Introduction: The Common Criteria (ISO/IEC 15408) and the Indian IC3S Scheme
The Common Criteria for Information Technology Security Evaluation, formally standardised as ISO/IEC 15408, is the world's most widely adopted framework for the independent, third-party security evaluation and certification of IT products. It provides a rigorous, repeatable and internationally mutually-recognised methodology for specifying security requirements, implementing them within a product, and having an accredited laboratory verify that those requirements have genuinely been met. Where compliance frameworks such as ISO/IEC 27001 or PCI DSS assess an organisation's management system, Common Criteria evaluates the security assurance of a specific product or a specific version of a product, known as the Target of Evaluation (TOE).
In India, Common Criteria evaluation is delivered through the Indian Common Criteria Certification Scheme (IC3S), operated by the Standardisation Testing and Quality Certification (STQC) Directorate under the Ministry of Electronics and Information Technology (MeitY). STQC is the Certification Body (CB) and India is a Certificate Authorising Participant of the Common Criteria Recognition Arrangement (CCRA), meaning certificates issued under IC3S are recognised across the CCRA member nations up to Evaluation Assurance Level (EAL) 2 and for evaluations conducted against certified collaborative Protection Profiles (cPPs). This guide is written for two audiences simultaneously: the developer or product/sponsor team preparing a product for evaluation, and the evaluator/assessor or procurement officer who must judge whether an evaluation has been conducted correctly and whether a certificate is fit for their assurance needs.
Copyright and source note
Common Criteria (ISO/IEC 15408 Parts 1-5) and the Common Evaluation Methodology (ISO/IEC 18045 / CEM) are copyrighted standards published by ISO/IEC and maintained by the Common Criteria Development Board. The IC3S scheme documents are published by STQC/MeitY. This guide is an original explanatory work by CyberSigma. It paraphrases and summarises publicly documented structure, class identifiers and terminology for educational purposes and does not reproduce copyrighted normative text. Organisations pursuing evaluation must obtain and work from the current official standards and scheme publications.
What is Common Criteria?
Common Criteria is an assurance framework, not a checklist of mandatory security features. It is built around a deliberate separation between two independent variables: what security a product claims to provide (its functional requirements) and how much confidence you can place in those claims (its assurance requirements). This separation is the conceptual heart of the standard and is worth internalising before any evaluation project begins.
The standard emerged in the mid-1990s from the harmonisation of earlier national schemes - the United States TCSEC (the 'Orange Book'), the European ITSEC and the Canadian CTCPEC - into a single international criteria set, first published as ISO/IEC 15408 in 1999 and revised repeatedly since, with a substantial restructuring into a five-part standard in the 2022 edition. The accompanying Common Evaluation Methodology was standardised as ISO/IEC 18045. Together they underpin the Common Criteria Recognition Arrangement, under which member nations agree to recognise each other's certificates within defined bounds, so that a product evaluated once can be trusted across many markets rather than being re-tested in each. This one-evaluation, many-markets economy is the core commercial value proposition of Common Criteria for product vendors.
Security functional requirements (SFRs) are drawn from ISO/IEC 15408 Part 2 and describe the security behaviour a product must exhibit, for example cryptographic operation, access control, audit generation or trusted-path establishment. Security assurance requirements (SARs) are drawn from Part 3 and describe the depth and rigour of the evidence and testing used to gain confidence that the SFRs are correctly and completely implemented, for example design documentation, source-code analysis, penetration testing and configuration-management discipline. A predefined bundle of SARs forms an Evaluation Assurance Level (EAL1 through EAL7).
The evaluation always concerns a precisely bounded Target of Evaluation (TOE): a defined product, in a defined configuration, at a defined version, running in a defined operational environment with stated assumptions. The security claims are captured in a Security Target (ST), an auditable document that binds the TOE to a threat model, security objectives, SFRs and SARs. Where a class of products shares a common security problem, a Protection Profile (PP) expresses an implementation-independent set of requirements that many products can claim conformance to; collaborative Protection Profiles (cPPs) developed by international technical communities (iTCs) are the modern basis for mutual recognition.
A vital consequence of this model is that a Common Criteria certificate is meaningful only when read together with its Security Target. The certificate tells you that a named laboratory verified, to a stated level of rigour, that a named product met the SFRs claimed in its ST while operating under the assumptions in that ST. It does not tell you the product is 'secure' in the abstract, nor does it warrant behaviour outside the evaluated configuration. Consumers and procurement officers who treat the EAL number as a standalone quality grade routinely misjudge assurance; mature buyers read the TOE boundary, the assumptions and the claimed PP before relying on any certificate. This discipline is precisely what distinguishes Common Criteria from marketing-led security labelling schemes.
