Common Criteria

How secure is a firewall, a smartcard chip or an operating system really? Manufacturer specifications answer this only to a limited extent, because marketing and verified properties are two different things. Common Criteria closes this gap: the standard has security claims about IT products verified by independent evaluation bodies using a uniform methodology. For procurement in sensitive areas, the certificate is often mandatory, and for everyone else it is a solid selection criterion.

What is Common Criteria?

Common Criteria for Information Technology Security Evaluation, or CC for short, is an international standard for evaluating the security properties of IT products, standardized as ISO/IEC 15408. It emerged in the 1990s from the consolidation of European and North American evaluation catalogs and has been maintained internationally ever since.

Three terms structure every evaluation: the Target of Evaluation is the product in a defined version and configuration. The Security Target describes which security functions the product is meant to deliver and under which assumptions. Protection Profiles define vendor-independent requirement catalogs for entire product classes, such as firewalls or signature cards, and thereby make certificates comparable.

Thanks to mutual recognition agreements, certificates are valid across national borders. In Germany, the Federal Office for Information Security (BSI) certifies on the basis of the evaluation reports of accredited evaluation bodies. At the European level, the EUCC certification scheme continues the CC methodology within the framework of the Cybersecurity Act.

How it works

The path to certification follows a clearly regulated process:

  • Defining security requirements: In the Security Target, the manufacturer describes the range of functions, the operating environment and the threats the product protects against. A recognized protection profile often serves as the basis.
  • Choosing the depth of evaluation: The Evaluation Assurance Levels EAL1 through EAL7 determine how thoroughly the product is examined. EAL1 confirms basic functional tests, intermediate levels require insight into design and development processes, and the highest levels demand partly formal, mathematically supported proofs. For commercial software, EAL4 is a common ceiling, while chip cards and security modules regularly reach higher levels.
  • Evaluation by the testing body: An accredited, independent evaluation body tests the product against the requirements. In addition to function, the evaluation also covers documentation, delivery channels and resistance to attacks of a defined effort, including penetration tests.
  • Certification by the national body: The certification body, the BSI in Germany, assesses the evaluation report and issues the certificate. It applies exclusively to the tested version in the tested configuration.
  • Maintaining the certificate: Updates and new versions require a reassessment or a regulated procedure for continuation. Without maintenance, a certificate becomes outdated along with the product.

Why it matters

  • Objective comparability: certificates based on the same protection profile make products from different manufacturers comparable by a uniform standard instead of weighing data sheets against each other.
  • Access to regulated markets: authorities and operators of sensitive infrastructure require certified components for certain product classes, for example in signature technology, smart metering or components for classified information.
  • Trust in the supply chain: the evaluation includes the development environment and delivery. This reduces the risk of manipulated or sloppily built products.
  • Reduced in-house effort: whatever an accredited evaluation body has already verified does not have to be tested again to the same depth by your own organization during the selection process.
  • Knowing the limits: the certificate evaluates a product; secure operation must be ensured by the organization using it. A misconfigured certified firewall protects no better than an uncertified one.

Typical scenarios

A federal agency procures VPN gateways to connect branch offices. The tender requires certification against a specific protection profile, which narrows the field of bidders to tested products and makes the award legally defensible.

A manufacturer of smartcard chips has its platform evaluated at a high EAL level because bank cards and official documents cannot be approved without this foundation. The certification runs over months in parallel with development.

A company uses CC certificates as a criterion in product selection: given two comparable network components, the evaluated product is preferred, and the tested configuration serves at the same time as a template for hardening in the company's own operations.

Common Criteria vs. ISO 27001

The two standards are frequently confused but examine different things. Common Criteria evaluates a product: a specific version with defined security functions at the time of evaluation. ISO 27001 certifies an organization: a management system for information security with processes, roles and continuous improvement.

This leads to a division of labor. An ISO 27001 certificate says nothing about the quality of individual products in use, and a CC certificate says nothing about the maturity of operations. In practice, the two interlock: an ISMS based on ISO 27001 defines requirements for procurement, and CC-certified components provide solid building blocks for it, complete with documented security assumptions.

KAEMI as your partner

KAEMI weighs certifications where they carry decisions: in the selection of components for secure enterprise networks. As part of the Professional Services , KAEMI supports tender criteria, the classification of protection profiles and EAL levels, and the alignment of the certified configuration with the planned use. This way, tested products feed into an architecture whose operation actually upholds the security assumptions. For an assessment of your requirements, reach us via the contact page .

Frequently asked questions about Common Criteria

What do the EAL levels mean in concrete terms?

The Evaluation Assurance Levels describe the depth of evaluation, from EAL1 with basic functional tests to EAL7 with a formally verified design. With each level, the requirements for development documentation, test coverage and attack resistance increase. Commercial software usually reaches up to EAL4; higher levels are the domain of chip cards, security modules and specially developed high-security components.

Is a product with a higher EAL level automatically more secure?

No. The EAL level measures the depth of the evaluation; the range of functions is defined in the Security Target. One product may demonstrate broad protection at EAL2, while another has only had a few functions tested at EAL5. Only the combination of protection profile, tested functions and level, related to your own intended use, is meaningful.

Who issues Common Criteria certificates in Germany?

The certificates are issued by the Federal Office for Information Security. The technical evaluation is carried out by independent evaluation bodies recognized by the BSI, whose reports the BSI assesses. Through international recognition agreements and the European EUCC scheme, German certificates are accepted in many other countries, which avoids duplicate evaluations for manufacturers.

For which products is Common Criteria common?

Typical product classes are those with a high protection need: smartcards and security chips, hardware security modules, signature and ID technology, firewalls and VPN gateways, operating systems, and components for authorities and critical infrastructure. For ordinary business applications, the effort is rarely worthwhile; there, other evaluation methods such as penetration tests or vendor audits are usually sufficient.

Do companies need Common Criteria for ISO 27001?

No, the standard does not require certified products. It calls for a regulated procurement process that defines security requirements for suppliers and products. CC certificates are a strong aid here: they demonstrate tested properties through independent bodies and make it easier to justify selection decisions to auditors, customers and your own management level.

Want to put this into practice in your own network? Talk to KAEMI, aligned to your requirements and with operations from a single source.