Common Criteria
Encyclopedia
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard
(ISO
/IEC
15408) for computer security
certification. It is currently in version 3.1.
Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target's security features. This is done through the following:
The evaluation process also tries to establish the level of confidence that may be placed in the product's security features through quality assurance
processes:
So far, most PPs and most evaluated STs/certified products have been for IT components (e.g., firewalls, operating system
s, smart cards).
Common Criteria certification is sometimes specified for IT procurement. Other standards containing, e.g., interoperation, system management, user training, supplement CC and other product standards. Examples include the ISO/IEC 17799 (Or more properly BS 7799-1, which is now ISO/IEC 27002
) or the German IT-Grundschutzhandbuch.
Details of cryptographic implementation within the TOE are outside the scope of the CC. Instead, national standards, like FIPS 140-2
give the specifications for cryptographic modules, and various standards specify the cryptographic algorithms in use.
CC was produced by unifying these pre-existing standards, predominantly so that companies selling computer products for the government market (mainly for Defence or Intelligence use) would only need to have them evaluated against one set of standards. The CC was developed by the governments of Canada, France, Germany, the Netherlands, the UK, and the U.S.
The compliance with ISO 17025 is typically demonstrated to a National approval authority:
Characteristics of these organizations were examined and presented at ICCC 10.
, but has been a source of debate to those used to the more prescriptive approach of other earlier standards such as TCSEC and FIPS 140
-2.
Windows versions, including Windows Server 2003
and Windows XP
, have been certified at EAL4+, but regular security patches for security vulnerabilities are still published by Microsoft for these Windows systems. This is possible because the process of obtaining a Common Criteria certification allows a vendor to restrict the analysis to certain security features and to make certain assumptions about the operating environment and the strength of threats, if any, faced by the product in that environment. In this case, the assumptions include A.PEER:
as contained in the Controlled Access Protection Profile (CAPP) to which their STs refer. Based on this and other assumptions, which are not realistic for the common use of general-purpose operating systems, the claimed security functions of the Windows products are evaluated. Thus they should only be considered secure in the assumed, specified circumstances, also known as the evaluated configuration, specified by Microsoft.
Whether you run Microsoft Windows in the precise evaluated configuration or not, you should apply Microsoft's security patches for the vulnerabilities in Windows as they continue to appear. If any of these security vulnerabilities are exploitable in the product's evaluated configuration, the product's Common Criteria certification should be voluntarily withdrawn by the vendor. Alternatively, the vendor should re-evaluate the product to include application of patches to fix the security vulnerabilities within the evaluated configuration. Failure by the vendor to take either of these steps would result in involuntary withdrawal of the product's certification by the certification body of the country in which the product was evaluated.
The certified Microsoft Windows versions remain at EAL4+ without including the application of any Microsoft security vulnerability patches in their evaluated configuration. This shows both the limitation and strength of an evaluated configuration.
columnist William Jackson
critically examined Common Criteria methodology and its US implementation by the Common Criteria Evaluation and Validation Scheme (CCEVS). In the column executives from the security industry, researchers, and representatives from the National Information Assurance Partnership (NIAP) were interviewed. Objections outlined in the article include:
In a 2006 research paper, computer specialist David A. Wheeler
suggested that the Common Criteria process discriminates against Free and Open Source Software (FOSS
)-centric organizations and development models. Common Criteria assurance requirements tend to be inspired by the traditional waterfall
software development methodology. In contrast, much FOSS software is produced using modern agile
paradigms. Although some have argued that both paradigms do not align well, others have attempted to reconcile both paradigms.
The UK has also produced a number of alternative schemes when the timescales, costs and overheads of mutual recognition have been found to be impeding the operation of the market:
In early 2011, NSA/CSS published a paper by Chris Salter, which proposed a Protection Profile
oriented approach towards evaluation. In this approach, communities of interest form around technology types which in turn develop protection profiles that define the evaluation methodology for the technology type. The objective is a more robust evaluation. There is some concern that this may have a negative impact on mutual recognition.
International standard
International standards are standards developed by international standards organizations. International standards are available for consideration and use, worldwide...
(ISO
International Organization for Standardization
The International Organization for Standardization , widely known as ISO, is an international standard-setting body composed of representatives from various national standards organizations. Founded on February 23, 1947, the organization promulgates worldwide proprietary, industrial and commercial...
/IEC
International Electrotechnical Commission
The International Electrotechnical Commission is a non-profit, non-governmental international standards organization that prepares and publishes International Standards for all electrical, electronic and related technologies – collectively known as "electrotechnology"...
