The Common Criteria for Information Technology Security Evaluation (a.k.a. Common Criteria) was developed by the governments of Canada, France, Germany, the Netherlands, the UK, and the U.S. in the mid-1990s.
Common Criteria (CC) was produced out of the desire to unify the security evaluation standards existing at that time: the European ITSEC standard, developed by France, Germany, the Netherlands and the UK; the U.S. TCSEC standard (a.k.a. the Orange Book), developed by the United States Department of Defense; and the Canadian CTCPEC, derived from the TCSEC standard.
By unifying security evaluation criteria, the objective was to avoid the re-evaluation of products addressing international markets.
Common Criteria version 1.0 was issued in 1994.
In order to enlarge the community of contributors and to obtain international endorsement of the criteria, Common Criteria became the ISO/IEC 15408 standard in 1999. The ISO version corresponds to version 2.1 of the Common Criteria document edited by the Common Criteria Management Board.
Continuing the effort to reduce the need for re-evaluations, an arrangement allowing the mutual recognition of Common Criteria certificates was signed in May 2000 (http://www.commoncriteriaportal.org/ccra/).
The Participants in this Arrangement share the following objectives:
Today 26 nations are participants in the Arrangement.
Certificate Producers
Certificate Consumers
In order to take into account the evolution of technology and the progress in security evaluation techniques, Common Criteria evolves continuously. The currently applicable versions of the Common Criteria are CC version 3.1 revision 3 and the ISO/IEC 15408:2009 standard.
To a large extent the CCRA activity has in the past been focused on developing the CC/CEM and on harmonizing the application of the CC/CEM among the schemes. Nowadays there is an increased interest among the participants of the CCRA in facilitating the development of protection profiles through collaboration between government agencies of CCRA participants, product vendors and labs. These protection profiles are then intended to be used for procurement purposes in several nations.
However, moving to a more PP-centric way of using the CC and the CCRA also requires harmonization of how the CCRA participants develop and apply protection profiles.
The CCRA Management Committee (CCMC) held a meeting in Paris on 17 September 2012 and agreed on a vision statement for the future direction of the application of the CC and the CCRA.
The paper highlights the key points for adapting the CCRA and continues by describing the fundamental framework the CCMC has agreed on to allow for proper management of such protection profiles.
In order to support the CC Recognition Arrangement, the CC Management Committee organizes an annual International Common Criteria Conference (ICCC). This important event brings together Certification Bodies, Evaluation Laboratories, Experts, Policy Makers, and Product Developers interested in the specification, development, evaluation, and certification of IT security. The Conference has become the main marketing and meeting opportunity for all those involved in the specification, development, evaluation, and validation or certification of IT security.
The previous ICCC conferences have been organized in the following locations:
| Date | Venue |
|---|---|
| 18-20 September 2012 | Paris, France |
| 27-29 September 2011 | Kuala Lumpur, Malaysia |
| 21-23 September 2010 | Antalya, Turkey |
| 22-24 September 2009 | Tromsø, Norway |
| 23-25 September 2008 | Jeju, South Korea |
| 25-27 September 2007 | Rome, Italy |
| 19-21 September 2006 | Lanzarote, Spain |
| 28-29 September 2005 | Tokyo, Japan |
| 28-30 September 2004 | Berlin, Germany |
| 7-9 September 2003 | Stockholm, Sweden |
| 13-14 May 2002 | Ottawa, Canada |
| 18-19 June 2001 | Brighton, United Kingdom |
| 23-25 May 2000 | Baltimore, Maryland, United States of America |