Professional Documents
Culture Documents
143
On: 09 May 2023
Access details: subscription number
Publisher: CRC Press
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: 5 Howick Place, London SW1P 1WG, UK
Publication details
https://www.routledgehandbooks.com/doi/10.1081/E-EIA-120046535
Debra S. Herrmann
Published online on: 21 Dec 2010
How to cite :- Debra S. Herrmann. 21 Dec 2010, Common Criteria: IT Security Evaluation from:
Encyclopedia of Information Assurance CRC Press
Accessed on: 09 May 2023
https://www.routledgehandbooks.com/doi/10.1081/E-EIA-120046535
This Document PDF may be used for research, teaching and private study purposes. Any substantial or systematic reproductions,
re-distribution, re-selling, loan or sub-licensing, systematic supply or distribution in any form to anyone is expressly forbidden.
The publisher does not give any warranty express or implied or make any representation that the contents will be complete or
accurate or up to date. The publisher shall not be liable for an loss, actions, claims, proceedings, demand or costs or damages
whatsoever or howsoever caused arising directly or indirectly in connection with or arising out of the use of this material.
Common Criteria: IT Security Evaluation
Debra S. Herrmann
Technical Advisor for Information Security and Software Safety, Office of the Chief Scientist,
Federal Aviation Administration (FAA), Washington, District of Columbia, U.S.A.
Downloaded By: 10.3.97.143 At: 23:06 09 May 2023; For: 9781351235808, entry61, 10.1081/E-EIA-120046535
Abstract
This entry introduces the Common Criteria (CC) by describing the historical events that led to their
development, delineating the purpose and intended use of the CC and, conversely, situations not covered
by the CC, explaining the major concepts and components of the CC methodology and how they work,
discussing the CC user community and stakeholders, looking at the future of the CC.
To develop and acquire methodologies, techniques, security policy model, trusted computing base, and
Controls
Common –
Controls
508 Common Criteria: IT Security Evaluation
Table 2 Summary of Orange Book Trusted Computer System Evaluation Criteria (TCSEC) divisions.
Evaluation division Evaluation class Degree of trust
A—Verified protection A1—Verified design Highest
B—Mandatory protection B3—Security domains
B2—Structured protection
B1—Labeled security protection
C—Discretionary protection C2—Controlled access protection
C1—Discretionary security protection
Downloaded By: 10.3.97.143 At: 23:06 09 May 2023; For: 9781351235808, entry61, 10.1081/E-EIA-120046535
increase; and the time to evaluate them would addressed in a very limited context—that of restrictions
decrease, especially given the emergence of the global on unauthorized physical access to security equipment and
economy. prevention of and resistance to unauthorized physical mod-
There has been some confusion that the term IT product ification or substitution of such equipment.[6] Personnel
only refers to plug-and-play commercial off-the-shelf security issues are not covered at all; instead, they are
(COTS) products. In fact, the CC interprets the term IT generally handled by assumptions made in the PP. The
product quite broadly, to include a single product or multi- CC/CEM does not address C&A processes or criteria.
ple IT products configured as an IT system or network. This was specifically left to each country and/or govern-
The standard lists several items that are not covered and ment agency to define. However, it is expected that CC/
considered out of scope:[7] CEM evaluation results will be used as input to C&A. The
Downloaded By: 10.3.97.143 At: 23:06 09 May 2023; For: 9781351235808, entry61, 10.1081/E-EIA-120046535
Administrative security measures and procedural con- MAJOR COMPONENTS OF THE METHODOLOGY
trols generally associated with operational security AND HOW THEY WORK
(OPSEC) are not addressed by the CC/CEM. Likewise,
the CC/CEM does not define how risk assessments should The three-part CC standard (ISO/IEC 15408) and the CEM
be conducted, even though the results of a risk assessment are the two major components of the CC methodology, as
are required as an input to a PP.[7] Physical security is shown in Fig. 1.
Common –
Controls
and elements and elements
- Definition of standard EAL
packages
CEM-97/017 Part 1
- Terminology and concepts
- Description of CEM
- Evaluation principles and roles
CEM-99/045 Part 2
- Standardized application and
execution of CC Part 3
requirements
- Evaluation tasks, activities, and
work units
Classes
Protection Profiles (PPs) Families
Security Targets (STs) Components
Targets of Evaluation (TOEs) Elements
Packages
Eleven security functional classes, 67 security func-
A Protection Profile, or PP, is a formal document that tional families, 138 security functional components, and
expresses an implementation-independent set of security 250 security functional elements are defined in Part 2.