15408) for computer security
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
certification. It is currently in version 3.1.
Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
Key concepts
Common Criteria evaluations are performed on computer security products and systems.- Target Of Evaluation (TOE) - the product or system that is the subject of the evaluation.
The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target's security features. This is done through the following:
- Protection ProfileProtection ProfileA Protection Profile is a document used as part of the certification process according to the Common Criteria . As the generic form of a Security Target , it is typically created by a user or user community and provides an implementation independent specification of information assurance security...
(PP) - a document, typically created by a user or user community, which identifies security requirements for a class of security devices (for example, smart cardSmart cardA smart card, chip card, or integrated circuit card , is any pocket-sized card with embedded integrated circuits. A smart card or microprocessor cards contain volatile memory and microprocessor components. The card is made of plastic, generally polyvinyl chloride, but sometimes acrylonitrile...
s used to provide digital signatureDigital signatureA digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...
s, or network firewallsFirewall (computing)A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....
) relevant to that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product's ST (Security Target, as defined below), or the authors of the ST will at least ensure that all requirements in relevant PPs also appear in the target's ST document. Customers looking for particular types of products can focus on those certified against the PP that meets their requirements.
- Security TargetSecurity TargetIn an IT product certification process according to the Common Criteria ,a Security Target is the central document, typically provided by the developer of the product,...
(ST) - the document that identifies the security properties of the target of evaluation. It may refer to one or more PPs. The TOE is evaluated against the SFRs (see below) established in its ST, no more and no less. This allows vendors to tailor the evaluation to accurately match the intended capabilities of their product. This means that a network firewall does not have to meet the same functional requirements as a databaseDatabaseA database is an organized collection of data for one or more purposes, usually in digital form. The data are typically organized to model relevant aspects of reality , in a way that supports processes requiring this information...
management system, and that different firewalls may in fact be evaluated against completely different lists of requirements. The ST is usually published so that potential customers may determine the specific security features that have been certified by the evaluation.
- Security Functional Requirements (SFRs) - specify individual security functions which may be provided by a product. The Common Criteria presents a standard catalogue of such functions. For example, an SFR may state how a user acting a particular role might be authenticatedAuthenticationAuthentication is the act of confirming the truth of an attribute of a datum or entity...
. The list of SFRs can vary from one evaluation to the next, even if two targets are the same type of product. Although Common Criteria does not prescribe any SFRs to be included in an ST, it identifies dependencies where the correct operation of one function (such as the ability to limit access according to roles) is dependent on another (such as the ability to identify individual roles).
The evaluation process also tries to establish the level of confidence that may be placed in the product's security features through quality assurance
Quality Assurance
Quality assurance, or QA for short, is the systematic monitoring and evaluation of the various aspects of a project, service or facility to maximize the probability that minimum standards of quality are being attained by the production process...
processes:
- Security Assurance Requirements (SARs) - descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the ST and PP, respectively.
- Evaluation Assurance LevelEvaluation Assurance LevelThe Evaluation Assurance Level of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to...
(EAL) - the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements (SARs, see above) which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic (and therefore cheapest to implement and evaluate) and EAL 7 being the most stringent (and most expensive). Normally, an ST or PP author will not select assurance requirements individually but choose one of these packages, possibly 'augmenting' requirements in a few areas with requirements from a higher level. Higher EALs do not necessarily imply "better security", they only mean that the claimed security assurance of the TOE has been more extensively verifiedVerification and ValidationIn software project management, software testing, and software engineering, verification and validation is the process of checking that a software system meets specifications and that it fulfills its intended purpose...
.
So far, most PPs and most evaluated STs/certified products have been for IT components (e.g., firewalls, operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s, smart cards).
Common Criteria certification is sometimes specified for IT procurement. Other standards containing, e.g., interoperation, system management, user training, supplement CC and other product standards. Examples include the ISO/IEC 17799 (Or more properly BS 7799-1, which is now ISO/IEC 27002
ISO/IEC 27002
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization and by the International Electrotechnical Commission , entitled Information technology - Security techniques - Code of practice for information security management.ISO/IEC 27002:2005...
) or the German IT-Grundschutzhandbuch.
Details of cryptographic implementation within the TOE are outside the scope of the CC. Instead, national standards, like FIPS 140-2
FIPS 140-2
The Federal Information Processing Standard Publication 140-2, , is a U.S. government computer security standard used to accredit cryptographic modules. The title is Security Requirements for Cryptographic Modules...
give the specifications for cryptographic modules, and various standards specify the cryptographic algorithms in use.
