Overview, Goals, and Scope
Common Criteria (CC) is an international certification program accepted by many countries as a common standard for commercial off-the-shelf (COTS) IT products. CC certification is typically required by government customers, but public sector customers are increasingly using it as a purchasing requirement.
- Ensure that evaluations of information technology (IT) products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles
- Improve the availability of evaluated security-enhanced IT products and protection profiles
- Eliminate the burden of duplicating evaluations of IT products and protection profiles
- Continuously improve the efficiency and cost-effectiveness of the evaluation and certification/validation process for IT products and protection profiles
The purpose is to advance those objectives by bringing about a situation in which IT products and protection profiles that earn a Common Criteria certificate can be procured or used without the need for further evaluation. It seeks to provide grounds for confidence in the reliability of the judgements on which the original certificate was based by requiring that a certification/validation body (CB) issuing Common Criteria certificates should meet high and consistent standards.
Common Criteria has two classifications: collaborative Protection Profile (cPP) and evaluation assurance level (EAL).
cPP-based evaluations are the accepted standard in countries such as the USA, UK, Canada, Australia, and New Zealand. cPP-based evaluations are primarily testing-based and require strict conformance to published protection profile requirements for designated technologies.
EAL-based evaluations are the accepted standard in many European countries such as France and Germany. EAL-based evaluations are primarily paper-based with a focus on internal processes and design documentation. The EAL is an indication of the level of process applied to the product and vendor being evaluated. For example, at EAL4 you need more detailed design documents, process documentation, etc., than at EAL2. EAL levels go from level 1 to 7, where level 4 is the highest normally obtained for COTS products.
cPP/EAL certification applies to:
- FortiOS 5.6
- FortiProxy 1.0
- FortiWeb 5.6 - Communication Security Establishment
- FortiMail 6.0
Protecting information and systems against unauthorized access and disclosure of information.
Avoid redundant checks and processes to deliver secure products more efficiently.
Eliminate product verification processes that contribute little to actual product security.