Exams
Common Criteria appears prominently in the ISC2 CISSP exam, particularly in the Domain 3: Security Architecture and Engineering. The CISSP Common Body of Knowledge expects you to understand the term as part of evaluating and selecting security products. Exam questions often test your knowledge of the seven Evaluation Assurance Levels (EAL1–EAL7) and what each level represents. You may be asked to identify which EAL corresponds to a given level of rigor, such as 'structurally tested' (EAL2) or 'formally verified, designed and tested' (EAL7). Another common question type is about Protection Profiles and Security Targets: you need to know that a Protection Profile is a set of security requirements for a type of product, while a Security Target is the specific implementation of those requirements for a particular product. The exam also tests the concept of the Target of Evaluation (TOE). You may encounter questions about the recognition arrangements (CCRA) and how certificates are recognized among countries. The CC is also compared to other security evaluation frameworks like FIPS 140-2 (for cryptographic modules) and the Trusted Computer System Evaluation Criteria (TCSEC, the old 'Orange Book'). The CISSP exam expects you to know that CC replaced TCSEC and ITSEC and became the international standard.
For the CISSP, Common Criteria is not the most heavily tested topic, but it appears regularly enough that you need to be prepared. Questions are usually straightforward definitions, EAL hierarchies, or scenario-based choices about which product to select based on security requirements. For example, a scenario might describe a government agency that needs a product for 'low to moderate security assurance' and you have to choose between different EAL levels. Another question might ask about the purpose of a Protection Profile. You also need to understand that CC does not test a product's actual security effectiveness in operation, but rather the assurance that it was developed with a security process. This is an important nuance: CC is about process and evaluation rigor, not about the absence of vulnerabilities. In the CompTIA Security+ exam, CC appears less frequently but still shows up in the context of security assessment and evaluation standards. You might see a question about EAL levels or recognition arrangements. For the (ISC)² CISSP, the concept is more in-depth and you should be able to explain the components (TOE, ST, PP, EAL) and their relationships. The exam also touches on the limitations of CC, such as that it does not guarantee perfect security and that it does not replace vulnerability management. You might need to know that a CC certified product can still have vulnerabilities, and that the certification applies only to the specific version and configuration tested.
Simple Meaning
Imagine you are shopping for a high-security lock for your front door. You want to know if it can resist being picked, drilled, or bumped by burglars. Without a standard, each lock company would advertise their own tests, making it impossible to compare. Common Criteria works like a universal testing and rating system for security products. It defines a set of security levels, called Evaluation Assurance Levels (EAL), from EAL1 (basic testing) up to EAL7 (rigorous, formal verification). A product is tested by an independent laboratory against a specific security profile, called a Protection Profile, that describes exactly what security functions the product should have and how strongly they must be tested. For example, a smart card for government IDs might be evaluated to EAL4+, meaning it has been thoroughly tested against moderate threats. The result is a certificate that says: this product has been independently verified to meet a certain security level for a defined set of features. This saves you from having to trust a vendor's marketing claims. Instead, you can rely on an international standard that governments, banks, and large enterprises use to buy security products. It is a way to ensure that when a product says it is secure, it has actually been proven to be so by a neutral third party. The process covers the whole lifecycle, from design to development to final testing, so it is not just a one-time check but a thorough examination of the product's security architecture.
Think of it like a restaurant health inspection rating. You walk past two restaurants: one has an 'A' rating from the health department, the other has no rating. The 'A' gives you confidence that the kitchen is clean and food is handled properly. Common Criteria gives you that same confidence for security products. It is a trusted stamp of approval that stands behind a product's security claims. Governments often require Common Criteria certification before they will purchase a product, especially for systems that handle classified information. This standard helps everyone speak the same language when talking about security, whether you are a vendor, an evaluator, or a buyer. It removes confusion and provides a clear, objective measure of security assurance.
Full Technical Definition
Common Criteria (CC) is an international standard formally known as ISO/IEC 15408. It provides a structured framework for specifying security functional requirements (SFRs) and security assurance requirements (SARs) for IT products and systems. The evaluation is based on a Target of Evaluation (TOE), which is the product or system under assessment.
The process begins with the development of a Security Target (ST), a document that describes the TOE's security features, the assumed threat environment, and the specific security requirements it claims to meet. The ST references Protection Profiles (PPs), which are reusable, standardised sets of security requirements for a particular type of product, such as an operating system or a database management system. The evaluation is performed by an accredited, independent laboratory called a Commercial Evaluation Facility (CLEF).