History
CC originated out of three standards:- ITSECITSECThe Information Technology Security Evaluation Criteria is a structured set of criteria for evaluating computer security within products and systems. The ITSEC was first published in May 1990 in France, Germany, the Netherlands, and the United Kingdom based on existing work in their respective...
- The European standard, developed in the early 1990s by FranceFranceThe French Republic , The French Republic , The French Republic , (commonly known as France , is a unitary semi-presidential republic in Western Europe with several overseas territories and islands located on other continents and in the Indian, Pacific, and Atlantic oceans. Metropolitan France...
, GermanyGermanyGermany , officially the Federal Republic of Germany , is a federal parliamentary republic in Europe. The country consists of 16 states while the capital and largest city is Berlin. Germany covers an area of 357,021 km2 and has a largely temperate seasonal climate...
, the NetherlandsNetherlandsThe Netherlands is a constituent country of the Kingdom of the Netherlands, located mainly in North-West Europe and with several islands in the Caribbean. Mainland Netherlands borders the North Sea to the north and west, Belgium to the south, and Germany to the east, and shares maritime borders...
and the UK. It too was a unification of earlier work, such as the two UK approaches (the CESG UK Evaluation Scheme aimed at the defence/intelligence market and the DTI Green Book aimed at commercial use), and was adopted by some other countries, e.g. Australia. - CTCPECCTCPECCTCPEC is the Canadian Trusted Computer Product Evaluation Criteria. It is a computer security standard published in 1993 by the Communications Security Establishment to provide an evaluation criteria on IT products....
- The Canadian standard followed from the US DoD standard, but avoided several problems and was used jointly by evaluators from both the U.S. and Canada. The CTCPEC standard was first published in May 1993. - TCSEC - The United States Department of DefenseUnited States Department of DefenseThe United States Department of Defense is the U.S...
DoD 5200.28 Std, called the Orange Book and parts of the Rainbow SeriesRainbow SeriesThe Rainbow Series is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S...
. The Orange Book originated from Computer Security work including the Ware Report, done by the National Security AgencyNational Security AgencyThe National Security Agency/Central Security Service is a cryptologic intelligence agency of the United States Department of Defense responsible for the collection and analysis of foreign communications and foreign signals intelligence, as well as protecting U.S...
and the National Bureau of Standards (the NBS eventually became NISTNational Institute of Standards and TechnologyThe National Institute of Standards and Technology , known between 1901 and 1988 as the National Bureau of Standards , is a measurement standards laboratory, otherwise known as a National Metrological Institute , which is a non-regulatory agency of the United States Department of Commerce...
) in the late 1970s and early 1980s. The central thesis of the Orange Book follows from the work done by Dave Bell and Len LaPadula for a set of protection mechanisms.
CC was produced by unifying these pre-existing standards, predominantly so that companies selling computer products for the government market (mainly for Defence or Intelligence use) would only need to have them evaluated against one set of standards. The CC was developed by the governments of Canada, France, Germany, the Netherlands, the UK, and the U.S.
Testing organizations
All testing laboratories must comply with ISO 17025, and certification bodies will normally be approved against either ISO/IEC Guide 65 or BS EN 45011.The compliance with ISO 17025 is typically demonstrated to a National approval authority:
- In Canada, the Standards Council of CanadaStandards Council of Canada- About the SCC :The Standards Council of Canada is a federal Crown corporation with the mandate to promote efficient and effective voluntary standardization. Located in Ottawa, Ontario, the Standards Council has a 15-member governing Council and a staff of approximately 90...
(SCC) accredits Common Criteria Evaluation Facilities - In France, the comité français d’accréditation (COFRAC) accredits Common Criteria evaluation facilities, commonly called Centres d’Evaluation de la Sécurité des Technologies de l’Information (CESTI). Evaluations are done according to norms and standards specified by the Agence nationale de la sécurité des systemes d’information (ANSSI).
- In the UK the United Kingdom Accreditation Service (UKAS) accredits Commercial Evaluation Facilities (CLEF)
- In the US, the National Institute of Standards and TechnologyNational Institute of Standards and TechnologyThe National Institute of Standards and Technology , known between 1901 and 1988 as the National Bureau of Standards , is a measurement standards laboratory, otherwise known as a National Metrological Institute , which is a non-regulatory agency of the United States Department of Commerce...
(NIST) National Voluntary Laboratory Accreditation ProgramNational Voluntary Laboratory Accreditation ProgramNational Voluntary Laboratory Accreditation Program is a National Institute of Standards and Technology program which provides an unbiased third-party test and evaluation program to accredit laboratories in their respective fields to the ISO 17025 standard...
