An Introduction to the Common Criteria
Governments and commercial users of DBMS products need to understand both the security functionality of the products they purchase and use and the quality of that functionality. Third-party evaluation is the preferred method of security verification, but in the past each nation required its own evaluation, an expensive proposition for vendors and customers alike. Sharing an evaluation between four nations, as the European ITSEC did, improved the time and cost of evaluation. The real solution, however, was the Common Criteria, under which an evaluation performed to its strict conditions is currently formally recognized by twenty-four nations through an international agreement (the Common Criteria Mutual Recognition Arrangement, or CCRA), and by dozens more countries and many commercial users beyond the agreement.
The Common Criteria is more than just a concise definition of security functionality and assurance requirements. It is also a precise evaluation process, defined in the Common Evaluation Methodology document. In addition, each nation performing CC evaluations operates a formal, approved evaluation scheme. Finally, it is a government certification, issued by the government working with a private evaluation lab certified in that country.
While CC certification represents an evaluation of security functions using specified assurance measures, there is no hierarchy of security functions, in part because many security functions are independent of each other. There is, however, an accepted ranking of assurance criteria within the CC documents, the Evaluation Assurance Levels EAL1 to EAL7. Of these, evaluations at EAL1 to EAL4+ (the “+” added to EAL4 represents flaw remediation, which is not part of EAL4 itself) are mutually recognized by the 25 countries that signed the CCRA.
Another important aspect of the CC is that it recognizes Protection Profiles (PPs). A PP, strictly defined in the CC documentation, is a set of security functionality requirements and assurance requirements. The original concept of PPs is that large customers or customer groups, governments and industries for example, would develop a specific set of security and assurance requirements, often the minimum requirements of the customer or group. This allows those customer groups to use a defined vocabulary of functionalities and assurance measures, the Common Criteria, when considering and determining their organizational IT needs, and then to formally state their security requirements in globally understood terms. This is occurring with governments and, more slowly, with industries. These PPs allow vendors to clearly understand the requirements and to develop products that meet and exceed them.