go to NIST home page go to CSRC home page go to Focus Areas page go to Publications page go to Advisories page go to Events page go to Site Map page go to ITL home page CSRC home page link
header image with links

 CSRC Homepage
 CSRC Site Map

   Search CSRC:

 CSD Publications:
   - Draft Publications
   - Special Publications
   - FIPS Pubs
   - ITL Security Bulletins
   - NIST IRs

 CSD Focus Areas:
   - Cryptographic Standards
       & Application
   - Security Testing
   - Security Research /
       Emerging Technologies
   - Security Management
       & Guidance

 General Information:
   - Site Map
   - List of Acronyms
   - Archived Projects
        & Conferences
   - Virus Information
   - ICAT Alerts

 News & Events  
   - Federal News
   - Security Events

 Services For the: 
   - Federal Community
   - Vendor
   - User

 Links & Organizations
   - Academic
   - Government
   - Professional
   - Additional Links

 Search NIST's ICAT
 Vulnerability Archive:
   Enter vendor, software, or keyword

ITL Security Bulletins header image  

An Overview Of The Common Criteria Evaluation And Validation Scheme

By Patricia Toth,
Computer Security Division,
Information Technology Laboratory,
National Institute of Standards and Technology


Recent advances in information technologies and the proliferation of computing systems and networks worldwide have raised the level of concern about security in both the public and private sectors. Security concerns are motivated by an increasing use of information technology (IT) products and systems throughout government and industry in a variety of areas—from electronic commerce to national defense. Consumers have access to a growing number of security-enhanced IT products with different capabilities and limitations and must make important decisions about which products provide an appropriate degree of protection for their information.

To help consumers select commercial off-the-shelf IT products that meet their security requirements and to help manufacturers of those products gain acceptance in the global marketplace, NIST and the National Security Agency (NSA) have established a program under the National Information Assurance Partnership (NIAP) to evaluate IT product conformance using international standards. The program, officially known as the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) for IT Security, or Common Criteria Scheme in abbreviated form, is a partnership between the public and private sectors.

What is Product Evaluation and Validation?

IT security is defined as the protection of information from unauthorized disclosure, modification, or loss of use by countering threats to that information arising from human or systems-generated activities, malicious or otherwise. Countering threats to an IT product (e.g., firewalls, databases, operating systems) and mitigating risk helps to protect the confidentiality and integrity of information and also ensure its availability.

Consumers of IT products need to have confidence in the security features of those products. Consumers need to be able to compare various products to understand their capabilities and limitations. Confidence in a particular IT product can be based on the reputation of the developer, past experience with the developer, or the demonstrated competence of the developer in building products through recognized assessments. The consumer could also test the product directly and obtain the necessary results. Dependence on reputation lacks measurable results and testing requires substantial, costly duplication of effort.

The Common Criteria Scheme enables consumers to obtain an impartial assessment of an IT product by an independent laboratory. This security evaluation includes an analysis of the IT product and the testing of the product for conformance to a set of security requirements. The specific IT product being evaluated is referred to as the Target of Evaluation (TOE). The security requirements for that product are described in its security target. IT security evaluations are composed from analysis and testing, distinguishing these activities from the more traditional forms of conformance testing in other areas. All of these activities are carried out using recognized standards and procedures.

To increase consistency among IT security laboratories, the CCEVS reviews the final evaluation results. This review provides independent confirmation that an IT security evaluation has been conducted in accordance with the provisions of the scheme and that the conclusions of the laboratory are consistent with the facts presented in the evaluation. This review, known as validation, is intended to promote consistency of IT security evaluations and comparability of results for all evaluations conducted within the scheme.

The evaluation, the independent validation of evaluation results, and the documentation resulting from these processes provide valuable information for consumers about the security capability of IT products. However, consumers will still need to review this information carefully and assess its applicability to their needs (e.g., the situation and operating environment in which the product will actually be used).

Scheme Objectives

NIAP has the following objectives in developing, operating, and maintaining an evaluation and validation scheme:

  • To meet the needs of government and industry for cost-effective evaluation of IT products;
  • To encourage the growth of independent commercial security testing laboratories and the development of a private sector security testing industry;
  • To ensure that security evaluations of IT products are performed using specific international standards;
  • To increase the availability of evaluated IT products; and
  • To participate in international recognition arrangements.

The scheme is intended to serve many communities of interest with very diverse roles and responsibilities, including IT product developers, product vendors, value-added resellers, systems integrators, IT security researchers, acquisition/procurement authorities, consumers of IT products, auditors, and accreditors (individuals deciding the fitness for operation of those products within their respective organizations). Close cooperation between government and industry is paramount to the success of the scheme and the realization of its objectives.

Scheme Overview

The principal participants in the NIAP Common Criteria Evaluation and Validation Scheme are:

  • Sponsors of IT Security Evaluations
  • NIAP Validation Body (NIST/NSA)
  • Common Criteria Testing Laboratories

In addition to the principal participants listed above, the NIST National Voluntary Laboratory Accreditation Program (NVLAP) plays an important role in supporting the scheme requirements for the use of accredited laboratories to perform IT evaluations.