The framework is also deliberately technology-neutral. The same catalogue of SFRs and SARs applies whether the TOE is a smart-card chip, a firewall appliance, a database engine, a hardware security module or a piece of virtualisation software. Product-category specificity is layered on top through Protection Profiles: the Network Device cPP, firewall and VPN cPPs, the smart-card and secure-element PPs, operating-system PPs and application PPs each translate the generic catalogue into a concrete, testable baseline for their domain. This layered design lets Common Criteria remain stable across decades of technology change while still delivering directly comparable evaluations within a product class.
- Target of Evaluation (TOE): the exact product, version and configuration being evaluated.
- Security Target (ST): the sponsor's implementation-specific security specification and evaluation basis.
- Protection Profile (PP / cPP): an implementation-independent, reusable statement of requirements for a product category.
- Security Functional Requirements (SFRs): Part 2 catalogue of what the product must do.
- Security Assurance Requirements (SARs): Part 3 catalogue of how thoroughly it is verified.
- Evaluation Assurance Level (EAL 1-7): a predefined, internally consistent package of SARs.
- Common Evaluation Methodology (CEM / ISO/IEC 18045): the mandatory methodology evaluators must follow.
- Certificate: issued by the Certification Body (STQC under IC3S) after a successful evaluation by an accredited laboratory.
Who must comply with, or benefit from, Common Criteria?
Common Criteria is rarely a blanket legal mandate; it is typically a procurement requirement, a market-access requirement or a sector regulation. Governments impose it on the products they buy for sensitive systems; payment and identity schemes impose it on the secure hardware that underpins them; and regulated industries increasingly reference it as evidence of independently verified product assurance. Understanding which driver applies to you determines whether a full standalone evaluation, a PP/cPP conformance claim, or an existing certificate reuse is the right route. The following table summarises who is driven towards a CC certificate and why.
| Stakeholder / sector | Driver for Common Criteria | Typical target |
|---|
| Government and defence IT procurement | National security policy often mandates CC-certified products for classified or sensitive systems | EAL2-EAL4+ or PP conformance |
| Smart cards and secure elements (payment, SIM, e-passport) | Payment schemes and national ID programmes require CC certification | EAL4+ to EAL6+ with SOG-IS crypto |
| Network and infrastructure vendors (firewalls, VPN, routers) | cPP conformance required for many public-sector procurements | NDcPP / firewall cPP conformance |
| Hardware security modules and cryptographic devices | Assurance for key protection alongside or instead of FIPS 140-3 | EAL4+ or cPP |
| Operating systems, databases and virtualisation platforms | Enterprise and government baseline assurance | OS PP / EAL4+ |
| Digital signature, PKI and trust-service products (India, EU) | eIDAS-style and Indian trust ecosystem requirements | QSCD / EAL4+ |
| Indian public-sector and CERT-In-driven procurement (IC3S) | STQC/MeitY promote IC3S certification for indigenous products | EAL1-EAL4 via IC3S |
| IoT, industrial and medical device makers | Emerging cPPs and regulatory expectations for connected devices | cPP / EAL2-EAL4 |
| Procurement officers and system integrators (consumers) | Must interpret certificates and validate scope for assurance | Read ST/PP and validated reports |
Structure of Common Criteria
ISO/IEC 15408 is organised into parts, and within Parts 2 and 3 into hierarchically named classes, families, components and elements. A class is a broad grouping (e.g. cryptographic support), a family refines it (e.g. cryptographic key management), a component is a specific selectable requirement with dependencies and hierarchy, and an element is the smallest indivisible statement. Requirements are cited by a compact identifier: a three-letter class prefix, a three-letter family suffix, and a component number, for example FCS_COP.1 (Functional-Cryptographic Support-Cryptographic Operation, component 1) or ADV_FSP.4 (Assurance-Development-Functional Specification, component 4).
Two properties of this catalogue matter greatly in practice. First, components carry dependencies: selecting one SFR frequently obliges you to select others (for example, a cryptographic-operation requirement depends on key generation, key destruction and often audit), and an incomplete dependency chain is one of the most frequent Security Target defects. Second, many components contain assignments and selections - author-completed parameters such as the specific algorithm, key length or list of auditable events - which turn the generic requirement into a precise, testable claim. Evaluators verify both that dependencies are satisfied or justifiably not, and that every assignment and selection has been made and is consistent with the rest of the ST. Understanding this identifier-and-parameter grammar is essential to reading any Security Target or Protection Profile fluently.