requirements, both functional and assurance, for an IT Fig. 2 illustrates the relationship between classes, families,
product that meets specific consumer needs.[7] The process components, and elements.
of developing a PP helps a consumer to elucidate, define, A class is a grouping of security requirements that share
and validate their security requirements, the end result of a common focus; members of a class are referred to as
which is used to 1) communicate these requirements to families.[7] Each functional class is assigned a long name
potential developers and 2) provide a foundation from and a short three-character mnemonic beginning with an
which a security target can be developed and an evaluation “F.” The purpose of the functional class is described and a
conducted. structure diagram is provided that depicts the family mem-
A Security Target, or ST, is an implementation- bers. ISO/IEC 15408-2 defines 11 security functional
dependent response to a PP that is used as the basis classes. These classes are lateral toone another; there is
for developing a TOE. In other words, the PP specifies no hierarchical relationship among them. Accordingly, the
security functional and assurance requirements, while standard presents the classes in alphabetical order. Classes
an ST provides a design that incorporates security represent the broadest spectrum of potential security func-
mechanisms, features, and functions to fulfill these tions that a consumer may need in an IT product. Classes
requirements. are the highest-level entity from which a consumer begins
A Target of Evaluation, or TOE, is an IT product, to select security functional requirements. It is not
system, or network and its associated administrator and expected that a single IT product will contain SFRs from
user guidance documentation that is the subject of an all classes. Table 3 lists the security functional classes.
evaluation.[7–9] A TOE is the physical implementation of A functional family is a grouping of SFRs that share
Common –
Controls
an ST. There are three types of TOEs: monolithic, compo- security objectives but may differ in emphasis or rigor. The
nent, and composite. A monolithic TOE is self-contained; members of a family are referred to as components.[7] Each
it has no higher or lower divisions. A component TOE is
the lowest-level TOE in an IT product or system; it forms
part of a composite TOE. In contrast, a composite TOE is
Class A
the highest-level TOE in an IT product or system; it is
composed of multiple component TOEs.
A package is a set of components that are combined
together to satisfy a subset of identified security objec- Family 1 Family 2 Family x
tives.[7] Packages are used to build PPs and STs.
Packages can be a collection of functional or assurance
requirements. Because they are a collection of low-level
Component 1 Component 2 Component x
requirements or a subset of the total requirements for an IT
product or system, packages are intended to be reusable.
Evaluation assurance levels (EALs) are examples of
predefined packages. Element 1 Element 2 Element x
Part 2 of ISO/IEC 15408 is a catalog of standardized
security functional requirements, or SFRs. SFRs serve Fig. 2 Relationship between classes, families, components, and
many purposes. They[7–9] 1) describe the security behavior elements.
Common Criteria: IT Security Evaluation 511
FMT Security management Management of security attributes, data, and functions and definition of security roles
FPR Privacy Protect users against discovery and misuse of their identity
FPT Protection of the TSF Maintain the integrity of the TSF management functions and data
FRU Resource utilization Ensure availability of system resources through fault tolerance and the allocation of services by
priority
FTA TOE access Controlling user session establishment
FTP Trusted path/channels Provide a trusted communication path between users and the TSF and between the TSF and
other trusted IT products
functional family is assigned a long name and a assurance families, and 93 security assurance components
three-character mnemonic that is appended to the func- are defined in Part 3.
tional class mnemonic. Family behavior is described. A class is a grouping of security requirements that
Hierarchics or ordering, if any, between family members share a common focus; members of a class are referred
is explained. Suggestions are made about potential OPSEC to as families.[7] Each assurance class is assigned a long
management activities and security events that are candi- name and a short three-character mnemonic beginning
dates to be audited. with an “A.” The purpose of the assurance class is
Components are a specific set of security requirements described and a structure diagram is provided that depicts
that are constructed from elements; they are the smallest the family members. There are three types of assurance
selectable set of elements that can be included in a classes: 1) those that are used for Protection Profile or
Protection Profile, Security Target, or a package.[7] Security Target validation, 2) those that are used for TOE
Components are assigned a long name and described. conformance evaluation, and 3) those that are used to
Hierarchical relationships between one component and maintain security assurance after certification. ISO/IEC
another are identified. The short name for components 15408-3 defines ten security assurance classes. Two
consists of the class mnemonic, the family mnemonic, classes, APE and ASE, evaluate PPs and STs, respec-
and a unique number. tively. Seven classes verify that a TOE conforms to its
Common –
Controls
An element is an indivisible security requirement that PP and ST. One class, AMA, verifies that security assur-
can be verified by an evaluation, and it is the lowest-level ance is maintained between certification cycles. These
security requirement from which components are con- classes are lateral to one another; there is no hierarchical
structed.[7] One or more elements are stated verbatim for relationship among them. Accordingly, the standard
each component. Each element has a unique number that is presents the classes in alphabetical order. Classes repre-
appended to the component identifier. If a component has sent the broadest spectrum of potential security assurance
more than one element, all of them must be used. measures that a consumer may need to verify the integrity
Dependencies between elements are listed. Elements are
the building blocks from which functional security require-
ments are specified in a protection profile. Fig. 3 illustrates
the standard CC notation for security functional classes,
families, components, and elements.
