
CCUF - Common Criteria

A brief introduction to the Common Criteria for the CC User Forum.

Lachlan Turner

on 13 August 2015

Transcript of CCUF - Common Criteria

Common Criteria?
Pre-canned set of assurance requirements.
Protection Profile
Set of functional AND assurance req's
Evaluation Process
The Common Criteria User Forum mission is to provide a voice and communications channel amongst the CC community including the vendors, consultants, testing laboratories, Common Criteria organizational committees, national schemes, policy makers, and other interested parties.
Functional requirements
Security Target
Assurance requirements
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
ATE_FUN.2.2D The developer shall provide test documentation.
ATE_FUN.2.1C The test documentation shall consist of test plans, expected test results and actual test results.
ATE_FUN.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Capstone document that drives evaluation.
e.g. EAL1
ADV_FSP.1 Basic functional specification
AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
ALC_CMC.1 Labelling of the TOE
ALC_CMS.1 TOE CM coverage
ATE_IND.1 Independent testing - conformance
AVA_VAN.1 Vulnerability survey
Encrypted Storage
Operating System
Network Device
Multi-Function Device
Security Management
Protection Profile Examples:
Vendor's Claims
Requirements incorporated into Security Target
Actions to be performed by the developer and evaluator to generate assurance.
Security functionality that the product must provide.
Optionally referenced by PPs and STs
1 - 7
International recognition only to EAL4
Is there a Protection Profile for my product?
PP Evaluation
EAL Evaluation
Precludes evaluation in some schemes
Acceptance criteria apply
You determine scope / functions
No US PCL listing
Automatic acceptance
Development may be needed to meet PP requirements
Entropy requirements tricky
US PCL Listing for NIAP PPs
Eligibility (if EAL)
Security Target
Entropy Description (USA)
Results in 'in-evaluation' listing
Documentation Review
Security Target
Design (EAL)
Life-cycle (EAL)
Testing documents (EAL)
Functional Testing
Penetration Testing
Product generally shipped to lab
Certification Report
Product Listings
What is the Common Criteria?
The Common Criteria (CC) is an international standard for evaluating the security properties of IT products. It defines a framework for the oversight of evaluations, a syntax for specifying the security requirements to be met, and a methodology for evaluating a product against those requirements. The CC is used by governments and other organizations around the world to assess the security of information technology products and is often specified as a prerequisite to procurement.

For more information or to obtain the standard: