Common Criteria

Posted on November 24, 2007. Filed under: Computer Science, Programming |

The Common Criteria is the result of integrating several earlier information technology and computer security evaluation criteria. In 1983 the US issued the Trusted Computer Security Evaluation Criteria (TCSEC), which became a standard in 1985. Criteria developments in Canada and the European ITSEC countries followed the original US TCSEC work. The US Federal Criteria development was an early attempt to combine these other criteria with the TCSEC, and eventually led to the current pooling of resources towards production of the Common Criteria.

Version 1.0 of the CC was published for comment in January 1996. Version 2.0 took account of extensive review and trials during the next two years and was published in May 1998. Version 2.0 was adopted by the International Organization for Standards (ISO) as an International Standard (ISO 15408) in 1999.

In 2005, the interpretations that had been made to date were incorporated into an update, version 2.3. This was published as ISO/IEC 15408-1:2005, 15408-2:2005, and 15408-3:2005; the corresponding update of the CEM was published as ISO/IEC 18045:2005. In September 2006, CC Version 3.1 was published. The new version provided a major change to the Security Assurance Requirements and incorporated all approved Interpretations. In September 2007, minor changes/corrections were incorporated into Version 3.1 and Revision 2 became official.

The Common Criteria is composed of three parts: the Introduction and General Model (Part 1), the Security Functional Requirements (Part 2), and the Security Assurance Requirements (Part 3). While Part 3 specifies the actions that must be performed to gain assurance, it does not specify how those actions are to be conducted; to address this, the Common Evaluation Methodology (CEM) was created for the lower levels of assurance.

This common methodology is the basis upon which the member nations have agreed to recognize the evaluation results of one another, as specified in the “Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security”. This was first signed in 2000 and additional member nations continue to join this agreement.

The CC and CEM continue to evolve as their use spreads. This evolution is propagated through Interpretations, which are formal changes periodically made to the CC/CEM that have been mutually agreed by the participating producing nations.

The following links are to the CC, CEM, and their interpretations, as well as to other informative documents.