The lab tests the TOE against the claims made in the ST. The evaluation covers seven Evaluation Assurance Levels (EAL1 through EAL7). EAL1 provides basic functional testing, while EAL7 involves formal verification of design and testing.
Most commercial products target EAL2 to EAL4, because higher levels are extremely expensive and require very formal development processes. The evaluation includes analysis of the product's design documentation, the development environment, configuration management, delivery procedures, and the product's behaviour in testing. For higher assurance levels, the evaluation includes formal models, semiformal and formal design descriptions, and covert channel analysis.
Once a product passes, it is granted a Common Criteria certificate, which is valid for a specific version of the product. The certificate lists the EAL, the PP it conforms to, and any augmented requirements. The certificate is published on the Common Criteria portal (commoncriteriaportal.
org). The CC is widely used by governments (e.g., the US NIAP, German BSI) and by regulated industries like finance and healthcare. It is complementary to other standards like FIPS 140-2 for cryptographic modules.
In practice, a product's CC certificate simplifies procurement because it pre-validates security claims, reducing the need for each buyer to perform their own deep security assessment. The CC also includes a Recognition Arrangement (CCRA) where signatory countries agree to mutually recognize certificates, which helps global trade of certified products. However, the mutual recognition does not always extend to higher EALs or specific national schemes, so buyers must verify local acceptance.
The CC does not evaluate a product's specific implementation of security features like encryption algorithms in detail, but rather the process and assurance that the product's security functions are correctly implemented. For cryptographic algorithm testing, a product might be certified under both CC (for process) and FIPS 140 (for algorithm correctness). IT professionals working with security architecture should understand that CC certification is a strong indicator of a product's security maturity, but it is not a guarantee against all vulnerabilities.
It provides evidence that the product has been developed with a security mindset and has passed rigorous independent testing.
Real-Life Example
Let's say you need to hire a bodyguard for a VIP event. You interview two candidates. Both claim to be 'highly trained' and 'security certified.' One shows you a certificate from an internationally recognized bodyguard academy that requires 300 hours of training, a written test, a practical test, and a background check. The other just shows a self-printed certificate from an online course that took two hours. Which one do you trust? This is exactly what Common Criteria does for IT security products. The first bodyguard's certificate is like an EAL4+ certification: it means a reputable third party has thoroughly tested the candidate. The second certificate is like a vendor's own security claim with no independent verification.
Now, imagine you are a government agency buying a firewall to protect sensitive data. You cannot just trust the vendor's marketing brochure. You need a firewall that has been evaluated by a trusted lab against known security standards. Common Criteria provides that evaluation. You can look up a certified firewall's EAL level and the Protection Profile it meets. For example, you might need a firewall that meets the 'Network Device Protection Profile' at EAL4+. That means a lab has tested that the firewall handles access control, implements secure administration, protects audit logs, and so on, to a high standard. Without CC, you would have to either trust the vendor's claims or spend huge sums of money doing your own evaluation.
In the real world, many governments (like the US, UK, Germany, and Australia) require CC certification for any product used in government networks. It has become a de facto standard for high-security procurement. For example, smart cards used for employee badges in government buildings are usually CC certified. Operating systems like Microsoft Windows have been CC certified for certain security profiles. This certification gives buyers confidence that the product has been independently verified and that the vendor follows secure development practices. It also provides a common language: when a security architect says 'we need an EAL4+ certified firewall,' everyone understands the minimum level of assurance required. The certification process is rigorous and time-consuming, but it pays off in reduced risk for organizations that handle sensitive data.
Why This Term Matters
Common Criteria matters because it moves security decisions from trust to verification. In IT, you constantly rely on products built by others. Without Common Criteria, you have no independent proof that those products are secure. You rely on vendor promises, which can be biased or incomplete. For a security architect, knowing that a product has CC certification reduces uncertainty. It provides a documented, repeatable, and independent assessment of the product's security capabilities. This is crucial when building systems that need to meet regulatory requirements or protect sensitive data. For example, if you are designing a system that handles credit card data (PCI DSS), you might require CC certified components to demonstrate due diligence. Common Criteria also helps standardize security requirements across different products. Instead of writing a unique security specification for every firewall you buy, you can reference a Protection Profile that many vendors can meet. This saves time and ensures consistency.
