Common Criteria History

The Common Criteria for Information Technology Security Evaluation (aka. Common Criteria) was developed by the governments of Canada, France, Germany, Netherlands, UK, and U.S. in the mid-90’s.

Common Criteria (CC) was produced by the willing to unify the security evaluation standards existing at this time: the European ITSEC standard, developed by France, Germany, the Netherlands and the UK; the U.S. TCSEC standard (aka. Orange Book) developed by the United States Department of Defense and the Canadian CTCPEC derived from the TCSEC standard.

By unifying security evaluation criteria, the objective was to avoid re-evaluation of products addressing international markets.

Common Criteria version 1.0 was issued in 1994.

In order to enlarge the community of contributors and to target an international endorsement of the criteria, Common Criteria became the ISO/IEC 15408 standard in 1999. The ISO version corresponds to the version 2.1 of the Common Criteria document edited by the Common Criteria Management Board.

Continuing the willing to reduce the need for re-evaluations, an arrangement allowing the mutual recognition of Common Criteria certificates has been signed in May 2000 (http://www.commoncriteriaportal.org/ccra/).

The Participants in this Arrangement share the following objectives:

Today 26 nations are participants of the Arrangement.

Certificate Producers

Australia Canada France Germany Italy Japan Malaysia Netherlands New Zealand Norway Spain Sweden South Korea Turkey United Kingdom USA

Certificate Consumers

Austria Czech Republic Denmark Finaland Greece Hungary India Israel Pakistan Singapore

In order to take into account the evolution of the technology and the progress in security evaluation techniques, Common Criteria continuously evolves. The current applicable versions of the Common Criteria are the CC version 3.1 revision 3 and the ISO/IEC 15408:2009 standard.

MC Vision Statement

To a large extent the CCRA activity has in the past been focused on developing the CC/CEM and harmonization of the application of the CC/CEM among the schemes. Nowadays there is an increased interest among the participants of the CCRA to facilitate development of protection profiles through collaboration between government agencies of CCRA participants, product vendors and labs. These protection profiles are then intended to be used for procurement purposes in several nations.

However, moving to a more PP-centric way of using the CC and CCRA also requires harmonization of how the CCRA participants develop and apply protection profiles.

The CCRA Management Committee (CCMC) held a meeting in Paris, September 17 2012, and agreed on a vision statement for the future direction of the application of the CC and the CCRA.

The paper highlights the key points for adapting the CCRA and continues by describing the fundamental framework for how the CCMC have agreed to allow for proper management of such protection profiles.

ICCC History

In order to support the CC Recognition Arrangement, the CC Management Committee organized an annual International Common Criteria Conference (ICCC). This important event brings together Certification Bodies, Evaluation Laboratories, Experts, Policy Makers, and Product Developers interested in the specification, development, evaluation, and certification of IT security. The Conference has become the main marketing and meeting opportunity for all those involved in the specification, development, evaluation, and validation or certification of IT security.

The previous ICCC conferences have been organized in the following locations:

18-20 September 2012Paris, France
27-29 September 2011Kuala Lumpur, Malaysia
21-23 September 2010Atalya, Turkey
22-24 September 2009Tromsø, Norway
23-25 September 2008Jeju, South Korea
25-27 September 2007Rome, Italy
19-21 September 2006Lanzarote, Spain
28-29 September 2005Tokyo, Japan
28-30 September 2004Berlin, Germany
7-9 September 2003Stockholm, Sweden
13-14 May 2002Ottawa, Canada
18-19 June 2001Brighton, United Kingdom
23-25 May 2000Baltimore, Maryland, United States of America