The Common Criteria For The Common Good
For many organizations, evaluating the security of a particular product can be difficult.
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.The article explains The Common Criteria, a globally recognized security certification formed in 1999 by leading government agencies to help organizations validate product and vendor security beyond vendor claims. It addresses the real-world problem that organizations often lack the expertise, time, and resources to independently assess both functionality and security of solutions, by providing a certification that covers product testing, design documentation, functional testing, and penetration testing. As a result, enterprises, higher education institutions, and government-integrated private organizations can confidently evaluate and procure solutions from vendors with internationally recognized assurance across many countries and development processes.
What problem does The Common Criteria solve for organizations evaluating product security?
The Common Criteria addresses the difficulty organizations face in validating both the functionality and security of products when they often lack the expertise, time, and resources to perform thorough security assessments themselves. Before The Common Criteria, vendors had to certify separately against each government’s scheme, which was cumbersome and led many vendors to forgo certification. By enabling certification with a testing lab in one participating country and having that certification recognized by other member nations, The Common Criteria reduces duplication of effort and provides a trusted, comprehensive assessment of product security and vendor development processes.
What does The Common Criteria certification process evaluate beyond the product itself?
The Common Criteria certification requirements extend beyond the product to include design documentation, design analysis, functional testing, and penetration testing, ensuring a comprehensive evaluation of both the product and the vendor’s processes. This means the assessment examines how the product was developed and the vendor’s procedures, not just the finished product, offering organizations assurance that they are purchasing from a vendor with robust development practices. Such process-level scrutiny helps enterprises rely on the certification as evidence of mature security posture across product lifecycle activities.
Who uses The Common Criteria and why is it attractive for global organizations?
Originally intended to validate products for government procurement, The Common Criteria is now used by many organizations including enterprise companies and higher education institutions because it provides an industry-wide, recognized security standard. With participation from 26 member nations and seven of the eight G8 countries, it offers global recognition that is especially attractive to companies operating across multiple countries, as a single certification can be accepted in many jurisdictions. This broad international representation and mutual recognition make it easier for private organizations that work with governments to have their required products accepted and integrated.
For many organizations, evaluating the security of a particular product can be difficult. It’s enough work just to evaluate the functionality of a solution, let alone the security of the system. Validating the security of your proposed solution requires expertise, time and effort that most organizations can’t afford. And while you may be willing to take the vendor’s word on the security of their product, it’s always best to get an assessment from someone you trust.
Enter The Common Criteria. The Common Criteria was formed in 1999 from leading government security agencies around the globe, including the United States’ Department of Defense (DOD) Canada’s Communications Security Establishment (CSE) and the United Kingdom’s Communications-Electronics Security Group (CESG), in order to provide a globally recognized set of security criteria that vendors could certify their products against.
Before The Common Criteria was formed, vendors would have to certify their product according to each government’s particular scheme, which was cumbersome for many vendors to do and resulted in most not bothering to certify their products at all. With The Common Criteria, they’re able to certify their product with a testing lab in one country and have that certification be recognized by all other participating nations. And the certification requirements not only include the product, but also involve design documentation, design analysis, functional testing, and penetration testing. This makes for a more complete and involved certification that extends beyond the product into the vendor’s processes and procedures.
With 26 members, and seven of the eight G8 countries participating, The Common Criteria is one of the industry’s most recognized certifications. Having certified over 1850 products in the last 14 years, it’s also one of the largest certifying bodies specializing in security.
While initially proposed as a means to validate products for purchase within the government, The Common Criteria is now used by many organizations, including enterprise companies and higher education institutions in order to assess the security of a solution.
While there are some specialized security certifications, such as the Federal Information Processing Standards (FIPS) 140 series certification for cryptographic modules, there are little industry wide certifications that can be used to assess the security of a solution. In lieu of these standard certifications from the private sector, The Common Criteria has emerged as the certification of choice for enterprises because it certifies both the product and the processes behind how the vendor develops that product. Organizations can be assured that they’re not only purchasing the right solution, but also from the right vendor.
For global companies, it is even more attractive due to the participation from leading nations in 5 of the 6 inhabited continents. This global representation ensures that an organization is covered in many, if not all, of the countries where they may have a presence.
And for those private organizations that deal with the government and require some form of integration, The Common Criteria certification helps to ensure that the products they need to integrate will be accepted more easily.
Although developed with government intentions, The Common Criteria has emerged as a recognized standard by all and should be part of every security conscious organization’s checklist when evaluating products.
Read the BlueCat Press Release Read the Common Criteria Evaluation Report
Published in:
BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
Related content
How to map your network with user-defined links in Integrity X
Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.
Automate your DDI modernization path by migrating with Micetro
Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.
Your journey to intelligent NetOps begins at Cisco Live
Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.
Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)
Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.