Common Criteria Evaluation Journey

Before diving into the evaluation process, let’s briefly revisit what Common Criteria involves. Common Criteria is a systematic and standardized framework for evaluating and certifying the security features of information technology (IT) products and systems.  It simplifies the process of assessing and comparing the security capabilities of different products and promotes interoperability by establishing a common standard, builds trust through tangible certification, and ensures continuous improvement by adapting to emerging threats and technologies.

Step 1: Preparation and Planning

The process begins with a very careful and precise preparation and planning. The product developer or vendor, seeking Common Criteria certification, must clearly define the security objectives of the product. This includes specifying the intended environment of use, the security features to be evaluated, and the target assurance level. A well-thought-out security target document is crafted, outlining the product’s security architecture and functionality.

What is Assurance Level?

Common Criteria establishes a structured hierarchy known as Evaluation Assurance Levels (EALs), ranging from EAL1 to EAL7, indicating the depth of security evaluations for information technology products. Each level represents a progressively higher level of security assurance. EAL1 involves basic functional testing for products with minimal security requirements, while EAL4 signifies a significant step with methodical design analysis, extensive testing, and comprehensive security reviews, suitable for commercial applications with moderate to high-security needs. EAL7, the highest level, requires formal verification and strict testing, reserved for products in the most sensitive and critical security environments. The choice of assurance level depends on the specific security needs, with higher levels providing increased confidence but requiring more extensive evaluations.

Step 2: Evaluation Kick-off

Once the preparation is completed, the evaluation officially kicks off. This stage involves the selection of an accredited Common Criteria evaluation facility or laboratory. The evaluation facility acts as an independent third party responsible for conducting the assessment. The product developer and the evaluation facility collaborate to establish the scope of the evaluation and define the evaluation plan.

Step 3: Security Analysis and Design Assessment

With the evaluation plan in place, the evaluation team dives into the security analysis and design assessment. This stage involves a thorough examination of the product’s security features, architecture, and design against the defined security requirements. The goal is to identify and address potential vulnerabilities or weaknesses in the product’s security design.

Step 4: Implementation Assessment

After the design assessment, implementation assessment starts. Here, the evaluation team inspects the product under tests closely and critically, examining the actual implementation of security mechanisms within the product. This involves code reviews, testing, and validation to ensure that the implemented security features align with the specified security requirements.

Step 5: Testing and Vulnerability Analysis

Testing is a critical phase in the Common Criteria Evaluation Process. The product is subjected to a series of tests to confirm its security functionality and its ability to resist attacks. This stage includes penetration testing, vulnerability analysis, and other testing methodologies to assess the product’s robustness against potential threats.

Step 6: Evaluation Report and Certification

Once the evaluation is complete, the evaluation facility compiles a detailed evaluation report. This report provides a comprehensive overview of the assessment, including findings, test results, and recommendations. The certification body reviews the report and, if the product meets the criteria, issues the Common Criteria certificate. This certificate attests that the product has undergone a thorough evaluation and adheres to the specified security requirements.

How long does it take?

The time it takes for a product to obtain Common Criteria certification can vary widely and depends on several factors, including the complexity of the product, the assurance level sought, the thoroughness of the evaluation process, and the efficiency of the certification process. Typically, the certification process involves various stages, including preparation, evaluation, and documentation, and it can take several months to over a year. Factors such as the completeness of the documentation provided, the responsiveness of the product developer to any issues raised during the evaluation, and the workload of the certification body can influence the overall duration. It’s advisable to work closely with the designated evaluation facility and certification body to get a more accurate estimate based on the specific details of the product and certification requirements.


In the continually expanding digital realm, the Common Criteria Evaluation Process acts as a reassuring point of reference. By navigating through each step of this process, product developers and organizations can demonstrate their commitment to cybersecurity excellence. As technology continues to advance, the Common Criteria framework stands as a reliable guardian, ensuring that the products we rely on are fortified against the relentless rise and widespread impact of cyber threats.