Common Criteria Knowledge Base

An overview of Common Criteria (ISO/IEC 15408), the international standard for IT security product evaluation and certification.

An overview of the major Common Criteria certification schemes worldwide, including BSI, ANSSI, NIAP, and the emerging EUCC.

Reference guide to EAL1 through EAL7 - what each Evaluation Assurance Level requires, what it measures, and how it affects procurement decisions.

What Protection Profiles are, how they work in Common Criteria evaluations, and why they matter for procurement and compliance.

Definitions of Common Criteria (ISO/IEC 15408) terms: EAL, PP, ST, TOE, SFR, SAR, TSF, CCRA, EUCC, SESIP, cPP, and more.

EAL1 is the lowest Common Criteria assurance level: independent confirmation that a product behaves as documented. Suitable when threats are low and trust in the vendor is adequate.

EAL2 is the workhorse Common Criteria assurance level: a high-level design review with independent vulnerability analysis, and the CCRA mutual-recognition cap for non-cPP evaluations.

EAL3 extends EAL2 with development environment security controls, systematic life-cycle definition, and deeper test coverage. Less common than EAL2 or EAL4 in practice.

EAL4 is the highest assurance level generally achievable on commercial products without re-engineering for assurance. Standard for smart cards, HSMs, and many government-used products.

EAL5 introduces semiformal design notation, full implementation representation, and covert channel analysis. Typical for smart card ICs and high-assurance OS kernels.

EAL6 requires semiformal verification of design correspondence and layered internals, paired with High attack potential vulnerability analysis. Rare, reserved for high-risk TOEs.

EAL7 is the highest Common Criteria assurance level: formal verification that the TOE design implements the security policy, for TOEs small enough to be amenable to mathematical proof.

BSI (Bundesamt für Sicherheit in der Informationstechnik) is Germany's Common Criteria certification body and one of the largest authorizing schemes under the CCRA.

ANSSI (Agence nationale de la sécurité des systèmes d'information) operates France's national CC scheme and is a major issuer of high-assurance smart card and embedded certificates.

NIAP (National Information Assurance Partnership) runs the U.S. Common Criteria scheme and mandates exact-conformance evaluations against approved Protection Profiles.

The Canadian Centre for Cyber Security (CCCS) operates Canada's CC scheme, emphasising collaborative Protection Profile evaluations and Technical Community participation.

JISEC is Japan's Common Criteria certification scheme, operated under IPA, covering copiers and MFPs, network products, and a range of IT security products.

SERTIT is Norway's Common Criteria certification body, operated under NSM, issuing CC certificates recognized across CCRA member nations.

KCMVP is South Korea's national validation programme for cryptographic modules used by Korean public institutions, run by the NSR under the National Intelligence Service.

EUCC is the European Union's Common Criteria-based cybersecurity certification scheme, adopted under the EU Cybersecurity Act and replacing SOG-IS for member states.

SESIP is GlobalPlatform's CC-aligned security evaluation methodology for IoT platforms and components, defining lighter-weight assurance levels SESIP 1 through 5.

EMVCo runs independent security evaluation programmes for payment terminals, smart cards, and mobile payment components on behalf of the major payment networks.

PSA Certified is a tiered IoT security certification programme co-authored by Arm, Brightsight, CAICT, Prove & Run, Riscure, and UL (with TrustCB as certification body), offering laboratory evaluation at Levels 2 through 4.

MIFARE is NXP's family of contactless smart card ICs for transit, access, and loyalty. Individual MIFARE products are evaluated under Common Criteria at high EALs.

Security evaluation activities associated with the European Space Agency, tracked alongside commercial Common Criteria certifications for components used in space systems.