The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is an international framework of cybersecurity certification standards. Common Criteria certification assures that the definition, implementation, and evaluation of an eligible IT product or system were performed in a rigorous and repeatable way at a level suitable for the intended environment.
In this article, we provide insight into the latest statistics related to Common Criteria certification.
How many countries recognize the Common Criteria certification?
Common Criteria certifications are internationally recognized by all CCRA member states, which means 31 signatories to date. There are two types of signatory nations:
Countries with an authorizing role
- The Netherlands
- Republic of Korea
Countries with a consuming role
- Czech Republic
- New Zealand
Which are the 3 most frequently chosen Schemes?
- The most frequently chosen Scheme to this day is the French Scheme called Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI). Currently, 315 products have Common Criteria certification based on the ANSSI Scheme.
- The second most common is the German Scheme called Bundesamt für Sicherheit in der Informationstechnik. 288 products have been evaluated against it to date.
- The third most popular Scheme so far has been the Dutch Scheme. According to the latest statistical data, 168 eligible IT products got CC certified by NSCIB operated by TÜV Rheinland Nederland B.V.
How many products have Common Criteria certification to date?
Since 2010, a total of 1645 IT products and services went through the Common Criteria certification process successfully.
Common Criteria Certification Trends
Common Criteria certification provides trusted third-party assurance of product security standards, helping to identify IT systems that are suitable for securing sensitive data and other critical information. As digital transformation continues to accelerate within organizations, the importance of CC certification is becoming more pronounced.
Understanding these trends can help companies proactively establish secure IT solutions and identify risks to their systems. Recent data has revealed an increase in CC certifications across different industries, with higher demand for products with stricter levels of assurance.
The trend towards stricter security standards is also reflected in which products are being most commonly certified. Technical products have traditionally been the main recipients of CC certifications; however, demand for heightened security features for consumer solutions is on the rise and there has been a surge in certifications for consumer items including toys and connected cars.
Overall, Common Criteria Certification trends demonstrate an increased focus on cyber security measures when selecting or evaluating new solutions in order to ensure that confidential assets remain secure from potential risks. Given the dynamic nature of cyber threats, we anticipate this trend will only continue as organizations make cybersecurity a core competency within their existing frameworks.
What kind of products got Common Criteria certification?
The most frequently evaluated products are ICs, Smart Cards, and Smart Card-Related Devices and Systems. There are currently 587 certified products in this category. It is followed by Other Devices and Systems with 232 certifications, and by Network and Network-Related Devices and Systems with 226 Common Criteria certified products. Data Production products, Operating Systems, and Products for Digital Signatures are also among the products for which Common Criteria certification is a favored alternative.
In the last 4 years, the number of issued certifications has increased by an average of 10%.
Benefits of Common Criteria Certification
Common Criteria certification offers many benefits to organizations and users alike. Any IT products, including software and hardware devices, that have been tested and certified to comply with the Common Criteria security standard will benefit from improved security, reduced risk of data breaches, streamlined evaluation processes and increased investment protection.
For organizations, certification can save time in the selection of IT products that are trusted to enable secure, reliable operations. It also offers a certain level of assurance that the IT product they purchase is as secure as possible and can withstand any threats.
Certified products are tested against stringent security criteria, which verify their ability to protect data from unauthorized access or alteration. Common Criteria certified solutions provide a higher level of confidence for potential customers by ensuring that their solutions meet established international standards for information security. Furthermore, certification provides an evaluation assurance level (EAL) rating which measures the protection capabilities of each product on the basis of tests such as Fuzz Testing, Performance Testing and System Security Testing. This ensures that users will have a better understanding of how their system components interact before installation.
Organizations that use these kinds of products can also demonstrate compliance with industry regulations and requirements set forth by government organizations or other enterprises seeking secured user access privileges or sensitive data protection solutions. They can also receive support from industry associations that may provide incentives to those who obtain certifications or seek recognition for best practice in areas such as privacy assurance or industry-wide data confidentiality.
What are the most commonly chosen Evaluation Assurance Levels (EAL)?
An EAL indicates how comprehensively an IT security product or system has been verified. EALs are assigned a value between 1 and 7, with 1 representing the lowest degree of evaluation and 7 the highest. A higher level Common Criteria evaluation does not necessarily mean that the product is more secure; rather, it indicates that the product has been subjected to additional or deeper examination.
The most commonly chosen EAL is EAL4+. 334 products have Common Criteria certification at this level. The second most common is EAL5+. This level was chosen for 281 certified products. 201 certified products were evaluated at EAL2+ level, and 128 at EAL6+ level.
The number of Common Criteria certifications shows a slow but steady increase in recent years. According to the most recent Common Criteria Statistic Report, by the time this article was written, 292 IT products had received Common Criteria certification internationally in 2023.
[Figure: Certified Products List – Statistics]