
What is Common Criteria in Cybersecurity?

Common Criteria, formally known as Common Criteria for Information Technology Security Evaluation, is an international framework for evaluating the security features of IT products. The ISO/IEC 15408 series defines the framework and helps vendors demonstrate that their products meet specific security requirements through independent evaluation.

The framework gives governments, defense agencies, enterprises, and buyers a standardized way to assess security-sensitive products against defined security claims. Buyers often use it for products such as firewalls, operating systems, smart cards, network devices, databases, security appliances, hardware, software, and firmware.

Key Terms in Common Criteria

Common Criteria uses a few important terms:

  • Target of Evaluation: The specific product or system being evaluated.
  • Protection Profile: A document that defines security requirements for a type of product, such as a firewall or smart card.
  • Security Target: A vendor-supplied document that explains the product’s security claims and the scope of evaluation.
  • Security Functional Requirements: The specific security functions the product must provide.
  • Security Assurance Requirements: The evidence and evaluation activities needed to show that the product meets its claims.

Evaluation Assurance Levels

Common Criteria uses Evaluation Assurance Levels, or EALs, to describe the depth and rigor of evaluation. These levels range from EAL1 to EAL7.

Level range   | What it generally means
EAL1–EAL2     | Basic to moderate assurance, often used for lower-risk evaluations.
EAL3–EAL4     | More structured testing, design review, and analysis.
EAL5–EAL7     | Higher assurance, usually for specialized or high-risk environments.

An EAL does not automatically mean one product is “more secure” than another. It only tells buyers how deeply the product was evaluated within the stated scope.

Global Recognition

Common Criteria certifications can be recognized across participating countries through the Common Criteria Recognition Arrangement, or CCRA. This helps reduce the need for vendors to repeat the same evaluation in every country where they want to sell a product. The official Common Criteria Portal explains that certificates issued by certificate-authorizing schemes are recognized by CCRA signatories.

Where Hexnode Fits

Common Criteria focuses on evaluating IT products, not certifying an organization’s overall cybersecurity program. However, organizations that work in regulated or security-sensitive environments still need strong endpoint controls around the products and systems they use.

Hexnode UEM can help IT teams manage devices, enforce security policies, monitor compliance, control app usage, and keep endpoints aligned with internal security requirements. This supports the broader operational discipline needed when deploying and managing security-sensitive technologies.

Frequently Asked Questions (FAQs)

Not exactly. It is mainly a product security evaluation framework, not a full organizational compliance program.

No. It shows that a product was evaluated against specific security claims, scope, and assurance requirements.