Defining Security Requirements with the Common Criteria: Applications, Adoptions, and Challenges
Nan Sun, Chang-Tsun Li, Hin Chan, Ba Dung Le, MD Zahidul Islam, Leo Yu Zhang, MD Rafiqul Islam, Warren Armstrong

TL;DR
This paper reviews the Common Criteria standard for ICT security evaluation, analyzing its adoption, challenges, and best practices, with insights from the Australian DACCA project to promote trust in cybersecurity products.
Contribution
It provides a systematic review of the CC standards, discusses adoption barriers, shares lessons from the DACCA project, and offers best practices and future directions for cybersecurity assurance.
Findings
Identification of key barriers to CC adoption
Lessons learned from the DACCA project implementation
Recommendations for developing effective Protection Profiles
Abstract
Advances in emerging Information and Communications Technology (ICT) technologies push the boundaries of what is possible and open up new markets for innovative ICT products and services. The adoption of ICT products and systems with security properties depends on consumers' confidence and markets' trust in the security functionalities and on whether the assurance measures applied to these products meet the inherent security requirements. Such confidence and trust are primarily gained through the rigorous development of security requirements, validation criteria, evaluation, and certification. Common Criteria for Information Technology Security Evaluation (often referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for cyber security certification. In this paper, we conduct a systematic review of the CC standard and its adoption. Adoption barriers of the CC…