Part 3 of ISO/IEC 15408 is a catalog of standardized functional 3-letter 1-digit
security assurance requirements or SARs. SARs define the requirement family code element
number
criteria for evaluating PPs, STs, and TOEs and the security 2-letter 1-digit
assurance responsibilities and activities of developers and class code component
number
evaluators. The CC organize SARs in a hierarchical struc-
ture of security assurance classes, families, components, Fig. 3 Standard notation for classes, families, components, and
and elements. Ten security assurance classes, 42 security elements.
512 Common Criteria: IT Security Evaluation
of the security functions performed by an IT product. An element is an indivisible security requirement that
Classes are the highest-level entity from which a consu- can be verified by an evaluation, and it is the lowest-level
mer begins to select security assurance requirements. security requirement from which components are con-
Table 4 lists the security assurance classes in alphabetical structed.[7] One or more elements are stated verbatim for
order and indicates their type. each component. If a component has more than one
An assurance family is a grouping of SARs that share element, all of them must be used. Dependencies between
security objectives. The members of a family are referred elements are listed. Elements are the building blocks from
to as components.[7] Each assurance family is assigned a which a PP or ST is created. Each assurance element has a
long name and a three-character mnemonic that is unique number that is appended to the component identi-
appended to the assurance class mnemonic. Family beha- fier and a one-character code. A “D” indicates assurance
Downloaded By: 10.3.97.143 At: 23:06 09 May 2023; For: 9781351235808, entry61, 10.1081/E-EIA-120046535
vior is described. Unlike functional families, the members actions to be taken by the TOE developer. A “C” explains
of an assurance family only exhibit linear hierarchical the content and presentation criteria for assurance
relationships, with an increasing emphasis on scope, evidence, that is, what must be demonstrated.[7] An “E”
depth, and rigor. Some families contain application notes identifies actions to be taken or analyses to be performed
that provide additional background information and con- by the evaluator to confirm that evidence requirements
siderations concerning the use of a family or the informa- have been met. Fig. 4 illustrates the standard notation for
tion it generates during evaluation activities. assurance classes, families, components, and elements.
Components are a specific set of security requirements Part 3 of ISO/IEC 15408 also defines seven hierarchical
that are constructed from elements; they are the smallest evaluation assurance levels, or EALs. An EAL is a group-
selectable set of elements that can be included in a Protection ing of assurance components that represents a point on the
Profile, Security Target, or a package.[7] Components are predefined assurance scale.[7] In short, an EAL is an assur-
assigned a long name and described. Hierarchical relation- ance package. The intent is to ensure that a TOE is not
ships between one component and another are identified. over- or underprotected by balancing the level of assurance
The short name for components consists of the class against cost, schedule, technical, and mission constraints.
mnemonic, the family mnemonic, and a unique number. Each EAL has a long name and a short name, which
Again, application notes may be included to convey addi- consists of “EAL” and a number from 1 to 7. The seven
tional background information and considerations. EALs add new and higher assurance components as
ACM Configuration TOE Control the process by which a TOE and its related documentation is developed, refined, and
Controls
management modified
ADO Delivery and TOE Ensure correct delivery, installation, generation, and initialization of the TOE
operation
ADV Development TOE Ensure that the development process is methodical by requiring various levels of specification
and design and evaluating the consistency between them
AGD Guidance TOE Ensure that all relevant aspects of the secure operation and use of the TOE are documented in
documents user and administrator guidance
ALC Lifecycle support TOE Ensure that methodical processes are followed during the operations and maintenance phase
so that security integrity is not disrupted
ATE Tests TOE Ensure adequate test coverage, test depth, functional and independent testing
AVA Vulnerability TOE Analyze the existence of latent vulnerabilities, such as exploitable covert channels, misuse or
assessment incorrect configuration of the TOE, the ability to defeat, bypass, or compromise security
credentials
AMA Maintenance of AMA Essure that the TOE will continue to meet its security target as changes are made to the TOE
assurance or its environment
PP/ST—Protection Profile or Security Target evaluation.
