How to get ready for Common Criteria evaluation?

How to get ready for Common Criteria evaluation?
Post Menu and Details.

Words: 940

Reading time: ~4 minutes

Since 2010, a total of 1665 IT products and systems have been CC certified globally. The most common products that successfully went through the Common Criteria evaluation process were Network and Network-Related Devices, Databases, ICs, Smart Cards, Smart Card-Related Devices and Systems, Access Control Devices, Multi-Function Devices, and Operating Systems.
Suppose you – as a Sponsor or Developer – consider having your IT product CC-certified. In that case, the following article will certainly help you with a lot of useful details and insight into the topic.

What gets evaluated?

Before getting into the details let’s clarify the basics. Common Criteria (CC) is an internationally acknowledged standard, also known as ISO/IEC 15408, that is used to validate that a particular IT system or product (Target of Evaluation or TOE) meets a defined set of cybersecurity requirements. It’s important to know that the latest CEM (Cybersecurity Evaluation Methodology) and Common Criteria documents and regulations are not exactly the same as the ISO standard; they have a more updated version.

The framework specifies the structure of the Common Criteria evaluation, describes the terminology for defining security requirements, and a technique for assessing those requirements. The Common Criteria certification guarantees that an IT security product’s (TOE) specification, implementation, and cybersecurity assessment have been carried out in a standard, rigorous, and repeatable way at a level that matches its target operational environment.

Target of Evaluation

The Target of Evaluation (TOE) is the product or part of the product that gets evaluated. The depth of the Common Criteria evaluation depends on the chosen Evaluation Assurance Level (EAL). The Developer should specify the TOE boundary.

The Common Criteria evaluation process always includes related document assessments as well as actual testing of the product, just like:

  • Vulnerability analysis
  • Functional testing
  • Guidance evaluation
  • Design evaluation
  • Life-cycle evaluation

What is the purpose of Common Criteria evaluation?

What Is The Purpose Of Common Criteria Evaluation

Common Criteria Evaluation is a complex assessment procedure that is required to get an IT product or system CC-certified. Although Common Criteria Certification has many advantages, it is important to mention that not all IT products need it and not all are eligible.

The main benefits of Common Criteria evaluation and certification include:

  • Maintain competitiveness
  • Product improvement
  • Avoid post-market costs
  • Further business opportunities

How to prepare your product for Common Criteria evaluation?

We are talking about a highly complex process, so before you embark on a Common Criteria evaluation project, make sure whether your product is eligible for CC certification. For the same reason, we recommend contacting a Common Criteria expert or consultant who will help you prepare the product and collect or prepare the necessary material for the evaluation.

In addition to involving the expert, you must study the latest information about Common Criteria, the evaluation process, the necessary steps, and the tasks.

Common Criteria evaluation is performed by an accredited independent Test Laboratory which you need to hire before starting the process. As the first step, a detailed EWP (Evaluation Work Plan) will be prepared by the Test Laboratory and approved by the CB (Certification Body).

Evaluators must get access to the evaluation resources of your product required to carry out the tasks outlined in the EWP. 

Evaluation materials can be for instance:

  • The Target for Security;
  • HW, firmware, or SW elements that make up the Target of Evaluation (TOE);
  • Documentation for TOE users;
  • Documentation for technical support for developers,
  • Product lifecycle documentation, etc.


Common Criteria evaluation is one of the most important steps on the path to CC certification. It is known as a quite complicated procedure. Therefore, we recommend getting professional help and consultancy service when preparing for it. With the support of an expert, you can save both time and costs while easily getting over the difficulties of your Common Criteria evaluation project.


What are Common Criteria certified?

A predefined security standard for government deployments is known as Common Criteria, officially known as the Common Criteria for Information Technology Security Evaluation.

What is the number of levels in the Common Criteria?

To assess whether the TOE meets the security requirements of Common Criteria, the Evaluation Assurance Level (EAL) is assigned. Levels range from 1 to 7.

How does the Common Criteria standard work?

Information security products must meet a set of agreed-upon security standards for government deployment to meet Common Criteria (CC).

What is the cost of Common Criteria certification?

Do Common Criteria certifications cost a lot? It is generally estimated that CC evaluations cost between USD $100k and $200k, including lab and consulting fees. In determining this amount, multiple factors must be considered.

What is the validity period of Common Criteria certification?

The Common Criteria certification is valid for a period of five (5) years, depending on the version of the product tested. A process called Assurance Continuity (AC) is used by Common Criteria to update version information.

What Countries created Common Criteria?

Six countries developed the Common Criteria (CC): the United States, Canada, France, Germany, the United Kingdom and the Netherlands.

ISO 15408: What is its purpose?

IT products and systems are required to comply with a common set of security functions and assurance measures during a security evaluation.

What year were Common Criteria created?

The first version of Common Criteria was published in 1994. In 1999, Common Criteria became ISO/IEC 15408 to gain international acceptance and enlarge the contributor community.

How do Common Criteria define Protection Profile?

Organizations typically write protection profiles with specific ITS requirements but not with specific systems or products in mind. Security targets are typically written by vendors of systems and products listing how their products meet specific ITS requirements.

EAL certification – what is it?

After a Common Criteria security evaluation, an IT product or system is assigned an Evaluation Assurance Level (EAL). Levels indicate how much testing was done on a product or system. Specific assurance requirements must be met for a product to achieve an EAL.

Thank you for reading!