| Part / catalogue | Prefix | What it defines |
|---|
| Part 1 - Introduction and general model | - | Concepts, TOE, ST/PP structure, evaluation model |
| Part 2 - Functional components (SFRs) | F** | 11 functional classes describing product security behaviour |
| Part 3 - Assurance components (SARs) | A** / A** | Assurance classes, EAL packages and evaluation criteria |
| Part 4 - Predefined packages | - | Methodology for defining assurance/functional packages (2022 revision) |
| Part 5 - Predefined packages of security requirements | - | Catalogue of predefined packages including EALs (2022 revision) |
| ISO/IEC 18045 (CEM) | - | Common Evaluation Methodology - mandatory evaluator actions |
| Part 2 functional class | Prefix | Scope |
|---|
| Security audit | FAU | Audit data generation, analysis, review, storage and protection |
| Communication | FCO | Non-repudiation of origin and receipt |
| Cryptographic support | FCS | Key generation, distribution, destruction and cryptographic operation |
| User data protection | FDP | Access control, information flow, data integrity and residual protection |
| Identification and authentication | FIA | User attributes, authentication mechanisms, secrets and binding |
| Security management | FMT | Management of functions, attributes, roles and TSF data |
| Privacy | FPR | Anonymity, pseudonymity, unlinkability and unobservability |
| Protection of the TSF | FPT | Self-protection, secure state, replay detection, time and TSF integrity |
| Resource utilisation | FRU | Fault tolerance, priority of service and resource allocation |
| TOE access | FTA | Session establishment, locking, banners and history |
| Trusted path/channels | FTP | Trusted channel between IT products and trusted path to users |
| Part 3 assurance class | Prefix | Scope |
|---|
| Protection Profile evaluation | APE | Evaluation of a Protection Profile for soundness and consistency |
| Security Target evaluation | ASE | Evaluation of the Security Target and its claims |
| Development | ADV | Functional spec, TOE design, architecture, implementation representation |
| Guidance documents | AGD | Operational user guidance and preparative procedures |
| Life-cycle support | ALC | Configuration management, delivery, development security, flaw remediation, tools |
| Tests | ATE | Coverage, depth, functional testing and independent testing |
| Vulnerability assessment | AVA | Vulnerability analysis and penetration testing |
| Composition (optional) | ACO | Assurance of composed TOEs built from evaluated components |
Master assessment checklist - class by class
This is the operational core of the guide. It enumerates every functional and assurance class, giving the evaluator concrete verification points and the sponsor/developer the typical evidence expected. For an actual evaluation the applicable subset of SFRs is fixed by the Security Target or claimed Protection Profile, and the applicable SARs are fixed by the claimed EAL or cPP assurance package. Use these tables to structure evidence collection and gap analysis.
A practical way to use this section is to run it as a two-pass exercise. In the first pass, the product team maps every claimed SFR in the Security Target to the relevant functional class below and confirms that a design artefact and a test case exist for each; any class row with no corresponding claim is either legitimately out of scope or a sign of an incomplete ST. In the second pass, the team walks every assurance class and confirms that the evidence at the claimed EAL exists at the required rigour, not merely in outline. Evaluators perform the mirror image of this exercise, sampling the same rows and probing for the boundary between what the developer asserts and what the evidence actually demonstrates. Treating the functional classes and the assurance classes as two coordinated coverage matrices is the single most effective way to avoid late-stage Observation Reports.
FAU - Security audit
| What to verify | Typical evidence |
|---|
| Auditable events are generated for the relevant SFRs at the required level of detail | Audit design spec, event catalogue mapped to SFRs, log samples |
| Each audit record captures date, time, subject identity, event type and outcome | Sample audit records, log schema documentation |
| Audit review, selection and sorting tools restrict access to authorised roles | Access-control matrix, screenshots, RBAC configuration |
| Audit trail is protected against unauthorised modification and loss, with defined behaviour on storage exhaustion | Storage-protection design, alarm/rotation configuration, test logs |
FCO - Communication
| What to verify | Typical evidence |
|---|
| Non-repudiation of origin binds a message to its verified originator | Protocol design, signature/evidence generation records |
| Non-repudiation of receipt provides verifiable proof of delivery | Receipt evidence samples, verification test results |
| Evidence can be verified by the intended recipient or a third party | Verification procedure, test transcripts |
FCS - Cryptographic support
| What to verify | Typical evidence |
|---|
| Cryptographic key generation uses approved algorithms and key sizes (FCS_CKM.1) | Algorithm certificates, key-generation design, standards references |
| Key distribution, storage and destruction follow a defined lifecycle (FCS_CKM.2/.4) | Key-management policy, zeroisation test evidence |
| Cryptographic operations use standardised, correctly implemented algorithms (FCS_COP.1) | CAVP/algorithm test results, self-test evidence, SOG-IS conformance |
