C20: A Comprehensive Guide to the Common Criteria for Information Technology Security Evaluation
Introduction
The Common Criteria (C20) is an international set of security standards that provide a common framework for evaluating the security of information technology products and systems. Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), C20 is widely recognized and used by governments and organizations around the world.
Why C20 Matters
C20 certification is essential for:
-
Compliance with regulations: C20 compliance demonstrates adherence to industry best practices and government mandates, such as FISMA and HIPAA.
-
Improved security posture: Products and systems certified to C20 have undergone rigorous testing and evaluation, ensuring a higher level of protection against cyber threats.
-
Increased credibility and trust: C20 certification conveys to customers and stakeholders that your organization is committed to safeguarding sensitive information.
How to Achieve C20 Certification
Achieving C20 certification involves a multi-step process:
-
Identify the scope of the evaluation: Determine which products or systems will be evaluated and the specific security requirements that will be applied.
-
Select an accredited evaluation facility: Choose an independent laboratory that has been accredited by the National Information Assurance Partnership (NIAP) to conduct C20 evaluations.
-
Prepare for the evaluation: Gather the necessary documentation, such as security policy and technical specifications, to demonstrate compliance with the selected security requirements.
-
Undergo the evaluation: The accredited evaluation facility will conduct a thorough review of the product or system, testing it against the specified security requirements.
-
Obtain the certification: If the evaluation is successful, the accredited evaluation facility will issue a Certificate of Conformity, indicating that the product or system has met the specified security requirements.
Common Mistakes to Avoid
-
Underestimating the scope of the evaluation: Failure to adequately define the scope of the evaluation can lead to insufficient testing and potential security gaps.
-
Inadequate preparation: Failing to gather the necessary documentation and prepare for the evaluation can result in delays and potential denial of certification.
-
Choosing an unaccredited evaluation facility: Using a non-accredited evaluation facility can compromise the integrity of the evaluation and the validity of the certification.
-
Ignoring maintenance and updates: C20 certification is ongoing, requiring regular updates and maintenance to ensure continued compliance with security requirements.
Benefits of C20 Certification
-
Enhanced security: C20-certified products and systems provide a high level of protection against cyber threats, reducing the risk of data breaches and other security incidents.
-
Increased confidence: C20 certification gives customers and stakeholders confidence in the security of an organization's products and systems.
-
Competitive advantage: C20 certification can provide a competitive advantage by demonstrating an organization's commitment to security and compliance.
-
Reduced costs: Improved security posture can lead to reduced costs associated with cyber incidents, such as data recovery and reputational damage.
FAQs
-
What level of security does C20 certification provide? C20 certification provides different levels of security, known as Evaluation Assurance Levels (EALs), ranging from EAL1 (basic level) to EAL7 (highest level).
-
How long is C20 certification valid? C20 certification is typically valid for three years, after which it must be renewed through periodic reassessments.
-
What is the cost of C20 certification? The cost of C20 certification varies depending on the size and complexity of the product or system being evaluated, as well as the EAL level being sought.
-
Who can conduct C20 evaluations? Only accredited evaluation facilities designated by the NIAP are authorized to conduct C20 evaluations.
-
What happens if a product or system fails the C20 evaluation? If a product or system fails the C20 evaluation, the accredited evaluation facility will issue a Report on Testing that outlines the deficiencies identified during the evaluation.
-
What is the relationship between C20 and other security standards? C20 is a complementary standard that can be used in conjunction with other security standards, such as ISO 27001 and NIST SP 800-53.
Table 1: Evaluation Assurance Levels (EALs)
| EAL |
Level of Assurance |
| EAL1 |
Functional Testing |
| EAL2 |
Structural Testing |
| EAL3 |
Methodical Testing |
| EAL4 |
Methodical Advanced |
| EAL5 |
Semi-Formal Design |
| EAL6 |
Semi-Formal Verification |
| EAL7 |
Formal Verification |
Table 2: Common Security Requirements (CSRs)
| Class |
Name |
| ADV |
Development |
| AGD |
Guidance Documents |
| ALC |
Life Cycle |
| ASE |
Security Target Evaluation |
| ATE |
Tests |
| AVA |
Vulnerability Assessment |
| CIA |
Confidentiality, Integrity, and Availability |
| FCS |
Identification and Authentication |
| FMT |
Security Management |
| FPT |
Protection of the Target of Evaluation |
| FRU |
Security Audit |
| FTA |
TOE Access |
| FTS |
TOE Security Functional Specifications |
Table 3: Key Milestones in the C20 Certification Process
| Milestone |
Description |
| Initiation |
Define the scope and objectives of the evaluation |
| Preparation |
Gather necessary documentation and prepare for the evaluation |
| Evaluation |
Conduct the evaluation against the specified security requirements |
| Assessment |
Review the evaluation results and determine certification status |
| Certification |
Issue the Certificate of Conformity |
| Maintenance |
Regular updates and reassessments to ensure continued compliance |
