Common Criteria (CC) for Information Technology Security Evaluation

CC is an internationally recognized standard used by governments and organizations to assess the security of IT products. It provides a common framework for stating security requirements and for evaluating whether a product meets them, so that evaluation results are comparable across products and across countries. The CC was developed by the government security agencies of Canada, France, Germany, the Netherlands, the United Kingdom and the United States; it was later adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 15408, but it did not originate as an ISO/IEC project.

What is Common Criteria EAL2?

The Common Criteria defines seven Evaluation Assurance Levels (EALs), from EAL1 (functionally tested) to EAL7 (formally verified design and tested). EAL2, "structurally tested", is the second-lowest of these; it is an assurance package within the CC, not a separate standard. At EAL2 the developer supplies a functional specification of the product under evaluation (the Target of Evaluation, TOE), a basic description of its subsystems, user and preparative guidance, configuration management and delivery evidence, and its own test results. An accredited laboratory then reviews this evidence, independently repeats a sample of the developer's tests, runs its own tests, and searches for vulnerabilities that could be exploited by an attacker with basic attack potential. EAL2 is intended for situations where a moderate, independently assured level of security is needed and the full development record is not available; an EAL2 certificate does not show that the product resists a determined, well-resourced attacker, and it says nothing about security functions outside the TOE boundary described in the Security Target.

What three standards originated the Common Criteria standard?

The Common Criteria unified three earlier national and regional evaluation criteria: the United States TCSEC (the Orange Book), the European ITSEC, and the Canadian CTCPEC.

The Trusted Computer System Evaluation Criteria (TCSEC), better known as the Orange Book, was published by the United States Department of Defense in 1983 and reissued as DoD standard 5200.28-STD in 1985. It defined the evaluation classes D through A1 for trusted operating systems. The Orange Book is the lead volume of the National Computer Security Center's Rainbow Series, a larger collection of interpretation and guidance documents (for networks, databases and other topics) that grew to well beyond seven books; the series accompanied the Orange Book rather than being a separate source of the CC.

The Information Technology Security Evaluation Criteria (ITSEC) was developed by France, Germany, the Netherlands and the United Kingdom and published by the European Commission in 1991 (version 1.2). ITSEC introduced the separation of security functionality from assurance, with assurance levels E0 to E6, that the CC's EALs descend from.

The Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), published by the Communications Security Establishment in 1993, combined ideas from both of the above.

Work on the CC began in 1993 and also drew on the draft US Federal Criteria for Information Technology Security (1992). Version 1.0 of the CC was released in 1996 and version 2.0, which became ISO/IEC 15408, in 1998.

What is Common Criteria PP compliant?

The Common Criteria for Information Technology Security Evaluation (CC) is an international standard (ISO/IEC 15408) for security certification of IT products. It is sponsored by the national security agencies of Canada, France, Germany, the Netherlands, the United Kingdom and the United States, and certificates are mutually recognized under the Common Criteria Recognition Arrangement (CCRA), whose membership has grown to roughly 30 nations, a smaller group of which operate schemes that issue certificates. The CC was developed to provide a common basis for evaluating the security of IT products.

A Protection Profile (PP) is an implementation-independent statement of security needs for a category of product, for example network devices, full-disk encryption, or mobile device management. It is normally written by a government scheme, a user community, or an international Technical Community (iTC), whose output is called a collaborative PP (cPP), rather than by a vendor. A PP describes the threats the product must counter, the assumptions made about its operating environment, and the security objectives that follow from them; it then specifies two kinds of requirements:

- Security Functional Requirements (SFRs), drawn from CC Part 2, which say what the product must do: identification and authentication, audit generation, cryptographic operation, access control, and so on. A PP for an email gateway, for instance, might require authenticated administration and TLS-protected mail transfer.

- Security Assurance Requirements (SARs), drawn from CC Part 3, which say what evidence and evaluator activities are needed to gain confidence that the SFRs are met: design documentation, developer testing, configuration management, vulnerability analysis, and so on. A PP can reference a predefined EAL package or, as most modern cPPs do, define its own set of assurance activities.

The vendor writes a Security Target (ST) for its specific product and claims conformance to one or more PPs. A product is "PP compliant" (more precisely, its certified ST claims conformance to that PP) when the evaluation confirms that the ST satisfies every requirement of the PP. The PP states which kind of conformance it allows: strict conformance (the ST's requirements must be a superset of the PP's), demonstrable conformance (the ST must be shown to be at least as restrictive as the PP), or, in CC:2022 and most cPPs, exact conformance (the ST may contain only the PP's requirements plus the optional and selection-based requirements the PP permits). There is no separate "functional PP" and "assurance PP"; a single PP carries both kinds of requirements.

When checking a vendor's claim, look the certificate up on the Common Criteria portal and confirm which PP(s), and which version of each, the ST conforms to. A product certified only against an EAL, with no PP, has been evaluated against whatever functional claims the vendor chose to put in its ST, which may be far narrower than the product's marketing suggests.

What is the main purpose of the Common Criteria for Information Technology Security Evaluation?

The Common Criteria for Information Technology Security Evaluation (CC) is an international standard (ISO/IEC 15408) that defines a unified approach to security evaluation of IT products. It was developed from 1993 onward by the government security agencies of Canada, France, Germany, the Netherlands, the United Kingdom and the United States, which aligned their existing national criteria, and has since been adopted through the CCRA by a wider group of nations.

The primary purpose of the CC is to provide a common framework within which IT security evaluations can be conducted in a consistent, repeatable and reliable manner, so that a product evaluated once by an accredited laboratory under one scheme need not be re-evaluated under another. Part 1 of the standard defines the concepts and evaluation model, Part 2 the catalogue of security functional requirements, and Part 3 the catalogue of assurance requirements and the EAL packages; the companion Common Evaluation Methodology (CEM, ISO/IEC 18045) tells evaluators how to apply them. The CC also aims to promote international recognition and acceptance of security evaluations. Under the CCRA, member nations recognize each other's certificates for evaluations against a collaborative PP and, for evaluations without a cPP, up to EAL2 (optionally augmented with flaw remediation, ALC_FLR); recognition of higher EALs depends on regional agreements such as SOG-IS in Europe.

How much does Common Criteria certification cost?

There is no simple answer to the question of how much Common Criteria certification costs, as the price can vary widely depending on a number of factors. The size, scope and complexity of the TOE are perhaps the most important, since they determine how much evidence must be produced and reviewed. Other important factors include the number of security functions inside the TOE boundary, the assurance level sought (a higher EAL, or a PP with demanding assurance activities, requires more evidence and more evaluator effort), whether the target scheme mandates a particular PP, the quality of the existing design and test documentation, and the number of schemes or target markets in which the certificate must be obtained or recognized.

In general, certification costs can be divided into three main categories:

1. Evaluation Costs: These are the costs of actually conducting the evaluation. They include the fees charged by the licensed evaluation laboratory (a CCTL in the US scheme, an ITSEF in several European schemes), any fees the national certification body charges for oversight and certificate issuance, the cost of consultants hired to write the Security Target and the evidence documents, and any necessary travel for site audits or testing.

2. Certification Maintenance Costs: Once a product is certified, there are costs associated with keeping that certification meaningful. Most schemes limit the validity of a certificate to a fixed period, after which it is archived, and any significant change to the certified version (new features, a new platform, a patched security function) requires an assurance continuity review or a re-evaluation. In practice this means budgeting for evaluation work on each major release that must remain certified, not just the first.

3. Product Development Costs: Products often need to be modified to meet the requirements of the CC, and especially of a mandated PP. Typical examples are adding audit logging for security-relevant events, enforcing administrator authentication and session handling, using validated cryptographic implementations, and adding power-on self-tests. This can add significant cost to the overall certification effort and should be scoped early, before the laboratory engagement begins.

The best way to get an accurate estimate of the cost of Common Criteria certification for a specific product is to consult a licensed evaluation laboratory under the scheme you intend to certify in, with the target PP and the proposed TOE boundary in hand; the scheme's own fee schedule, where it has one, is published by the certification body.