| Random-bit generation meets entropy and health-test requirements | Entropy analysis report, DRBG design and test vectors |
FDP - User data protection
| What to verify | Typical evidence |
|---|
| Access control and information-flow policies are defined and consistently enforced (FDP_ACC/FDP_ACF/FDP_IFC/FDP_IFF) | Policy model, enforcement design, decision test cases |
| Data authentication and stored/transmitted integrity are protected (FDP_DAU/FDP_SDI/FDP_ITT) | Integrity mechanism design, tamper-detection test evidence |
| Residual information protection prevents data remanence on resource reuse (FDP_RIP) | Memory/disk sanitisation design, remanence test results |
| Import and export of user data preserve associated security attributes (FDP_ETC/FDP_ITC) | Import/export design, attribute-binding test cases |
FIA - Identification and authentication
| What to verify | Typical evidence |
|---|
| Users are identified and authenticated before security-relevant actions (FIA_UID/FIA_UAU) | Authentication design, login flow, bypass test results |
| Authentication mechanisms resist guessing, replay and brute force; failure handling defined (FIA_AFL/FIA_SOS) | Lockout configuration, secret-quality metrics, attack test evidence |
| Secrets are protected in storage and transit; verification is secure (FIA_UAU.7) | Credential-storage design (hashing/salting), feedback masking evidence |
| Security attributes are correctly bound to authenticated subjects (FIA_ATD/FIA_USB) | Attribute-binding design, session-context test cases |
FMT - Security management
| What to verify | Typical evidence |
|---|
| Management of SFR behaviour, attributes and TSF data restricted to authorised roles (FMT_MOF/FMT_MSA/FMT_MTD) | Role definitions, management interface docs, authorisation tests |
| Security roles and their separation are defined and enforced (FMT_SMR) | Role model, separation-of-duty evidence |
| Secure default values and restrictive initialisation are provided (FMT_MSA.3) | Default-configuration documentation, hardening guide |
| The set of management functions is specified and complete (FMT_SMF) | Management-function list mapped to SFRs |
FPR - Privacy
| What to verify | Typical evidence |
|---|
| Anonymity and pseudonymity mechanisms operate as claimed (FPR_ANO/FPR_PSE) | Privacy design, identity-resolution test evidence |
| Unlinkability prevents correlation of operations to a user (FPR_UNL) | Linkage-analysis test results |
| Unobservability conceals the use of resources or services (FPR_UNO) | Traffic/behaviour analysis test evidence |
FPT - Protection of the TSF
| What to verify | Typical evidence |
|---|
| The TSF preserves a secure state on failure and performs self-tests (FPT_FLS/FPT_TST) | Failure-mode analysis, self-test design and results |
| Reliable time stamps and inter-TSF data consistency are maintained (FPT_STM/FPT_TDC) | Time-source design, consistency test cases |
| Replay detection and TSF data integrity are enforced (FPT_RPL/FPT_ITT) | Replay-protection design, integrity test evidence |
| Domain separation and non-bypassability of the TSF are demonstrated | Security architecture description (ADV_ARC), bypass analysis |
FRU - Resource utilisation
| What to verify | Typical evidence |
|---|
| Fault tolerance maintains operation under defined failures (FRU_FLT) | Redundancy design, fault-injection test results |
| Priority of service prevents resource starvation of security functions (FRU_PRS) | Scheduling design, contention test evidence |
| Resource allocation quotas limit denial-of-service impact (FRU_RSA) | Quota configuration, exhaustion test results |
FTA - TOE access
| What to verify | Typical evidence |
|---|
| Session establishment can be restricted by attributes, time and location (FTA_TSE/FTA_LSA) | Session-policy configuration, restriction test cases |
| Concurrent-session limits and session locking/termination operate correctly (FTA_MCS/FTA_SSL) | Session-limit configuration, timeout test evidence |
| Advisory banners and access-history notifications are presented (FTA_TAB/FTA_TAH) | Banner configuration, last-login display evidence |
FTP - Trusted path/channels
| What to verify | Typical evidence |
|---|
| A trusted channel protects inter-TSF communication from disclosure and modification (FTP_ITC) | Channel/protocol design (TLS/IPsec), interception test evidence |
| A trusted path assures users they are communicating with the genuine TSF (FTP_TRP) | Trusted-path design, spoofing-resistance test results |
ASE / APE - Security Target and Protection Profile evaluation
| What to verify | Typical evidence |
|---|
| ST/PP introduction, TOE overview and description are complete and internally consistent | Security Target document, PP claim |
| Security problem definition (threats, assumptions, OSPs) is coherent and rationalised | Threat model, assumptions register, rationale tables |
| Security objectives and objectives rationale trace to the problem definition | Objectives-to-threat mapping tables |
| SFRs, SARs and their rationale are complete, with satisfied dependencies | SFR/SAR selection, dependency-analysis tables, TOE summary specification |
ADV - Development
| What to verify | Typical evidence |
|---|
| Functional specification describes all TSF interfaces at the required rigour (ADV_FSP) | Functional specification, interface (TSFI) catalogue |
| Security architecture demonstrates self-protection, domain separation and non-bypass (ADV_ARC) | Security architecture description |
