Common Criteria Consulting

Phoenix Consulting Services offers consulting services to companies that are either undertaking or considering undertaking a Common Criteria (CC) evaluation.

The CC is a multi-part standard for the evaluation of the security properties of IT products. The accepted international standard for IT product security evaluations, the CC is recognized under the CC Recognition Agreement (CCRA) by the CCRA Members. Product certification is immediately recognized by industry experts as proof that a product has been subject to a rigorous, comprehensive examination by independent third-party security experts, and certified by national authorities.

Originally published in 1996, v1.0 of the CC was an initiative between Canada, France, Germany, the Netherlands, the UK, and the USA to develop criteria for evaluation of IT security useful within the international community. In 1999, version 2.0 of the CC was adopted as ISO/IEC 15408, opening the way to worldwide mutual recognition of evaluation results. The current version of the standard is v3.1, published in September 2006.

The US government was the first to issue requirements for Common Criteria certification of IA products. These requirements were originally specified in NSTISSP #11 in January 2000, and revised in July 2003 and March 2005.

In the US, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) Validation Body is responsible for the management of Common Criteria evaluations.

The role of a consultant in a Common Criteria evaluation has been addressed in a FAQ published on the CCEVS website (FAQs About Evaluation Consultants). Additional discussion of the role of independent consultants assisting in an evaluation was published by the Common Criteria Users' Forum (CCUF) in the Summary Report from the October 2004 meeting.