In the context of the Common Criteria Scheme, a sponsor is the party requesting and paying for the security evaluation of an IT product or protection profile by an accredited testing laboratory. The sponsor is often the product or profile developer, but could also be a government agency, industry consortium, or other organization seeking to obtain an IT security evaluation.

CCEVS establishes policies and procedures in the interest of the public and private sectors. It also provides technical guidance to those laboratories, validates the results of IT security evaluations for conformance to the Common Criteria, and serves as an interface to other nations on the recognition of such evaluations.

Commercial testing laboratories accredited by NVLAP and recognized by the NIAP Validation Body conduct IT security evaluations. These approved testing laboratories are called Common Criteria Testing Laboratories (CCTLs). NVLAP accreditation is the primary requirement for becoming a CCTL. The purpose of the NVLAP accreditation is to ensure that laboratories meet the requirements of ISO/IEC Guide 25, General Requirements for the Competence of Calibration and Testing Laboratories, and are competent to perform the test methods used for IT security evaluations.

The NIAP Validation Body assesses the results of a security evaluation conducted by a CCTL within the scheme and when appropriate, issues a Common Criteria certificate. The certificate, together with its associated validation report, confirms that an IT product or protection profile has been evaluated at an accredited testing laboratory using the Common Methodology for conformance to the Common Criteria. The certificate also confirms that the IT security evaluation has been conducted in accordance with the provisions of the scheme and that the conclusions of the testing laboratory are consistent with the evidence presented during the evaluation.

The CCEVS maintains a NIAP Validated Products List containing all IT products and protection profiles successfully completing evaluation and validation under the scheme. CCEVS will also provide a means to list products and profiles validated by international arrangement partners.

Guidance to Consumers

It is important that consumers of IT products and protection profiles understand how to interpret the results of IT security evaluations and validations. These results are described in evaluation technical reports produced by CCTLs and summarized in the associated validation reports and Common Criteria certificates published by the NIAP Validation Body.

An IT product is typically evaluated in a controlled laboratory setting. In that regard, there are some general assumptions made about the operational environment where the product is ultimately to be employed subsequent to the security evaluation. In some cases, an evaluated IT product may be integrated into a more complex configuration of products that compose an IT system. The actual environment of use may also be significantly different from the one described in the original assumptions set forth in the security target. In the end, consumers must assess the overall contribution to assurance made by the evaluated IT product. When making assessments, there are several things a consumer should consider. They must realize that

  • The accuracy and completeness of security evaluation results are dependent on the accuracy and completeness of the information and documentation provided to the CCTL by the sponsor of the evaluation;
  • The quality of a security target (i.e., security specification) and the reported results of an IT product evaluated against that security target are a function of how well the product is able to be described under the Common Criteria and the degree to which the Common Methodology and the derivative test methods are able to measure conformance to the security target; and
  • The security evaluation results are only applicable to that particular version and release of the product in its evaluated configuration.

Consumers are responsible for determining the security impact of installing or operating an evaluated IT product in a configuration other than the configuration in which it was evaluated.

Evaluation Assurance Levels

The Common Criteria Evaluation Assurance Levels (EALs) have been developed with the goal of preserving the concepts drawn from the U.S. TCSEC and European ITSEC so that results of previous evaluations remain relevant. Using the table below, general equivalency statements are possible but should be made with caution, as the levels do not define assurance in the same manner.










D: Minimal Protection






C1: Discretionary Security Protection





C2: Controlled Access Protection


B1: Labeled Security Protection





B2: Structured Protection



B3: Security Domains



A1: Verified Design


Assurance levels define a scale for measuring the criteria for the evaluation of Protection Profiles and Security Targets. EALs are constructed from assurance components. EALs provide an increasing scale of requirements that balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance. There are seven hierarchically ordered EALs listed below. The increase in assurance across the levels is accomplished by substituting hierarchically higher assurance components from the same assurance family and by the addition of assurance components from other assurance families.

The seven EALs are as follows:

EAL1   -           functionally tested

EAL2   -           structurally tested

EAL3   -           methodically tested and checked

EAL4   -           methodically designed, tested and reviewed

EAL5   -           semi-formally designed and tested

EAL6   -           semi-formally verified design and tested

EAL7   -           formally verified design and tested


The CCEVS will help consumers select commercial off-the-shelf IT products that meet their security requirements. The CCEVS will also provide for consistent evaluation and validation results. Valuable information for consumers about the security of IT security products will be provided.

For More Information

Additional information on the Common Criteria Evaluation and Validation Scheme can be found at http://niap.nist.gov/cc-scheme.

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.


Last updated: February 21, 2003
Page created: October 29, 2000

Disclaimer Notice & Privacy Statement / Security Notice
Send comments or suggestions to webmaster-csrc@nist.gov
NIST is an Agency of the U.S. Commerce Department's
Technology Administration