| TOE design decomposes the TSF into subsystems/modules as required (ADV_TDS) | Design decomposition document |
| Implementation representation and internal structuring are provided at higher EALs (ADV_IMP/ADV_INT) | Source code / hardware design, complexity analysis |
AGD - Guidance documents
| What to verify | Typical evidence |
|---|
| Operational user guidance covers secure roles, functions and warnings (AGD_OPE) | Administrator and user guides |
| Preparative procedures allow secure acceptance and installation (AGD_PRE) | Installation/acceptance procedure, secure-configuration guide |
| Guidance is consistent with the evaluated configuration | Guidance-to-ST cross-check notes |
ALC - Life-cycle support
| What to verify | Typical evidence |
|---|
| Configuration management identifies and controls all TOE items uniquely (ALC_CMC/ALC_CMS) | CM plan, CM system records, item list |
| Delivery procedures protect the TOE against tampering in transit (ALC_DEL) | Delivery procedure, integrity-verification method |
| Development security protects TOE confidentiality and integrity (ALC_DVS) | Site-security documentation, audit records |
| Defined life-cycle model, tools and flaw remediation are in place (ALC_LCD/ALC_TAT/ALC_FLR) | Life-cycle definition, tool list, flaw-handling procedure |
ATE - Tests
| What to verify | Typical evidence |
|---|
| Test coverage demonstrates TSFI are tested (ATE_COV) | Coverage analysis mapping tests to interfaces |
| Test depth exercises subsystems/modules of the design (ATE_DPT) | Depth analysis mapped to design |
| Developer functional testing is documented with expected/actual results (ATE_FUN) | Test plans, procedures, results, logs |
| Independent evaluator testing confirms and samples developer tests (ATE_IND) | Evaluator test plan and independent test results |
AVA - Vulnerability assessment
| What to verify | Typical evidence |
|---|
| Systematic vulnerability analysis identifies potential flaws (AVA_VAN) | Vulnerability analysis report, public-vulnerability search |
| Penetration testing is scaled to the required attack potential (Basic to High) | Penetration test plan, findings, attack-potential calculation |
| Residual vulnerabilities are shown to be non-exploitable in the operational environment | Exploitability rationale, remediation evidence |
ACO - Composition (where applicable)
| What to verify | Typical evidence |
|---|
| The dependent component correctly relies on an already-certified base component | Composition rationale, base component certificate/ST |
| Reliance information and interface consistency between components are demonstrated | Interface mapping, composition test evidence |
| Combined vulnerability analysis considers the composed TOE | Composed-TOE vulnerability assessment |
Scoping the Target of Evaluation
Scoping is the single most consequential decision in a CC project, because it fixes cost, timeline and the value of the resulting certificate. The TOE boundary must be drawn deliberately: everything inside is evaluated, everything outside becomes an operational-environment assumption that consumers must satisfy. A certificate whose scope excludes the features a buyer actually cares about provides little real assurance, so both sponsor and evaluator must scrutinise the boundary.
Each assumption pushed into the operational environment is, in effect, a transfer of responsibility from the developer to the deployer. An assumption that 'administrators are trusted and competent', or that 'the TOE is physically protected', or that 'a supporting IT environment provides a secure time source', simplifies the evaluation but obliges the customer to make that assumption true. Well-scoped evaluations keep the security-relevant behaviour that customers depend on inside the boundary and reserve assumptions for genuinely environmental factors. When a Protection Profile or cPP applies, much of this scoping discipline is pre-decided by the technical community, which is one of the strongest arguments for claiming PP conformance rather than crafting a bespoke Security Target: the boundary, threats and assumptions have already been debated and agreed by domain experts, and the resulting certificate is directly comparable with competitors evaluated against the same profile.
- Define the exact product, version, build and hardware/firmware baseline that constitutes the TOE.
- State the physical and logical boundary: which components, interfaces and services are inside versus outside.
- Record operational-environment assumptions (physical protection, trusted administrators, supporting IT) precisely, as each shifts risk to the consumer.
- Choose the conformance target: a claimed Protection Profile / cPP (preferred for mutual recognition) or a standalone Security Target with a chosen EAL.
- Confirm the evaluated configuration is a realistic, deployable configuration, not a stripped-down variant that no customer would use.
- Identify any excluded functionality and document why, so the certificate is not misread as covering it.
- Fix the cryptographic scheme and, where required, align to SOG-IS agreed cryptographic mechanisms.
Scoping pitfall
A common failure is an over-narrow TOE that excludes remote management, update mechanisms or key cryptographic services in order to reach a target EAL cheaply. This produces a technically valid certificate that misleads buyers. Assessors should always read the Security Target's TOE boundary and assumptions before trusting a certificate.
