Editing Common Criteria (section)

== Key concepts ==
Common Criteria evaluations are performed on computer security products and systems.

* '''Target of Evaluation (TOE)''' – the product or system that is the subject of the evaluation. The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target's security features. This is done through the following:
** '''[[Protection Profile]] (PP)''' – a document, typically created by a user or user community, which identifies security requirements for a class of security devices (for example, [[smart card]]s used to provide [[digital signature]]s, or network [[Firewall (computing)|firewalls]]) relevant to that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product's ST (Security Target, as defined below), or the authors of the ST will at least ensure that all requirements in relevant PPs also appear in the target's ST document. Customers looking for particular types of products can focus on those certified against the PP that meets their requirements.
** '''[[Security Target]] (ST)''' – the document that identifies the security ''properties'' of the target of evaluation. The ST may claim conformance with one or more PPs. The TOE is evaluated against the SFRs (Security Functional Requirements. Again, see below) established in its ST, no more and no less. This allows vendors to tailor the evaluation to accurately match the intended capabilities of their product. This means that a network firewall does not have to meet the same functional requirements as a [[database]] management system, and that different firewalls may in fact be evaluated against completely different lists of requirements. The ST is usually published so that potential customers may determine the specific security features that have been certified by the evaluation.
** '''Security Functional Requirements (SFRs)''' – specify individual security '''functions''' which may be provided by a product. The Common Criteria presents a standard catalogue of such functions. For example, a SFR may state '''how''' a user acting a particular [[RBAC|role]] might be [[authentication|authenticated]]. The list of SFRs can vary from one evaluation to the next, even if two targets are the same type of product.  Although Common Criteria does not prescribe any SFRs to be included in an ST, it identifies dependencies where the correct operation of one function (such as the ability to limit access according to roles) is dependent on another (such as the ability to identify individual roles).

The evaluation process also tries to establish the level of confidence that may be placed in the product's security features through [[quality assurance]] processes:

* '''Security Assurance Requirements (SARs)''' – descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the ST and PP, respectively.
* '''[[Evaluation Assurance Level]] (EAL)''' – the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements (SARs, see above) which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL&nbsp;1 being the most basic (and therefore cheapest to implement and evaluate) and EAL&nbsp;7 being the most stringent (and most expensive). Normally, an ST or PP author will not select assurance requirements individually but choose one of these packages, possibly 'augmenting' requirements in a few areas with requirements from a higher level. Higher EALs ''do not'' necessarily imply "better security", they only mean that the claimed security assurance of the TOE has been more extensively [[Verification and validation|verified]].

So far, most PPs and most evaluated STs/certified products have been for IT components (e.g., firewalls, [[operating system]]s, smart cards).

Common Criteria certification is sometimes specified for IT procurement. Other standards containing, e.g., interoperation, system management, user training, supplement CC and other product standards. Examples include the [[ISO/IEC 27002]] and the German [[IT baseline protection]].

Details of [[cryptographic]] implementation within the TOE are outside the scope of the CC. Instead, national standards, like [[FIPS 140-2]], give the specifications for cryptographic modules, and various standards specify the cryptographic algorithms in use.

More recently, PP authors are including cryptographic requirements for CC evaluations that would typically be covered by FIPS 140-2 evaluations, broadening the bounds of the CC through scheme-specific interpretations.

Some national evaluation schemes are phasing out EAL-based evaluations and only accept products for evaluation that claim strict conformance with an approved PP. The United States currently only allows PP-based evaluations.