(NVLAP) accredits Common Criteria Testing Laboratories (CCTL) - In Germany, the Bundesamt für Sicherheit in der Informationstechnik (BSI)
- In Spain, the National Cryptologic Center (CCN)
Characteristics of these organizations were examined and presented at ICCC 10.
Mutual recognition arrangement
As well as the Common Criteria standard, there is also a sub-treaty level Common Criteria MRA (Mutual Recognition Arrangement), whereby each party thereto recognizes evaluations against the Common Criteria standard done by other parties. Originally signed in 1998 by Canada, France, Germany, the United Kingdom and the United States, Australia and New Zealand joined 1999, followed by Finland, Greece, Israel, Italy, the Netherlands, Norway and Spain in 2000. The Arrangement has since been renamed Common Criteria Recognition Arrangement (CCRA) and membership continues to expand. Within the CCRA only evaluations up to EAL 4 are mutually recognized (Including augmentation with flaw remediation). The European countries within the former ITSEC agreement typically recognize higher EALs as well. Evaluations at EAL5 and above tend to involve the security requirements of the host nation's government.List of Abbreviations
- CC: Common Criteria
- EAL: Evaluation Assurance Level
- IT: Information Technology
- PP: Protection Profile
- SF: Security Function
- SFP: Security Function Policy
- SOF: Strength of Function
- ST: Security Target
- TOE: Target of Evaluation
- TSP: TOE Security Policy
- TSF: TOE Security Functions
- TSC: TSF Scope of Control
- TSFI: TSF Interface
Requirements
Common Criteria is very generic; it does not directly provide a list of product security requirements or features for specific (classes of) products: this follows the approach taken by ITSECITSEC
The Information Technology Security Evaluation Criteria is a structured set of criteria for evaluating computer security within products and systems. The ITSEC was first published in May 1990 in France, Germany, the Netherlands, and the United Kingdom based on existing work in their respective...
, but has been a source of debate to those used to the more prescriptive approach of other earlier standards such as TCSEC and FIPS 140
FIPS 140
The 140 series of Federal Information Processing Standards are U.S. government computer security standards that specify requirements for cryptography modules...
-2.
Value of certification
If a product is Common Criteria certified, it does not necessarily mean it is completely secure. For example, various MicrosoftMicrosoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
Windows versions, including Windows Server 2003
Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
and Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
, have been certified at EAL4+, but regular security patches for security vulnerabilities are still published by Microsoft for these Windows systems. This is possible because the process of obtaining a Common Criteria certification allows a vendor to restrict the analysis to certain security features and to make certain assumptions about the operating environment and the strength of threats, if any, faced by the product in that environment. In this case, the assumptions include A.PEER:
Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain. There are no security requirements that address the need to trust external systems or the communications links to such systems.
as contained in the Controlled Access Protection Profile (CAPP) to which their STs refer. Based on this and other assumptions, which are not realistic for the common use of general-purpose operating systems, the claimed security functions of the Windows products are evaluated. Thus they should only be considered secure in the assumed, specified circumstances, also known as the evaluated configuration, specified by Microsoft.
Whether you run Microsoft Windows in the precise evaluated configuration or not, you should apply Microsoft's security patches for the vulnerabilities in Windows as they continue to appear. If any of these security vulnerabilities are exploitable in the product's evaluated configuration, the product's Common Criteria certification should be voluntarily withdrawn by the vendor. Alternatively, the vendor should re-evaluate the product to include application of patches to fix the security vulnerabilities within the evaluated configuration. Failure by the vendor to take either of these steps would result in involuntary withdrawal of the product's certification by the certification body of the country in which the product was evaluated.
The certified Microsoft Windows versions remain at EAL4+ without including the application of any Microsoft security vulnerability patches in their evaluated configuration. This shows both the limitation and strength of an evaluated configuration.
Criticisms
In August 2007, Government Computing News (GCN)GCN
GCN may refer to:*Nintendo GameCube, a video game console*Gamma Ray Burst Coordinates Network, a system by which Gamma-Ray Burst information is relayed from the first responding observatory to the rest of the GRB community...
columnist William Jackson
William Jackson
-In politics:*William Jackson , US Congressman from Massachusetts*William Jackson , Secretary to the Philadelphia Convention and member of the U.S. Continental Army...
critically examined Common Criteria methodology and its US implementation by the Common Criteria Evaluation and Validation Scheme (CCEVS). In the column executives from the security industry, researchers, and representatives from the National Information Assurance Partnership (NIAP) were interviewed. Objections outlined in the article include:
- Evaluation is a costly process (often measured in hundreds of thousands of US dollars) -- and the vendor's return on that investment is not necessarily a more secure product
- Evaluation focuses primarily on assessing the evaluation documentation, not on the actual security, technical correctness or merits of the product itself. For U.S. evaluations, only at EAL5 and higher do experts from the National Security Agency participate in the analysis; and only at EAL7 is full source code analysis required.
