Common Criteria for IT Security Evaluation (ISO/IEC 15408)
International standard for IT security evaluation defining Security Functional Requirements (SFRs) across 11 classes and Security Assurance Requirements (SARs) at 7 Evaluation Assurance Levels (EAL 1-7). Used for product certification through Protection Profiles and Security Targets evaluated by Common Criteria Testing Laboratories. Mutual recognition under the CCRA arrangement across 31 member nations.
Controls: 98
Total Mappings: 120
Publisher: CCRA (Common Criteria Recognition Arrangement) Version: 3.1 R5 (ISO/IEC 15408:2022) AC (14) AU (14) CA (6) CM (5) CP (1) IA (12) MP (1) PL (4) PM (3) PS (1) PT (8) RA (1) SA (8) SC (14) SI (6)
AC Access Control
| Control | Name | Common Criteria References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | CC Part 2 — FMT |
| AC-02 | Account Management | CC Part 2 — FMT |
| AC-03 | Access Enforcement | CC Part 2 — FDP |
| AC-04 | Information Flow Enforcement | CC Part 2 — FDP |
| AC-05 | Separation Of Duties | CC Part 2 — FDPCC Part 2 — FMT |
| AC-06 | Least Privilege | CC Part 2 — FDPCC Part 2 — FMT |
| AC-07 | Unsuccessful Login Attempts | CC Part 2 — FIACC Part 2 — FRU/FTA/FTP |
| AC-08 | System Use Notification | CC Part 2 — FRU/FTA/FTP |
| AC-10 | Concurrent Session Control | CC Part 2 — FRU/FTA/FTP |
| AC-11 | Session Lock | CC Part 2 — FRU/FTA/FTP |
| AC-12 | Session Termination | CC Part 2 — FRU/FTA/FTP |
| AC-16 | Automated Labeling | CC Part 2 — FDP |
| AC-17 | Remote Access | CC Part 2 — FRU/FTA/FTP |
| AC-24 | Access Control Decisions | CC Part 2 — FDP |
AU Audit and Accountability
| Control | Name | Common Criteria References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | CC Part 2 — FAU |
| AU-02 | Auditable Events | CC Part 2 — FAU |
| AU-03 | Content Of Audit Records | CC Part 2 — FAU |
| AU-04 | Audit Storage Capacity | CC Part 2 — FAU |
| AU-05 | Response To Audit Processing Failures | CC Part 2 — FAU |
| AU-06 | Audit Monitoring, Analysis, And Reporting | CC Part 2 — FAU |
| AU-07 | Audit Reduction And Report Generation | CC Part 2 — FAU |
| AU-08 | Time Stamps | CC Part 2 — FAU |
| AU-09 | Protection Of Audit Information | CC Part 2 — FAU |
| AU-10 | Non-Repudiation | CC Part 2 — FAU |
| AU-11 | Audit Record Retention | CC Part 2 — FAU |
| AU-12 | Audit Record Generation | CC Part 2 — FAU |
| AU-13 | Monitoring for Information Disclosure | CC Part 2 — FAU |
| AU-14 | Session Audit | CC Part 2 — FAU |
CA Security Assessment and Authorization
| Control | Name | Common Criteria References |
|---|---|---|
| CA-02 | Security Assessments | CC Part 3 — SARCEM |
| CA-03 | Information System Connections | CC Part 2 — FRU/FTA/FTP |
| CA-04 | Security Certification | CEM |
| CA-06 | Security Accreditation | CC Part 1 — STCCRA |
| CA-07 | Continuous Monitoring | CEM |
| CA-08 | Penetration Testing | CC Part 3 — SARCEM |
CM Configuration Management
CP Contingency Planning
| Control | Name | Common Criteria References |
|---|---|---|
| CP-12 | Safe Mode | CC Part 2 — FPT |
IA Identification and Authentication
| Control | Name | Common Criteria References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | CC Part 2 — FIA |
| IA-02 | User Identification And Authentication | CC Part 2 — FIA |
| IA-03 | Device Identification And Authentication | CC Part 2 — FIA |
| IA-04 | Identifier Management | CC Part 2 — FIA |
| IA-05 | Authenticator Management | CC Part 2 — FIA |
| IA-06 | Authenticator Feedback | CC Part 2 — FIA |
| IA-07 | Cryptographic Module Authentication | CC Part 2 — FCSCC Part 2 — FIA |
