Common Criteria (CC) is an international certification program accepted by many countries as a common standard for evaluating commercial off-the-shelf (COTS) IT products. CC certification is typically required by government customers, and private sector customers are increasingly using it as a purchasing requirement as well.
cPP vs EAL based CC evaluations
There are currently two flavors of CC evaluation. cPP (Collaborative Protection Profile) based evaluations are the accepted standard in countries such as the USA, UK, Canada, Australia and New Zealand. cPP based evaluations are primarily testing based: the evaluator exercises the security functions defined in the protection profile, and the product must claim exact conformance to the published protection profile for its technology type (e.g. network device, firewall, VPN gateway), with no requirements added, dropped or reworded by the vendor.
EAL (Evaluation Assurance Level) based evaluations are the accepted standard in countries such as France, Germany and much of Europe. EAL based evaluations are primarily document based, with a focus on the vendor's internal processes and design documentation. The EAL indicates how much evaluation rigor was applied to the product and vendor, not how strong the product's security functionality is – e.g. at EAL4 you need more detailed design documents, process documentation, etc., than at EAL2. EALs range from EAL1 to EAL7, and EAL4 is the highest normally obtained for COTS products. An EAL followed by a plus sign (e.g. EAL4+) means the level was augmented with additional assurance components beyond the base package. Note that cross-border recognition of the two flavors differs: under the Common Criteria Recognition Arrangement (CCRA), cPP based certificates are recognized by all member countries, while EAL based certificates are only mutually recognized up to EAL2 (augmented with flaw remediation); higher EALs are recognized within regional agreements such as SOG-IS in Europe.
The public document that describes a CC certified product is called the Security Target (ST). The ST defines the functional, process and assurance claims made by the vendor for the product being evaluated; for a cPP based evaluation it must claim exact conformance to the relevant protection profile. The ST also states exactly which configuration(s) of the product are certified – e.g. hardware models, firmware/software versions, enabled features, etc. – and the certified configuration is only reached by following the product's evaluated-configuration guidance (the AGD documents published with the certificate). When verifying that a deployment is "CC certified", check that the hardware model and the exact firmware/software version in use match the ST and that the device is operated in the evaluated configuration; a different version or an un-evaluated configuration is not covered by the certificate.
Unlike FIPS 140-2 validation, which is run by a single joint US-Canadian program (the CMVP), many of the countries that recognize CC certifications operate their own CC certification programs, commonly referred to as national schemes. Fortinet primarily certifies products through the Canadian CC Scheme (CCCS, managed by the Communications Security Establishment, CSE) and the US CC Scheme (CCEVS, managed by the National Information Assurance Partnership, NIAP).
Fortinet has also certified products through the Australian, Swedish and Spanish CC schemes.