Implementation approach - a phased programme
A Common Criteria evaluation is a structured project spanning the sponsor/developer, the accredited evaluation laboratory (ITSEF/CCTL) and the Certification Body. It is best run as a formal programme with a named evaluation manager on the sponsor side, because the effort is dominated by evidence production rather than by the product engineering itself. Experience shows that teams which start authoring the Security Target and building the evidence inventory early, in parallel with development, complete evaluation far faster than those who treat it as a post-development compliance exercise. The following phases describe a typical EAL2-EAL4 or cPP engagement; higher assurance levels add formal-methods and semiformal-design activities that materially lengthen phases 2 and 3.
Phase 1 - Feasibility and strategy
- Activities: decide business drivers, select PP/cPP or standalone ST, choose target assurance level, identify the accredited laboratory, engage the CB (STQC under IC3S) early.
- Deliverables: evaluation strategy note, assurance-level decision, laboratory engagement, high-level TOE boundary.
Phase 2 - Security Target and evidence planning
- Activities: author the Security Target (or PP conformance claim), define SFRs/SARs, build the security problem definition and rationale, plan the full evidence inventory.
- Deliverables: draft Security Target, SFR/SAR selection with dependency analysis, evidence plan and responsibility matrix.
Phase 3 - Development evidence production
- Activities: produce ADV (functional spec, architecture, design), AGD guidance, ALC configuration-management and life-cycle evidence, and developer ATE testing.
- Deliverables: design documentation set, administrator/user guidance, CM system and records, developer test suite with results.
Phase 4 - Evaluation and vulnerability assessment
- Activities: the ITSEF evaluates all deliverables per the CEM, performs independent testing (ATE_IND) and vulnerability analysis with penetration testing (AVA_VAN), and raises Observation Reports.
- Deliverables: Evaluation Technical Report (ETR), observation/finding resolutions, penetration test results.
Phase 5 - Certification and maintenance
- Activities: the CB reviews the ETR, issues the certificate and Certification Report, publishes to the CC portal, and the sponsor establishes assurance continuity for patches and new versions.
- Deliverables: CC certificate, public Certification Report, validated ST, and an assurance-continuity/maintenance plan for future updates.
Assurance levels - the EAL scoring model
Evaluation Assurance Levels are the predefined scoring scale of Common Criteria. Each EAL is an internally consistent package of SARs; higher levels demand more design detail, more rigorous testing and stronger resistance to attack. Crucially, a higher EAL means greater confidence, not necessarily more security features - a low-EAL product may implement strong functionality with modest assurance. An augmented EAL (denoted 'EAL4+') adds one or more SARs above the base package, most commonly a stronger AVA_VAN or ALC component; augmentation is the usual way smart-card and secure-element evaluations reach the resistance to high-attack-potential adversaries that their threat model demands. Under CCRA, mutual recognition is limited to EAL2 (and its assurance components) and to PP/cPP-based evaluations; higher-EAL recognition persists under regional arrangements such as SOG-IS in Europe.
The modern trajectory of Common Criteria is away from raw EAL numbers and towards Protection Profile and cPP conformance, because a cPP-based evaluation states exactly which threats were countered and which tests were run for a specific product class, whereas a bare EAL package leaves the functional claims entirely to the individual Security Target. For procurement, 'EAL4+ conformant to the Network Device cPP' is far more informative than 'EAL4+' alone, and it is directly comparable across vendors. Sponsors choosing a route should therefore ask first whether a suitable PP/cPP exists for their product category and default to it; a standalone ST with a chosen EAL is reserved for products with no applicable profile.
| Level | Descriptor | Assurance characteristics |
|---|
| EAL1 | Functionally tested | Basic confidence via functional and interface testing; minimal developer effort |
| EAL2 | Structurally tested | Design description, developer testing, vulnerability analysis; CCRA baseline |
| EAL3 | Methodically tested and checked | Development-environment controls and more thorough testing/coverage |
| EAL4 | Methodically designed, tested and reviewed | Low-level design, implementation subset, resistance to Enhanced-Basic attack; highest commercially feasible without special design |
| EAL5 | Semiformally designed and tested | Semiformal design, modular structure, resistance to Moderate attack potential |
| EAL6 | Semiformally verified design and tested | Layered/structured design, high-attack-potential resistance; high-risk environments |
| EAL7 | Formally verified design and tested | Formal design and verification; only for tightly focused, security-critical TOEs |
| AVA_VAN component | Attack potential resisted | Typical EAL association |
|---|
| AVA_VAN.1 / .2 | Basic | EAL1 / EAL2-EAL3 |
| AVA_VAN.3 | Enhanced-Basic | EAL4 |
| AVA_VAN.4 | Moderate | EAL5 |
| AVA_VAN.5 | High | EAL6-EAL7 and many smart-card cPPs |
Assurance continuity deserves particular attention because a Common Criteria certificate is a point-in-time statement about a specific version, yet products change constantly. Under the scheme's maintenance procedures, minor changes with no security impact can be handled through an assurance-continuity or maintenance process that updates the certificate without a full re-evaluation, while significant changes to the TSF, the cryptographic scheme or the threat environment require re-evaluation. Sponsors who plan for this from the outset - by keeping the impact-analysis discipline, configuration management and evidence repository live after certification - can keep their certificate current at modest cost. Those who do not find that the certificate rapidly ceases to describe the shipping product, eroding the very assurance it was meant to provide. For buyers, checking the certificate date, the certified version and whether maintenance has been applied is as important as checking the EAL.