Another reason CC matters is its role in procurement. Government agencies, defense departments, and large enterprises often mandate CC certification for products in high-security environments. If your organization sells products to such buyers, having CC certification can be a competitive advantage. It shows that you have invested in independent security validation. For IT professionals, understanding CC helps you read and interpret product certifications. It allows you to compare products based on objective assurance levels rather than marketing hype. You can ask: 'Is this product certified under CC? At what EAL? Which Protection Profile does it meet?' These questions lead to better security decisions. Finally, CC is important for risk management. While no certification can guarantee perfect security, CC certification gives you a baseline of assurance. It tells you that the product has been tested against known threats and that the vendor follows secure development practices. This helps you allocate your security budget more effectively: you can focus your own penetration testing and vulnerability assessments on the highest-risk areas, knowing that the core product has already been independently evaluated.
How It Appears in Exam Questions
In the CISSP exam, Common Criteria questions often present a scenario where an organization needs to evaluate a security product. For example: 'Your organization is a government contractor that needs to procure a new firewall. The contract specifies that the firewall must have been evaluated by an independent laboratory against a standard security baseline. Which standard is being referenced?' The correct answer would be Common Criteria. Another question might ask: 'What is the relationship between a Protection Profile (PP) and a Security Target (ST)?' The answer: A PP defines security requirements for a product class, while an ST applies those requirements to a specific product. A more challenging question could ask: 'A product is evaluated to EAL2. Which of the following best describes the assurance level?' Answer: Structurally tested. You need to remember that EAL1 is functionally tested, EAL2 is structurally tested, EAL3 is methodically tested and checked, EAL4 is methodically designed, tested, and reviewed, and so on up to EAL7.
Another frequent question format is: 'Which of the following is the best reason for using Common Criteria when selecting a security product?' The correct answer is that it provides an independent, standardized assurance of the product's security. A distractor might be that it tests the product's resistance to all known attacks, which is not true. Questions about the Common Criteria Recognition Arrangement (CCRA) might ask: 'Under the CCRA, how are Common Criteria certificates recognized among participating countries?' The answer: Certificates are mutually recognized, but national validation is still required for the highest assurance levels. Scenario-based questions might involve choosing a product for a specific security need. For example: 'You need to select a database management system for a system that will store classified military data. The security requirement is for a product that has been formally verified. Which EAL level is most appropriate?' Answer: EAL7. Another type of question asks about the difference between Common Criteria and other standards. 'What is the primary advantage of Common Criteria over the older TCSEC (Orange Book)?' Answer: Common Criteria is international and more flexible, covering a wider range of products and allowing for different assurance levels. You might also see a question about evaluation labs: 'Who performs Common Criteria evaluations?' Answer: Accredited independent laboratories (CLEFs). These questions test not just memorization but also your ability to apply CC concepts to real-world procurement and security architecture decisions.
Study CISSP
Test your understanding with exam-style practice questions.
Example Scenario
You are the IT security officer for a medium-sized financial company. The company needs to buy a new two-factor authentication system for employee access to the corporate network. The vendor of System A claims their product is 'extremely secure' on their website but has no independent certification. The vendor of System B offers a product that is Common Criteria certified to EAL4+ and meets the 'Certificate-Based Authentication Protection Profile.' You have to decide which product to recommend to management. System A might be cheaper and have great marketing, but you cannot verify its security claims. System B has been tested by an independent laboratory against a standard security profile. The evaluation process included a review of the product's design, source code analysis for higher assurance levels, and thorough functional testing. The certificate is published on the public Common Criteria portal, so you can read exactly what was evaluated and the scope of the certification. You also know that the certification covers only that specific version of the product, so you will need to ensure that any future updates are also certified or at least not introduce new vulnerabilities.
You present your recommendation to the board: go with System B. The board asks why it is worth the extra cost. You explain that CC certification reduces the risk of a security breach caused by a flaw in the authentication system. It also meets compliance requirements for financial regulators who expect due diligence in security product selection. If the authentication system is breached, the company could face legal liability. Having chosen a CC-certified product demonstrates that you followed industry best practices. You also mention that the certification provides ongoing value because the evaluation process requires the vendor to have secure development and update processes. This means future patches are more likely to be secure. In the end, the company chooses System B, and you are confident you made the right security decision based on independent evidence.
Common Mistakes
Thinking that Common Criteria certification guarantees a product has no vulnerabilities.
Common Criteria evaluates the development and testing process, not the absence of all vulnerabilities. Even highly certified products can have bugs or be misconfigured. CC provides assurance about the security process, not a guarantee of flawlessness.
Understand that CC certification is about process assurance. Always combine CC with ongoing vulnerability management, patching, and proper configuration.
