Update: We greatly appreciate all the feedback we received on this blog article. For new updates, please see our revised handy overview to the new CC:2022 at the end of the blog article.
It all started with Trusted Computer System Evaluation Criteria (TCSEC or Orange Book) in 1983; the German Security Evaluation Criteria (Green Book) in 1989; then The Information Technology Security Evaluation Criteria (ITSEC) from Europe, published in 1991 and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) from Canada in 1993. In addition the US developed the Federal Criteria for information Technology Security in 1992, which introduced the concept of Protection Profiles (PP). All those were input for the development of the Common Criteria (CC) which started in 1993 also as an ISO standard (ISO/IEC 15408). The first version of this standard was published in 1999. After several versions and releases CC 3.1 R5 has been in place since 2017.
And now CC:2022 comes to us, courtesy of the global Common Criteria community. CC:2022 contains major changes so that it is truly a new version and not a refinement of the version 3 standard:
There are now 5 parts plus the CEM (Common Evaluation Methodology):
- Part 1: introduction and general model;
- Part 2: Security functional requirements;
- Part 3: Security assurance requirements;
- Part 4: Framework for the specification of evaluation methods and activities;
- Part 5: Pre-defined packages of security requirements and the
- CEM.
The new CC:2022 adds new SARs (Security Assurance Requirements) and instantiates Exact Conformance which was an addendum previously, thus endorsing the CPP approach. Modularization of the TOE is now also allowed. There are new functional requirements, provision for multi-assurance evaluations and the concept of composition of assurance is introduced with three levels, namely Layered composition, Network/bi-directional composition and Embedded composition. It also defines a framework for the development of evaluation methods and activities to guide the developer of Protection Profiles to tailor assurance activities to the special needs of the security functionality included in the PP.
The expiration date for new evaluations submitted under the CC 3.1 R5 is June 30, 2024.
atsec has prepared a handy overview to the new CC:2022.