Inferensys

Glossary

Common Criteria (CC)

An international standard (ISO/IEC 15408) for computer security certification, providing a framework where users specify security requirements and vendors implement and have their products independently evaluated.
Wide-angle shot of a modern WeWork open floor plan with creative walls covered in AI system architecture diagrams, product team collaborating in standing desk area with industrial lighting.
SECURITY CERTIFICATION FRAMEWORK

What is Common Criteria (CC)?

Common Criteria is an international standard (ISO/IEC 15408) for evaluating and certifying the security properties of IT products, providing a globally recognized framework where vendors define security targets and independent laboratories validate claims.

Common Criteria (CC) is an international standard (ISO/IEC 15408) that provides a rigorous framework for specifying, implementing, and independently evaluating the security of IT products. It enables vendors to define a Security Target (ST) —a document specifying the product's security functional requirements—which an accredited laboratory then tests against to achieve certification at a defined Evaluation Assurance Level (EAL) .

The framework establishes mutual recognition through the Common Criteria Recognition Arrangement (CCRA) , allowing a product certified in one participating nation to be accepted across 31 member countries. This eliminates redundant evaluations, making CC the de facto standard for procurement in government, defense, and critical infrastructure sectors where hardware root of trust and supply chain assurance are mandatory.

ISO/IEC 15408 FRAMEWORK

Core Components of Common Criteria

The Common Criteria framework is built on a structured vocabulary of functional and assurance components that allow for the precise specification and rigorous evaluation of a product's security properties.

02

Security Target (ST)

A vendor-provided document that specifies the security properties of a specific, identified product (the Target of Evaluation or TOE). The ST can claim conformance to one or more Protection Profiles and details the exact Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) the product meets.

  • Key Distinction: A PP is a generic wishlist; an ST is a product's specific promise.
  • Content: Includes the TOE boundary, operational environment assumptions, and a rationale for how the SFRs counter identified threats.
03

Target of Evaluation (TOE)

The specific product or system—including its documentation, guidance, and supporting hardware/software—that is the subject of a Common Criteria evaluation. Defining a clear TOE boundary is critical, as it separates the security-relevant components from the rest of the operational environment.

  • Example: A TOE could be a complete operating system, a hardware security module, or a specific application's cryptographic module.
  • Context: The evaluation only validates the security claims made about the components inside the TOE boundary.
04

Evaluation Assurance Level (EAL)

A numerical grade from EAL1 (functionally tested) to EAL7 (formally verified design and tested) that represents the depth and rigor of the evaluation. A higher EAL does not mean 'more secure'; it means the security claims were verified to a higher degree of assurance.

  • EAL1-EAL4: Focus on commercial-grade development practices and testing.
  • EAL5-EAL7: Require semi-formal to formal design specifications and rigorous vulnerability analysis, often for high-risk government or critical infrastructure use.
05

Security Functional Requirements (SFRs)

The specific, auditable security behaviors that the TOE must exhibit. These are selected from a standardized catalog in Part 2 of ISO/IEC 15408. SFRs define functions like identification and authentication (FIA), audit (FAU), and cryptographic support (FCS).

  • Structure: Each SFR is a verbatim requirement from the standard, with vendor-defined assignments and selections.
  • Example: FIA_UAU.5.1 requires the TOE to provide a specific set of authentication mechanisms to verify a user's claimed identity.
06

Security Assurance Requirements (SARs)

The criteria that specify the measures taken during the product's development, engineering, and delivery to ensure it meets its SFRs. SARs are defined in Part 3 of ISO/IEC 15408 and cover the rigor of life-cycle management (ALC), testing depth (ATE), and vulnerability assessment (AVA).

  • Focus: SARs validate the process and evidence, not just the final product's features.
  • Example: ALC_CMC.4 requires a documented configuration management system to track all implementation representation changes.
COMMON CRITERIA CERTIFICATION

Frequently Asked Questions

Essential questions about the ISO/IEC 15408 standard for evaluating and certifying the security properties of IT products and systems.

Common Criteria (CC) is an international standard (ISO/IEC 15408) for the independent evaluation and certification of security properties in IT products. It works through a framework where users define their security requirements in a Protection Profile (PP), vendors document their implementation in a Security Target (ST), and accredited laboratories evaluate the product against these specifications. The evaluation verifies that the product's security functions are correctly implemented and resistant to defined threats at a specific Evaluation Assurance Level (EAL1 through EAL7). The result is a globally recognized certificate valid across 31 member nations under the Common Criteria Recognition Arrangement (CCRA), eliminating the need for redundant national evaluations.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.