Assessment and audit approach
The evaluation lifecycle is defined by the Common Evaluation Methodology (ISO/IEC 18045), which prescribes the specific work units an evaluator must perform and the verdicts they must assign for each assurance component. This methodological standardisation is what makes results repeatable and mutually recognisable: two accredited laboratories evaluating the same product against the same ST should reach the same verdicts. Each work unit yields a pass, fail or inconclusive verdict, and an inconclusive or fail result triggers an Observation Report that the sponsor must resolve before the component can pass. The following ordered steps describe how an evaluation proceeds from initiation to certificate issuance under a scheme such as IC3S.
- Initiate the evaluation: sponsor contracts an accredited ITSEF/CCTL and registers the project with the Certification Body (STQC).
- Evaluate the Security Target (ASE) or Protection Profile (APE) to confirm the claims are sound before deeper work begins.
- Assess development evidence (ADV) against the claimed assurance components for completeness and rigour.
- Assess guidance (AGD) and life-cycle evidence (ALC), including configuration management, delivery and development security.
- Analyse and independently execute tests (ATE): review coverage and depth, repeat sampled developer tests, run independent tests.
- Perform vulnerability analysis and penetration testing (AVA_VAN) calibrated to the required attack potential.
- Raise Observation Reports for deficiencies; the sponsor remediates and resubmits evidence.
- Compile the Evaluation Technical Report (ETR) documenting all verdicts and rationale.
- Certification Body reviews the ETR for methodological correctness and consistency across the scheme.
- Issue the certificate and publish the Certification Report and validated Security Target to the Common Criteria portal.
- Maintain assurance continuity: assess patches, minor changes and re-evaluation triggers over the product lifecycle.
Evidence request list
The following categorised inventory covers the evidence an ITSEF will request. Not all items apply at every EAL; the applicable subset is fixed by the claimed assurance package. A useful sponsor practice is to hold each item in a version-controlled evidence repository with a clear owner and a maturity status (draft, internally reviewed, evaluation-ready), so that the evaluation manager can report readiness objectively and the laboratory receives complete, consistent packages rather than a stream of partial drafts. Incomplete or inconsistent evidence is the leading cause of schedule slippage in real evaluations.
- Specification: Security Target (or PP conformance claim), TOE boundary description, SFR/SAR selection with dependency rationale.
- Design (ADV): functional specification and TSFI catalogue, security architecture description, TOE design decomposition, implementation representation/source (higher EALs).
- Guidance (AGD): administrator and user operational guidance, preparative/installation and secure-acceptance procedures.
- Life-cycle (ALC): configuration-management plan and records, item/configuration list, delivery procedures, development-site security documentation, life-cycle model, tool list, flaw-remediation procedure.
- Testing (ATE): test plans, test procedures, expected and actual results, coverage and depth analyses, test logs.
- Vulnerability (AVA): developer and public vulnerability analysis, penetration test plans and results, attack-potential calculations.
- Cryptographic: algorithm certificates, entropy analysis, key-management design, self-test and zeroisation evidence.
- Scheme/administrative: laboratory accreditation, evaluation contract, prior certificates for reused/base components (composition).
Roles and responsibilities
| Role | Responsibility |
|---|
| Sponsor | Commissions and funds the evaluation, owns the certificate, may differ from the developer |
| Developer | Produces the TOE and all development, guidance and testing evidence (ADV/AGD/ALC/ATE) |
| Evaluation laboratory (ITSEF / CCTL) | Accredited body that evaluates evidence and performs independent and penetration testing per the CEM |
| Certification Body (STQC under IC3S) | Oversees evaluations, validates the ETR, issues the certificate and Certification Report |
| Protection Profile / iTC authors | Define reusable cPP requirements and supporting documents for a product class |
| Accreditation body | Accredits laboratories to ISO/IEC 17025 and scheme requirements |
| Consumer / procurement | Interprets certificates, checks scope and assumptions, selects certified products |
| CyberSigma advisory team | Guides sponsors through scoping, ST authoring, evidence readiness and evaluation management |
KPIs to track
- Evidence completeness: percentage of required ADV/AGD/ALC/ATE deliverables produced and accepted.