TOE—TOE conformance evaluation.
AMA—Maintenance of assurance after certification.
Common Criteria: IT Security Evaluation 513
Common –
Controls
CC USER COMMUNITY AND STAKEHOLDERS Customers or end users
IT product vendors
The CC user community and stakeholders can be viewed Sponsors
from two different constructs: 1) generic groups of users, Common Criteria Testing Laboratories (CCTLs)
and 2) formal organizational entities that are responsible National Evaluation Authorities
for overseeing and implementing the CC/ CEM worldwide Common Criteria Implementation Management Board
(see Table 6). (CCIMB)
b
II. Specific Organizations
Customer or end user Specify requirements
Inform vendors how IT product will be evaluated
Use PP, ST, and TOE evaluation results to compare IT products
IT product vendor Respond to customer’s requirements
Prove that all requirements have been met
Deliver evidence to sponsor
Sponsor Contract with CCTL for IT product to be evaluated
Deliver evidence to CCTL
Common Criteria Testing Request accreditation from National Evaluation Authority
Laboratory (CCTL) Receive evidence from sponsor
Conduct evaluations according to CC/CEM
Produce Evaluation Technical Reports
Make certification recommendation to National Evaluation Authority
National Evaluation Define and manage national evaluation scheme
Authority Accredit CCTLs
Monitor CCTL evaluations
Issue guidance to CCTLs
Issue and recognize CC certificates
Maintain Evaluated Products Lists and PP Registry
Common Criteria Facilitate consistent interpretation and application of the CC/CEM
Implementation Oversee National Evaluation Authorities
Management Render decisions in response to Requests for Interpretations (RIs)
Board (CCIMB)
Maintain the CC/CEM
Common –
Controls
Customers or end users perform the same role as functional and assurance requirements specified in the
consumers in the generic model. They specify their PP have been satisfied by their ST and TOE. This proof
security functional and assurance requirements in a PP. and related development documentation is delivered to
By defining an assurance package, they inform develo- the Sponsor.
pers how the IT product will be evaluated. Finally, they A new role introduced by the CCRA is that of the
use PP, ST, and TOE evaluation results to compare IT Sponsor. A Sponsor locates an appropriate CCTL and
products and determine which best meets their specific makes contractual arrangements with them to conduct an
needs and will work best in their particular operational evaluation of an IT product. They are responsible for
environment. delivering the PP, ST, or TOE and related documentation
IT product vendors perform the same role as develo- to the CCTL and coordinating any pre-evaluation activ-
pers in the generic model. They respond to customer ities. A Sponsor may represent the customer or the IT
requirements by developing an ST and corresponding product vendor, or be a neutral third party such as a system
TOE. In addition, they provide proof that all security integrator.
Common Criteria: IT Security Evaluation 515
The CCRA divides the generic evaluator role into three maintains the current version of the CC/CEM and coordi-
hierarchical functions: Common Criteria Testing nates with ISO/IEC JTC1 SC27 WG3 and the CEMEB
Laboratories (CCTLs), National Evaluation Authorities, concerning new releases of the CC/CEM and related
and the Common Criteria Implementation Management standards.
Board (CCIMB).
CCTLs must meet accreditation standards and are
subject to regular audit and oversight activities to ensure
that their evaluations conform to the CC/CEM. CCTLs FUTURE OF CC
receive the PP, ST, or TOE and the associated documenta-
tion from the Sponsor. They conduct a formal evaluation of As mentioned earlier, the CC/CEM is the result of a
Downloaded By: 10.3.97.143 At: 23:06 09 May 2023; For: 9781351235808, entry61, 10.1081/E-EIA-120046535
the PP, ST, or TOE according to the CC/CEM and the 30 year evolutionary process. The CC/CEM and the pro-
assurance package specified in the PP. If missing, ambig- cesses governing it have been designed so that CC/CEM
uous, or incorrect information is uncovered during the will continue to evolve and not become obsolete when
course of an evaluation, the CCTL issues an Observation technology changes, like the Orange Book did. Given
Report (OR) to the sponsor requesting clarification. The that and the fact that 15 countries have signed the CCRA,
results are documented in an Evaluation Technical Report the CC/CEM will be with us for the long term. Two near-
(ETR), which is sent to the National Evaluation Authority term events to watch for are the issuance of both the CEM
along with a recommendation that the IT product be and the SSE-CMM as ISO/IEC standards.