| IA-08 | Identification and Authentication (Non-Organizational Users) | CC Part 2 — FIA |
| IA-09 | Service Identification and Authentication | CC Part 2 — FIA |
| IA-10 | Adaptive Authentication | CC Part 2 — FIA |
| IA-11 | Re-authentication | CC Part 2 — FIA |
| IA-12 | Identity Proofing | CC Part 2 — FIA |
MP Media Protection
| Control | Name | Common Criteria References |
|---|---|---|
| MP-06 | Media Sanitization And Disposal | CC Part 2 — FDP |
PL Planning
PM Program Management
PS Personnel Security
| Control | Name | Common Criteria References |
|---|---|---|
| PS-06 | Access Agreements | CC Part 2 — FMT |
PT Personally Identifiable Information Processing and Transparency
| Control | Name | Common Criteria References |
|---|---|---|
| PT-01 | Policy and Procedures | CC Part 2 — FPR |
| PT-02 | Authority to Process Personally Identifiable Information | CC Part 2 — FPR |
| PT-03 | Personally Identifiable Information Processing Purposes | CC Part 2 — FPR |
| PT-04 | Consent | CC Part 2 — FPR |
| PT-05 | Privacy Notice | CC Part 2 — FPR |
| PT-06 | System of Records Notice | CC Part 2 — FPR |
| PT-07 | Specific Categories of Personally Identifiable Information | CC Part 2 — FPR |
| PT-08 | Computer Matching Requirements | CC Part 2 — FPR |
RA Risk Assessment
| Control | Name | Common Criteria References |
|---|---|---|
| RA-05 | Vulnerability Scanning | CC Part 3 — SAR |
SA System and Services Acquisition
| Control | Name | Common Criteria References |
|---|---|---|
| SA-03 | Life Cycle Support | CC Part 3 — SAR |
| SA-04 | Acquisitions | CC Part 1 — PPCC Part 1 — STCC Part 3 — SARCCRA |
| SA-08 | Security Engineering Principles | CC Part 1 — PPCC Part 1 — STCC Part 3 — SAR |
| SA-09 | External Information System Services | CCRA |
| SA-10 | Developer Configuration Management | CC Part 3 — SAR |
| SA-11 | Developer Security Testing | CC Part 2 — FPTCC Part 3 — SARCEM |
| SA-15 | Development Process, Standards, and Tools | CC Part 3 — SAR |
| SA-17 | Developer Security and Privacy Architecture and Design | CC Part 1 — STCC Part 3 — SAR |
SC System and Communications Protection
| Control | Name | Common Criteria References |
|---|---|---|
| SC-04 | Information Remnance | CC Part 2 — FDPCC Part 2 — FPT |
| SC-05 | Denial Of Service Protection | CC Part 2 — FRU/FTA/FTP |
| SC-06 | Resource Priority | CC Part 2 — FRU/FTA/FTP |
| SC-07 | Boundary Protection | CC Part 2 — FDPCC Part 2 — FPT |
| SC-08 | Transmission Integrity | CC Part 2 — FCSCC Part 2 — FDPCC Part 2 — FPT |
| SC-10 | Network Disconnect | CC Part 2 — FRU/FTA/FTP |
| SC-11 | Trusted Path | CC Part 2 — FRU/FTA/FTP |
| SC-12 | Cryptographic Key Establishment And Management | CC Part 2 — FCS |
| SC-13 | Use Of Cryptography | CC Part 2 — FCS |
| SC-16 | Transmission Of Security Parameters | CC Part 2 — FDP |
| SC-17 | Public Key Infrastructure Certificates | CC Part 2 — FCS |
| SC-23 | Session Authenticity | CC Part 2 — FRU/FTA/FTP |
| SC-24 | Fail in Known State | CC Part 2 — FPT |
| SC-28 | Protection of Information at Rest | CC Part 2 — FCS |
SI System and Information Integrity
| Control | Name | Common Criteria References |
|---|---|---|
| SI-04 | Information System Monitoring Tools And Techniques | CC Part 2 — FAU |
| SI-06 | Security Functionality Verification | CC Part 2 — FPT |
| SI-07 | Software And Information Integrity | CC Part 2 — FPT |
| SI-12 | Information Output Handling And Retention | CC Part 2 — FDP |
| SI-16 | Memory Protection | CC Part 2 — FPT |
| SI-19 | De-identification | CC Part 2 — FPR |