- Observation Report burden: number of ORs raised by the ITSEF and mean time to resolution.
- Schedule adherence: variance against the planned evaluation timeline per phase.
- Vulnerability findings: number of exploitable findings from AVA_VAN and their remediation status.
- Test pass rate: proportion of developer and independent test cases passing on first submission.
- Rework ratio: evidence items requiring resubmission versus total submitted.
- Assurance-continuity health: time to re-certify patches and versions under maintenance.
- Certificate scope quality: proportion of consumer-relevant functionality inside the TOE boundary.
Readiness checklist
- Business drivers and target assurance level (EAL or cPP) agreed and documented.
- Applicable Protection Profile / cPP identified, or a standalone Security Target scope decided.
- TOE boundary, version baseline and evaluated configuration fixed and realistic.
- Operational-environment assumptions and excluded functionality documented.
- Security Target drafted with SFRs, SARs, threat model and complete rationale.
- Development evidence (functional spec, architecture, design) available at the required rigour.
- Administrator and user guidance plus secure preparative procedures complete.
- Configuration management, delivery and development-security controls operating and evidenced.
- Developer functional test suite with coverage/depth analysis and documented results ready.
- Vulnerability analysis performed and cryptographic evidence (algorithm certs, entropy) assembled.
- Accredited ITSEF engaged and the Certification Body (STQC/IC3S) project registered.
- Assurance-continuity/maintenance plan defined for future patches and versions.
Common gaps and failure modes
- Over-narrow TOE scope that excludes management, update or crypto functions to reach an EAL cheaply, undermining the certificate's real value.
- Security Target rationale gaps: unsatisfied SFR dependencies or objectives that do not trace to the threat model.
- Weak security architecture (ADV_ARC) evidence for self-protection, domain separation and non-bypassability.
- Configuration management that fails to uniquely identify every TOE item or does not cover the whole build.
- Insufficient developer test coverage and depth, forcing extensive independent-testing rework.
- Underestimating vulnerability assessment: penetration testing scaled to the wrong attack potential for the claimed level.
- Guidance documents inconsistent with the evaluated configuration, so real deployments diverge from the certificate.
- Inadequate entropy/randomness or unapproved cryptographic mechanisms failing FCS requirements.
- Confusing EAL with security strength - assuming a higher EAL automatically means a more secure product.
- No assurance-continuity plan, so the certificate lapses in relevance the moment the product is patched.
Common Criteria mapped to other frameworks
Common Criteria sits within a wider assurance ecosystem and is most powerful when positioned correctly against neighbouring schemes. It answers the question 'has this specific product been independently verified to meet stated security requirements at a stated rigour?', whereas management-system standards answer 'does this organisation run its security processes well?' and secure-development frameworks answer 'does this team build software using sound practices?'. The three are complementary rather than substitutable, and sophisticated procurement stacks them: an ISO/IEC 27001-certified vendor, developing under NIST SSDF practices, shipping a Common Criteria-certified product, supplies assurance at the organisational, process and product layers simultaneously. The table below clarifies the relationships and, importantly, the distinctions that stop these frameworks from being conflated.
| Framework | Relationship to Common Criteria | Key distinction |
|---|
| ISO/IEC 27001 | Complementary; an ISMS may mandate CC-certified products | 27001 certifies an organisation's management system; CC certifies a product |
| FIPS 140-3 | Overlapping for cryptographic modules; often required together | FIPS 140-3 targets crypto-module security; CC covers broader product assurance |
| NIST SSDF (SP 800-218) | Supports ALC life-cycle and secure-development evidence | SSDF is a secure-development practice set; CC is a product-evaluation scheme |
| PCI PTS / EMVCo | Consume CC evaluations for payment secure elements and terminals | Payment-specific schemes layered on CC-evaluated hardware |
| eIDAS / QSCD (EU) | CC certification underpins qualified signature/seal devices | eIDAS is a trust-service regulation; CC provides the device assurance |
| CERT-In / IC3S (India) | IC3S is the Indian delivery scheme for CC under STQC | National scheme operationalising CC and CCRA participation |
| NIST SP 800-53 | CC certificates support control assurance for SA/SC control families | 800-53 is a control catalogue; CC provides independent product verification |
How CyberSigma helps
CyberSigma guides product and sponsor teams through the full Common Criteria and IC3S journey: assurance-level and Protection Profile strategy, precise TOE scoping, Security Target authoring, and readiness assessment across every ADV, AGD, ALC, ATE and AVA class. Our CERT-In-empanelled and QSA-led specialists build the evidence inventory, remediate gaps before the laboratory engagement, manage Observation Reports through to a clean Evaluation Technical Report, coordinate with STQC as the Certification Body, and establish assurance-continuity so your certificate keeps pace with every patch and release. The result is a certificate whose scope genuinely reflects the security your customers depend on.