← Frameworks / Evaluation Standard

Common Criteria for IT Security Evaluation (ISO/IEC 15408)

International standard for IT security evaluation defining Security Functional Requirements (SFRs) across 11 classes and Security Assurance Requirements (SARs) at 7 Evaluation Assurance Levels (EAL 1-7). Used for product certification through Protection Profiles and Security Targets evaluated by Common Criteria Testing Laboratories. Mutual recognition under the CCRA arrangement across 31 member nations.

Clauses: 13

Avg Coverage: 55.9%

Publisher: CCRA (Common Criteria Recognition Arrangement) Version: 3.1 R5 (ISO/IEC 15408:2022)

Common Criteria → SP 800-53 SP 800-53 → Common Criteria Coverage Analysis

Clause	Title	SP 800-53 Controls
CC Part 1 — PP	Protection Profile (PP) Development — PP structure, conformance claims, security problem definition, and PP evaluation	PL-02 PL-07 PL-08 SA-04 SA-08 PM-07
CC Part 1 — ST	Security Target (ST) Development — TOE description, security objectives, SFR/SAR selection, and conformance claims	PL-02 PL-08 SA-04 SA-08 SA-17 CA-06
CC Part 2 — FAU	Security Audit (FAU) — audit data generation, analysis, review, event storage, and selection	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 AU-13 AU-14 SI-04
CC Part 2 — FCS	Cryptographic Support (FCS) — key management and cryptographic operations	SC-12 SC-13 SC-17 SC-08 SC-28 IA-07 CM-14
CC Part 2 — FDP	User Data Protection (FDP) — access control policy, information flow control, data exchange, and residual information	AC-03 AC-04 AC-05 AC-06 AC-16 AC-24 SC-04 SC-07 SC-08 SC-16 SI-12 MP-06
CC Part 2 — FIA	Identification and Authentication (FIA) — user identification, authentication mechanisms, and authentication failure handling	IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 IA-08 IA-09 IA-10 IA-11 IA-12 AC-07
CC Part 2 — FMT	Security Management (FMT) — management functions, security roles, TSF data management, and revocation	AC-01 AC-02 AC-05 AC-06 CM-05 CM-06 CM-07 CM-09 PL-09 PM-02 PS-06
CC Part 2 — FPR	Privacy (FPR) — anonymity, pseudonymity, unlinkability, and unobservability	PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08 SI-19
CC Part 2 — FPT	Protection of the TSF (FPT) — fail secure, self-testing, internal TOE transfer, TSF data integrity, replay detection, and state management	SC-04 SC-07 SC-08 SC-24 SI-06 SI-07 SI-16 CM-14 CP-12 SA-11
CC Part 2 — FRU/FTA/FTP	Resource Utilisation (FRU), TOE Access (FTA), and Trusted Path/Channels (FTP)	SC-05 SC-06 SC-10 SC-23 AC-07 AC-08 AC-10 AC-11 AC-12 AC-17 CA-03 SC-11
CC Part 3 — SAR	Security Assurance Requirements (SAR) — EAL levels, vulnerability analysis, development documentation, testing, and life-cycle support	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-17 CA-02 CA-08 RA-05
CCRA	Common Criteria Recognition Arrangement (CCRA) — mutual recognition, certificate acceptance levels, and certification body accreditation	SA-04 SA-09 PM-08 CA-06
CEM	Common Evaluation Methodology (CEM) — evaluator actions, verdict criteria, evidence requirements, and evaluation technical reports	CA-02 CA-04 CA-07 CA-08 SA-11