ABSTRACT
In December 1999, ISO/IEC 15408, Parts 1-3 (Criteria for IT Security Evaluation), was approved as an international standard. The Common Criteria (CC) are considered the international standard for information technology (IT) security and provide a complete methodology, notation, and syntax for specifying security requirements, designing a security architecture, and verifying the security integrity of an “as built” product, system, or network. Roles and responsibilities for a variety of stakeholders are defined, such as:
Customers — corporations, government agencies, and other organizations who want to acquire security products, systems, and networks
Developers — (a) system integrators who implement or manage security systems and networks for customers, and (b) vendors who manufacture and sell commercial “off the shelf” (COTS) security products
Evaluators — accredited Common Criteria Testing Laboratories, which perform an independent evaluation of the security integrity of a product, system, or network
Many organizations and government agencies require the use of CC-certified products and systems and use the CC methodology in their acquisition process. For example, in the United States, NSTISSP #11 (National Information Assurance Acquisition Policy) mandated the use of CC-evaluated IT security products in critical infrastructure systems starting in July 2002.