CC/CEM Documentation

The Common Criteria is the result of the integration of information technology and computer security criteria. In 1983 the US issued the Trusted Computer Security Evaluation Criteria (TCSEC), which became a standard in 1985. Criteria developments in Canada and European ITSEC countries followed the original US TCSEC work. The US Federal Criteria development was an early attempt to combine these other criteria with the TCSEC, and eventually led to the current pooling of resources towards production of the Common Criteria.

Version 1.0 of the CC was published for comment in January 1996. Version 2.0 took account of extensive review and trials during the next two years and was published in May 1998. Version 2.0 was adopted by the International Organization for Standards (ISO) as an International Standard (ISO 15408) in 1999.

In 2005, the interpretations that had been made to date were incorporated into an update, version 2.3. This was published as ISO/IEC 15408-1:2005, 15408-2:2005, and 15408-3:2005; the corresponding update of the CEM was published as ISO/IEC 18045:2005. In September 2006, CC Version 3.1 was published. The new version provided a major change to the Security Assurance Requirements and incorporated all approved Interpretations. In September 2007, minor changes/corrections were incorporated into Version 3.1 and Revision 2 became official.

The Common Criteria is composed of three parts: the Introduction and General Model (Part 1), the Security Functional Requirements (Part 2), and the Security Assurance Requirements (Part 3). While Part 3 specifies the actions that must be performed to gain assurance, it does not specify how those actions are to be conducted; to address this, the Common Evaluation Methodology (CEM) was created for the lower levels of assurance.

This common methodology is the basis upon which the member nations have agreed to recognize the evaluation results of one another, as specified in the "Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security". This was first signed in 2000 and additional member nations continue to join this agreement.

The CC and CEM continue to evolve as their use spreads. This evolution is propagated through the use of Interpretations, which are formal changes periodically made to the CC/CEM that have been mutually agreed by the participating producing nations.

The following links are to the CC, CEM, and their interpretations, as well as to other informative documents.

 


Official Documents

CC v3.1/CEM v3.1 (September 2012)

 

CC v3.1/CEM v3.1 (July 2009)

 

CC v3.1/CEM v3.1 (September 2007)

 

CC v3.1/CEM v3.1 (September 2006)

 

CC v2.3/CEM v2.3 (August 2005)

This updated set of the CC/CEM reflects the incorporation of all final interpretations of the Version 2 series. This was published as ISO/IEC 15408:2005; the corresponding update of the CEM was published as ISO/IEC 18045:2005.

 


 


Useful Documents

(Note: the following have no official standing within the Common Criteria Project or Arrangement on the Recognition of Common Criteria Certificates)

 


Transition Documents

The following documents provide mappings from CCv2 to CCv3.1.

 


Archived Documents

(Note: the following have no official standing within the Common Criteria Project or Arrangement on the Recognition of Common Criteria Certificates)

 

CC Draft Version 3.0 (June 2005)

The first official public draft of Version 3 of the Common Criteria was made available for public comment and trial use (through December 2005).

 

CC v2.2/CEM v1.2 (January 2004)

This updated set of the CC/CEM reflected the incorporation of all final interpretations through 31 December 2003. All of the changes from CCv2.1/CEMv1.0 were due solely to the final interpretations. For the purposes of evaluations within CCEVS, either version may have been used because the version that is used is identified in all outputs of the evaluation (Security Target, Protection Profile, Validation Report, certificate). This version was never approved as an ISO standard.

 

CC v2.1/CEM v1.0 (August 1999)

This set of the CC/CEM reflects the basis of mutual recognition among the participating schemes. CCv2.1 was published as ISO/IEC 15408:1999.

 

Draft ASE/APE Update (March 2004)

In 2004, the members of the CCRA created a proposed update to the ASE and APE classes, which defined the requirements for STs and PPs. These proposed updates were incorporated into the bodies of the documents that they affected (CC Parts 1 and 3 and the CEM) for convenience.