What Is Common Criteria (CC) and Why It Matters for Cybersecurity?
- Joha Mahfuz
- Jun 12, 2025
- 2 min read
By SecYork
As cybersecurity threats grow more sophisticated, organizations need to ensure that the IT products they use are trustworthy and secure—especially in government, defense, and critical infrastructure sectors. One of the most recognized global standards for evaluating the security of IT products is the Common Criteria (CC).
At SecYork, we believe that understanding international security standards is essential for both vendors and buyers of secure systems. In this post, we explain what Common Criteria is, how it works, and why it matters to you.
What Is Common Criteria (CC)?
Common Criteria for Information Technology Security Evaluation—commonly known as Common Criteria (CC)—is an international standard (ISO/IEC 15408) used to evaluate the security features and assurance levels of IT products.
It provides a framework for developers to specify security functionalities, and for independent labs to verify that these functionalities are implemented and tested correctly.
Who Uses It?
Government agencies procuring secure technology (e.g., firewalls, smart cards, operating systems)
IT vendors developing secure products
Regulators seeking consistent global benchmarks
Enterprises needing to comply with procurement and compliance policies
CC is officially recognized by 31+ countries through the Common Criteria Recognition Arrangement (CCRA), which means a product evaluated in one member country is accepted in others.
Key Components of Common Criteria
1. Target of Evaluation (TOE)
The product or system being evaluated (e.g., a VPN appliance, OS, or smart card).
2. Security Target (ST)
A detailed document that outlines the security features and assurances the product claims to provide.
3. Protection Profile (PP)
A reusable set of security requirements for a category of products (e.g., firewalls, biometric readers). Vendors can align their Security Targets with applicable PPs.
4. Evaluation Assurance Levels (EALs)
There are 7 EALs, ranging from basic (EAL1) to formally verified (EAL7).
EAL1 = Functionally tested
EAL4 = Structurally tested (most common for commercial products)
EAL7 = Formally verified design and tested
Why Common Criteria Matters
✔ Confidence in Security Claims
CC certification provides independent validation that the product does what it claims in terms of security.
✔ Global Recognition
CC-certified products are trusted across multiple countries, easing international procurement.
✔ Regulatory Compliance
Some government and defense contracts require CC-certified products.
✔ Risk Reduction
Using evaluated products helps reduce the risk of using insecure or poorly implemented technologies.
Real-World Examples of CC-Certified Products
Firewalls (e.g., Fortinet, Cisco)
Secure operating systems
Smart cards and secure ID platforms
Hardware security modules (HSMs)
Encryption libraries
Final Thoughts from SecYork
While Common Criteria is not a replacement for full risk management, it offers a solid foundation for trusting security features in technology. For government contractors, critical infrastructure providers, and security-conscious enterprises, it can be a vital part of your procurement and assurance strategy.
At SecYork, we help clients understand certification standards like CC, FIPS 140-3, and FedRAMP to make informed cybersecurity decisions.
Have Questions?
Need help evaluating a CC-certified product? Or want to know if your vendor complies with international security standards?
SecYork – Securing Your Digital Future.