Common Criteria (CC) for Information Technology Security Evaluation

The Common Criteria for Information Technology Security Evaluation is a framework or set of standards to evaluate the security of computer systems. According to the United States Computer Emergency Readiness Team, the Common Criteria were developed by the United States, Canada, France, Germany, the Netherlands, and the United Kingdom (US-CERT, 2013).

This effort built on earlier standards, including Europe's Information Technology Security Evaluation Criteria (ITSEC), the United States' Trusted Computer System Evaluation Criteria (TCSEC), and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) (Caplan, 1999). The CC is an international standard (ISO/IEC 15408) for computer security. A Common Criteria evaluation provides an objective basis for validating that a particular product satisfies a defined set of security requirements.

Though the CC focuses on the evaluation of systems, it is also useful for the development of security requirements. Seven Common Criteria evaluation assurance levels (EALs) have been defined to indicate the different levels of security functional requirements.

References

Caplan, K., & Sanders, J. (1999). Building an international security standard. IT Professional, 1(2), 29–34. doi:10.1109/6294.774938

United States Computer Emergency Readiness Team (US-CERT). (2013). The common criteria. The United States Computer Emergency Readiness Team. https://www.us-cert.gov/bsi/articles/best-practices/requirements-engineering/the-common-criteria