- The effort and time necessary to prepare evaluation evidence and other evaluation-related documentation is so cumbersome that by the time the work is completed, the product in evaluation is generally obsolete
- Industry input, including that from organizations such as the Common Criteria Vendor's Forum, generally has little impact on the process as a whole
In a 2006 research paper, computer specialist David A. Wheeler
David A. Wheeler
David A. Wheeler is a computer scientist. He is best known for his work on Open source software/Free-libre software and Computer security.-Open Source Software:...
suggested that the Common Criteria process discriminates against Free and Open Source Software (FOSS
Foss
Foss may refer toPeople*Foss , people with the last name Foss*Foss Shanahan , New Zealand diplomat*Foss Westcott , English bishop...
)-centric organizations and development models. Common Criteria assurance requirements tend to be inspired by the traditional waterfall
Waterfall model
The waterfall model is a sequential design process, often used in software development processes, in which progress is seen as flowing steadily downwards through the phases of Conception, Initiation, Analysis, Design, Construction, Testing, Production/Implementation and Maintenance.The waterfall...
software development methodology. In contrast, much FOSS software is produced using modern agile
Agile software development
Agile software development is a group of software development methodologies based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams...
paradigms. Although some have argued that both paradigms do not align well, others have attempted to reconcile both paradigms.
Alternative approaches
Throughout the lifetime of CC, it has not been universally adopted even by the creator nations, with, in particular, cryptographic approvals being handled separately, such as by the Canadian / US implementation of FIPS-140, and the CESG Assisted Products Scheme (CAPS) in the UK.The UK has also produced a number of alternative schemes when the timescales, costs and overheads of mutual recognition have been found to be impeding the operation of the market:
- The CESG System Evaluation (SYSn) and Fast Track Approach (FTA) schemes for assurance of government systems rather than generic products and services, which have now been merged into the CESG Tailored Assurance Service (CTAS)
- The CESG Claims Tested Mark (CCT Mark), which is aimed at handling less exhaustive assurance requirements for products and services in a cost and time efficient manner
In early 2011, NSA/CSS published a paper by Chris Salter, which proposed a Protection Profile
Protection Profile
A Protection Profile is a document used as part of the certification process according to the Common Criteria . As the generic form of a Security Target , it is typically created by a user or user community and provides an implementation independent specification of information assurance security...
oriented approach towards evaluation. In this approach, communities of interest form around technology types which in turn develop protection profiles that define the evaluation methodology for the technology type. The objective is a more robust evaluation. There is some concern that this may have a negative impact on mutual recognition.
See also
- Bell-LaPadula modelBell-LaPadula modelThe Bell-LaPadula Model is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell to formalize the U.S. Department of Defense multilevel...
- Usability testingUsability testingUsability testing is a technique used in user-centered interaction design to evaluate a product by testing it on users. This can be seen as an irreplaceable usability practice, since it gives direct input on how real users use the system...
- ISO 9241ISO 9241ISO 9241 is a multi-part standard from the International Organization for Standardization covering ergonomics of human-computer interaction. It is managed by the ISO...
- ISO/IEC 18045
- ISO/IEC 27001ISO/IEC 27001ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System standard published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission...
- Semantic webSemantic WebThe Semantic Web is a collaborative movement led by the World Wide Web Consortium that promotes common formats for data on the World Wide Web. By encouraging the inclusion of semantic content in web pages, the Semantic Web aims at converting the current web of unstructured documents into a "web of...
- Verification and ValidationVerification and ValidationIn software project management, software testing, and software engineering, verification and validation is the process of checking that a software system meets specifications and that it fulfills its intended purpose...
- Information AssuranceInformation AssuranceInformation assurance is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes...
- China Compulsory CertificateChina Compulsory CertificateThe China Compulsory Certificate mark, commonly known as CCC Mark, is a compulsory safety mark for many products sold on the Chinese market. It became effective on May 1, 2002...
External links
- The official website of the Common Criteria Project
- The Common Criteria standard documents
- Compliance evaluation in the United States
- List of Common Criteria evaluated products
- Towards Agile Security Assurance
- Important Common Criteria Acronyms
- Common Criteria Vendors Forum
- Additional Common Criteria Information on Google Knol
- OpenCC Project - free Apache license CC docs, templates and tools