 

CC Documentation

The Common Criteria is the result of the integration of information technology and computer security criteria. In 1983 the US issued the Trusted Computer Security Evaluation Criteria (TCSEC), which became a standard in 1985. Criteria developments in Canada and European ITSEC countries followed the original US TCSEC work. The US Federal Criteria development was an early attempt to combine these other criteria with the TCSEC, and eventually led to the current pooling of resources towards production of the Common Criteria.

Version 1.0 of the CC was published for comment in January 1996. Version 2.0 took account of extensive review and trials during the next two years and was published in May 1998. Version 2.0 was adopted by the International Organisation for Standards (ISO) as an International Standard (ISO 15408) in 1999. Within the Common Criteria project, this ISO standard is version 2.1.

The Common Criteria is composed of three parts: the Introduction and General Model (Part 1), the Security Functional Requirements (Part 2), and the Security Assurance Requirements (Part 3). While Part 3 specifies the actions that must be performed to gain assurance, it does not specify how those actions are to be conducted; to address this, the Common Evaluation Methodology (CEM) was created for the lower levels of assurance.

This common methodology is the basis upon which the member nations have agreed to recognize the evaluation results of one another, as specified in the "Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security". This was first signed in 2000 and additional member nations continue to join this agreement.

The CC and CEM continue to evolve as their use spreads. This evolution is propagated through the use of Interpretations, which are formal changes periodically made to the CC/CEM that have been mutually agreed by the participating producing nations.


The following links are to the CC, CEM, and their interpretations, as well as to other informative documents.

Official Documents

CC v2.2/CEM v1.2

This updated set of the CC/CEM reflects the incorporation of all final interpretations through 31 December 2003. All of the changes from CCv2.1/CEMv1.0 are due solely to the final interpretations. For the purposes of evaluations within CCEVS, either version may be used because the version that is used is identified in all outputs of the evaluation (Security Target, Protection Profile, Validation Report, certificate).

Part 1: Introduction and general model (v2.2)
Part 2: Security functional requirements (v2.2)
Part 3: Security Assurance Requirements (v2.2)
Common Methodology for Information Technology Security Evaluation

CC v2.1/CEM v1.0

Part 1: Introduction and General Model (v2.1)
Part 2: Security Functional Requirements (v2.1)
Part 3: Security Assurance Requirements (v2.1)
Common Methodology for IT Security Evaluation, v1.0

CEM Supplement: ALC_FLR - Flaw Remediation


Assurance Continuity: CCRA Requirements v1.0
Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security

Interpretations


Draft Documents

Draft ASE/APE Update

The members of the CCRA have created a proposed update to the ASE and APE classes, which define the requirements for STs and PPs. These proposed updates have been incorporated into the bodies of the documents that they affect (CC Parts 1 and 3 and the CEM) for convenience.

These draft versions are now available for review and comment, as well as for trial use. Please contact CCEVS if you would be willing to use them as the basis for your ST or PP evaluation.

Part 1: Introduction and general model (v2.4)
Part 3: Security Assurance Requirements (v2.4)
Common Methodology for Information Technology Security Evaluation (v2.4)

Useful Documents

(Note: the following have no official standing within the Common Criteria Project or Arrangement on the Recognition of Common Criteria Certificates)

CC - An Introduction
CC Users Guide

 

 


Please send comments or suggestions to niap-info@nist.gov.
NIAP is in the Information Technology Laboratory at the National Institute of Standards and Technology.
NIST is an agency of the U.S. Commerce Department's Technology Administration.
NSA is an agency of the U.S. Department of Defense.

Page last updated: August 6, 2004 9:53 AM