Confusing EAL levels with security functionality level. For example, thinking EAL7 is always better than EAL4 for every use case.
EAL levels measure assurance (how thoroughly the product was tested), not the amount of security features. A product at EAL4 might have strong encryption and access control, while an EAL7 product might have fewer features but be more rigorously verified. The right EAL depends on the risk environment.
Select EAL based on the product's intended use and threat level. For most commercial applications, EAL2 to EAL4 is sufficient. Higher levels are for extreme security needs like classified military systems.
Believing that Common Criteria certification applies to all versions of a product indefinitely.
A CC certificate is valid only for the specific version of the product that was tested. If the vendor releases an update, the certification does not automatically apply to the new version. The product may need to be re-evaluated or the new version must be shown to not impact security.
Always check that the CC certificate matches the exact product version and configuration you intend to use. Track any updates and require re-certification for major changes.
Assuming that all Common Criteria certificates are universally recognized across all countries for all EAL levels.
The CC Recognition Arrangement (CCRA) ensures mutual recognition, but this is typically limited to EAL2 through EAL4 certificates. Higher levels (EAL5 and above) often require additional national validation. Different countries may also have their own evaluation schemes with specific requirements.
When procuring for a multinational organization, verify the certificate's recognition in each country where the product will be used. Check the national cybersecurity authority for specific requirements.
Exam Trap — Don't Get Fooled
{"trap":"A question asks you to identify the highest Evaluation Assurance Level (EAL). Many learners see 'EAL7' and think that is always the best choice for every scenario. The trap is that the question might present a scenario where a lower EAL is actually more appropriate due to cost, timeline, or the product's intended use."
,"why_learners_choose_it":"Learners are conditioned to think that 'higher is better' in many contexts (like security levels). They may not consider that EAL7 is extremely expensive and typically only used for high-classified systems. In a commercial exam scenario, the correct answer might be EAL4 because it balances cost and assurance."
,"how_to_avoid_it":"Read the scenario carefully. Look for clues about the threat environment, budget, and regulatory requirements. If the scenario mentions 'commercial' or 'moderate security,' a higher EAL is likely overkill.
Understand that EAL is about assurance rigour, not feature richness. Always match the EAL to the specific security needs described."
Step-by-Step Breakdown
Determine the need for a security evaluation
An organization identifies a need to procure a security product, such as a firewall, smart card, or operating system. The buyer decides that independent verification of security is required, often due to regulatory compliance or high-security requirements.
Select a Protection Profile (PP)
The buyer or vendor defines a Protection Profile, which is a standardized set of security requirements for a class of products. For example, a 'Firewall Protection Profile' might specify requirements for packet filtering, logging, and administration. Using a PP ensures the evaluation is consistent across similar products.
Develop the Security Target (ST)
The product vendor writes a Security Target document. The ST describes the specific security functions of the product (the Target of Evaluation) and how it meets the requirements of the chosen Protection Profile. The ST includes the intended environment, threats, and security objectives.
Engage an accredited evaluation lab (CLEF)
The vendor contracts an independent, accredited Commercial Evaluation Facility (CLEF). The lab is the neutral third party that will perform the testing. The lab reviews the ST and plans the evaluation process based on the claimed EAL level.
Perform evaluation activities
The lab tests the product against the claims in the ST. This includes analyzing design documents, source code (for higher EALs), configuration management, delivery procedures, and conducting functional and penetration tests. The deeper the EAL, the more rigorous and formal the activities become.
Produce the Evaluation Technical Report (ETR)
After testing, the lab writes a detailed report summarizing the evaluation results, including any issues found and how they were resolved. The ETR is submitted to the national certification body for review.
Grant the Common Criteria certificate
If the evaluation is successful, the certification body issues a Common Criteria certificate for the product. The certificate lists the product name, version, EAL level, Protection Profile, and other relevant details. The certificate is published on the Common Criteria portal for public viewing.
Practical Mini-Lesson
Understanding how Common Criteria works in practice is essential for security architects and procurement professionals. Let us walk through an actual scenario using a firewall product. Suppose your company needs a firewall to protect its data center. You find two products: Firewall A is CC certified to EAL2, and Firewall B is CC certified to EAL4+ with a Protection Profile for network devices. Which one do you choose? EAL2 provides assurance that the product has been structurally tested, meaning its design is sound and basic penetration testing has been done. That might be fine for a low-risk environment. But if your data center handles sensitive customer data subject to GDPR, you may need the higher assurances of EAL4+, which includes middle-level design review and more rigorous testing. The EAL4+ firewall will have had its security mechanisms more thoroughly examined. However, you also need to check the Protection Profile. The Network Device Protection Profile ensures the firewall meets specific requirements for network security, like secure management, packet filtering, and audit logging. Just having EAL4+ without a matching PP might not guarantee the firewall has the right features.
