Friday, May 15, 2020

The Common Criteria Framework

Do you struggle with validation? I mean within yourself, not with others. How do you hold yourself to your own set of standards? Do you have standards? Maybe you are athletic, and as such you require yourself to run at least 6.5 miles every morning. This is your own standard – one that you set and hold yourself to as an athletic professional. When you stick to this criterion, you are validating yourself – and you probably feel GREAT when you go to bed at night, because you upheld your own vision and values, you went for your run, and you were your best self. As with my last 500 articles – what does this have to do with Cybersecurity?

First things first, we need to return to the evaluation requirement. Referring to my opening question, ‘How do you hold yourself to your own set of standards?’ – for me personally, my self-evaluation is based on my own criteria – having met or not met my standards – i.e., did I run my 6.5 miles or not? This is the basis for the international framework known as the Common Criteria. The Common Criteria is a standard for computer security certification that is globally recognized and was developed with the involvement of 6 different countries.

The CC offers what is considered an assurance evaluation, which measures the parts of a computer system that are pertinent to its security. InfoSec pros are familiar with terms such as the TCB (Trusted Computing Base), Reference Monitor, Kernel, and Access Control & Protection Mechanisms. There used to be several different processes and techniques for evaluating a system and assigning it an assurance level. Today, however, the Common Criteria is as globally known as the Coronavirus.

So, since this framework enables the user to specify security requirements, and the vendor to demonstrate how those requirements are satisfied – not to mention that independent labs can be involved to help verify those claims – the product in question will be assigned an Evaluation Assurance Level (EAL) prior to having been evaluated. There are seven levels of assurance in the Common Criteria framework, EAL 1-7.

I figured my readers would be less interested in the individual EAL levels, so I will leave it up to you to examine them if you are interested. Instead, I thought we would take a look at a real-world example. Take a look at this list of Common Criteria-certified products. Don't be surprised if you see your phone or computer on it =).

About the Author - Ashley Oliver


Ashley Oliver is an experienced Cybersecurity Consultant, Engineer, Mentor and Teacher based in the Central New York area. Ashley has over 10 years of experience and is a SME in several areas of security, including Network Security Engineering, Architecture, Policy, Standards, and Compliance. Ashley's rare and unique experience is based on her love for the Shell and for perfect design. Ashley has knowledge of NIST and is very proficient in Cybersecurity, Network Security, Next-Gen Firewalls, Layered Security, DLP, Encryption, IPSec, and more, and she is always more than willing to share and to teach.