certified (or not). The CCIMB has set in place a process to ensure
Each country that is a signatory to the CCRA has a consistent interpretations of the CC/CEM and to capture
National Evaluation Authority. The National Evaluation any needed corrections or enhancements to the methodol-
Authority is the focal point for CC activities within its ogy. Both situations are dealt with through what is known
jurisdiction. A National Evaluation Authority may take as the Request for Interpretation (RI) process. The first step
one of two forms—that of a Certificate Consuming in this process is for a developer, sponsor, or CCTL to
Participant or that of a Certificate Authorizing Participant. formulate a question. This question or RI may be triggered
A Certificate Consuming Participant recognizes CC certifi- by four different scenarios. The organization submitting
cates issued by other entities but, at present, does not issue the RI:[10]
any certificates itself. It is not uncommon for a country to
sign on to the CCRA as a Certificate Consuming Participant, 1. Perceives an error in the CC or CEM
then switch to a Certificate Authorizing Participant later, 2. Perceives the need for additional material in the CC
after it has established a national evaluation scheme and or CEM
accredited some CCTLs. 3. Proposes a new application of the CC or CEM and
A Certificate Authorizing Participant is responsible for wants this new approach to be validated
defining and managing the evaluation scheme within its 4. Requests help in understanding part of the CC or
jurisdiction. This is the administrative and regulatory CEM
framework by which CCTLs are initially accredited and
subsequently maintain their accreditation. The National The RI cites the relevant CC or CEM reference and
Common –
states the problem or question.
Controls
Evaluation Authority issues guidance to CCTLs about
standard practices and procedures and monitors evaluation The ISO/IEC has a 5 year reaffirm, update, or
results to ensure their objectivity, repeatability, and withdrawal cycle for standards. This means that the
conformance to the CC/CEM. The National Evaluation next version of ISO/IEC 15408, which will include all
Authority issues official CC certificates, if they agree of the final interpretations in effect at that time, should be
with the CCTL recommendation, and recognizes released near the end of 2004. The CCIMB has indicated
CC certificates issued by other National Evaluation that it may issue an interim version of the CC or CEM,
Authorities. In addition, the National Evaluation prior to the release of the new ISO/IEC 15408 version, if
Authority maintains the Evaluated Products List and PP the volume and magnitude of final interpretations war-
Registry for its jurisdiction. rant such an action. However, the CCIMB makes it clear
The Common Criteria Implementation Management that it remains dedicated to support the ISO/IEC
Board (CCIMB) is composed of representatives from process.[1]
each country that is a party to the CCRA. The CCIMB
has the ultimate responsibility for facilitating the consistent
interpretation and application of the CC/CEM across all REFERENCES
CCTLs and National Evaluation Authorities. Accordingly,
the CCIMB monitors and oversees the National Evaluation 1. Centralized resource for current information about the
Authorities. The CCIMB renders decisions in response to Common Criteria standards, members, and events, http://
Requests for Interpretations (RIs). Finally, the CCIMB www.commoncriteria.org.
516 Common Criteria: IT Security Evaluation
2. DoD 5200.28M. ADP Computer Security Manual— 6. Herrmann, D. A Practical Guide to Security Engineering
Techniques and Procedures for Implementing, Deactivating, and Information Assurance, Auerbach Publications: Boca
Testing, and Evaluating Secure Resource-Sharing ADP Raton, FL, 2001.
Systems, U.S. Department of Defense, January, 1973. 7. ISO/IEC 15408-1(1999-12-01). Information technology—
3. DoD 5200.28M. ADP Computer Security Manual— Security techniques—Evaluation criteria for IT security—
Techniques and Procedures for Implementing, Part 1: Introduction and general model.
Deactivating, Testing, and Evaluating Secure Resource- 8. ISO/IEC 15408-2(1999-12-01). Information technology—
Sharing ADP Systems, with 1st Amendment, U.S. Security techniques—Evaluation criteria for IT security—
Department of Defense, June 25, 1979. Part 2: Security functional requirements.
4. CSC-STD-001-83. Trusted Computer System Evaluation 9. ISO/IEC 15408-3(1999-12-01). Information technology—
Criteria (TCSEC), National Computer Security Center, Security techniques—Evaluation criteria for IT security—
Downloaded By: 10.3.97.143 At: 23:06 09 May 2023; For: 9781351235808, entry61, 10.1081/E-EIA-120046535
U.S. Department of Defense, August 15, 1983. Part 3: Security assurance requirements.
5. DoD 5200.28-STD. Trusted Computer System Evaluation 10. Arrangement on the Recognition of Common Criteria
Criteria (TCSEC), National Computer Security Center, U.S. Certificates in the Field of Information Technology
Department of Defense, December, 1985. Security, May 23, 2000.
Common –
Controls