In practice, IT professionals should learn how to read a Common Criteria certificate. You can go to the Common Criteria portal and search for a product. The certificate entry includes the ST, the PP, the date of certification, and any limitations. It also states the exact version that was tested. The certification applies to that specific version. If the firewall later receives a firmware update, the certification does not automatically cover the new version. The vendor may need to have the update evaluated as a 'maintenance' evaluation, which is less rigorous but still necessary. This is where professionals often make mistakes: they assume that as long as the product line is certified, any version is equally secure. Not true. Another practical aspect is the cost of certification. For a vendor, getting a product certified can cost tens of thousands to hundreds of thousands of dollars, plus months of effort. That cost is often passed to the buyer. So you need to decide if the extra cost of certified products is worth the risk reduction.
Configuration is also important. The evaluation is done on a specific configuration (hardware version, firmware version, features enabled). If you deploy the product with different settings (e.g., disabling logging or enabling extra features not tested), you may be using the product outside its certified scope. This could void the security assurance. Always deploy the product as evaluated, and only make changes that are explicitly allowed in the ST. Finally, Common Criteria should be seen as one piece of a larger security strategy. It does not replace continuous monitoring, patching, and secure configuration. It provides a strong foundation, but you still need to protect your system from new vulnerabilities discovered after certification. The practical takeaway is: use CC certification as a due diligence tool, but do not stop there. Combine it with your own risk assessment, penetration testing, and security operations.
Memory Tip
Remember the seven EAL levels by memorizing the mnemonic "Every Apple Can Munch A Delicious Green Fruit", E1 through E7, but only the first letters help. Better: think of EAL as a staircase: E1 (basic functional test), E2 (structural), E3 (methodical), E4 (design), E5 (semiformal), E6 (formal), E7 (full formal).
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Related Glossary Terms
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
What is the difference between Common Criteria and ISO 27001?
Common Criteria evaluates the security of specific IT products (like firewalls and smart cards). ISO 27001 evaluates an organization's overall security management processes. They are complementary but different.
Is a Common Criteria certified product completely secure?
No. CC certification means the product has been independently tested against a defined set of security requirements and that the development process was sound. It does not guarantee the absence of all vulnerabilities, especially those discovered after certification.
What EAL level do I need for a commercial product?
Most commercial products are certified to EAL2 or EAL4. EAL2 is sufficient for low-risk environments. EAL4 is common for moderate to high-security needs. Higher levels like EAL5–7 are reserved for military or classified systems due to high cost.
Does Common Criteria certification expire?
Certificates are typically valid for a specific product version. They do not expire but become outdated when the product is updated. New versions require at least a maintenance evaluation. Always check the certificate for the exact version tested.
Who performs Common Criteria evaluations?
Evaluations are conducted by accredited, independent laboratories called Commercial Evaluation Facilities (CLEFs). These labs are approved by national certification bodies like NIAP (US) or BSI (Germany).
Can I find Common Criteria certified products online?
Yes. The official Common Criteria portal at commoncriteriaportal.org has a searchable list of certified products with details. This is a reliable resource for procurement decisions.
Summary
Common Criteria (ISO 15408) is the international standard for evaluating the security of IT products. It provides a consistent, independent method for determining whether a product meets a defined set of security requirements. The system uses Protection Profiles (standardized security specs for product types), Security Targets (a product's specific claims), and Evaluation Assurance Levels (EAL1–EAL7) that indicate the rigor of testing. Common Criteria is especially important for security architecture because it helps professionals make informed procurement decisions based on independent assurance, not vendor marketing. For organizations that handle sensitive data or must comply with regulations, requiring Common Criteria certification is a strong due diligence step.
In the context of exams like the CISSP, you need to understand the key components, the EAL hierarchy, and how CC fits into the broader landscape of security evaluation standards. Remember that CC is about process assurance, not vulnerability elimination. The exam will test your ability to apply CC concepts to scenarios, such as selecting the right EAL for a given threat environment or distinguishing between Protection Profiles and Security Targets. Common mistakes include confusing EAL levels with security functionality, thinking certification covers all versions, and assuming certificates are universally recognized. By mastering these nuances, you will be well-prepared for exam questions and for practical security architecture work in the real world.