The international standard CC: evaluation and certification of information security products
The Common Criteria (CC) are the result of harmonizing earlier national evaluation criteria (the US TCSEC and Federal Criteria, the European ITSEC and the Canadian CTCPEC) into a single scheme that was later adopted by ISO/IEC as ISO/IEC 15408. It is currently the most comprehensive and most widely used set of evaluation criteria for IT security products.
June 1996: CC version 1.0 released;
May 1998: CC version 2.0 released;
October 1999: CC version 2.1 released, which was then adopted as the international standard ISO/IEC 15408:1999.
The main ideas and framework of the CC are taken from ITSEC and the US Federal Criteria (FC), and the concept of the Protection Profile (an implementation-independent statement of the security requirements for a class of products) is central to it. The CC separates requirements into two parts: security functional requirements (what the product must do) and security assurance requirements (how much confidence the evaluation gives that it actually does so). The assurance requirements are packaged into seven Evaluation Assurance Levels, EAL1 through EAL7. In CC version 2.x every level draws on seven assurance classes: configuration management (ACM), delivery and operation (ADO), development (ADV), guidance documents (AGD), life-cycle support (ALC), tests (ATE) and vulnerability assessment (AVA); a higher EAL selects more demanding components from each class. (CC version 3.1 reorganized these classes, folding configuration management and delivery into life-cycle support, but the EAL1 to EAL7 scale is unchanged.)
EAL4+ is one of the evaluation assurance levels defined by the Common Criteria for Information Technology Security Evaluation; the scale currently tops out at EAL7.
The "+" in EAL4+ means EAL4 augmented: the product was evaluated against the complete EAL4 assurance package plus one or more additional assurance components taken from higher levels (for example a more rigorous vulnerability analysis component). At the time this was written it was described as the highest assurance level attained by smart card products internationally; in practice, smart card chips and their operating systems are now routinely certified at EAL5+ and EAL6+. In 1996, seven organizations from six countries (Canada, France, Germany, the Netherlands, the United Kingdom and the United States) published the Common Criteria for Information Technology Security Evaluation version 1.0. In 1998 the United States, the United Kingdom, Canada, France and Germany signed a mutual recognition arrangement under which certificates issued by one national scheme are recognized by the others; by then the standard was generally known simply as the CC, at version 2.0. Version 2.1 became the international standard ISO/IEC 15408 in 1999, and China adopted it in 2001 as the equivalent national standard GB/T 18336.
Points to note:
1. There are seven levels in all, EAL1 to EAL7. A higher level does not mean the product has more or stronger security features; it means that more security assurance requirements had to be met, and more rigorously, for the certificate to be granted.
2. An EAL does not measure the security of the product itself; it indicates how deep and rigorous the evaluation was. The security features evaluated are the ones the vendor claims in its Security Target, so a product certified at EAL4 against a narrow Security Target can offer less protection than one certified at EAL2 against a broad one, and a certificate says nothing about configurations or functions outside the evaluated scope. To reach a given EAL, a product or system must satisfy the assurance requirements of that level, which in most cases cover design documentation, design analysis, functional testing and penetration testing (vulnerability analysis performed by the evaluator). The higher the level, the more detailed the documentation, analysis and testing required, and the more time and money the certification generally takes. Certification at a specific EAL indicates that the product or system meets all of the security assurance requirements of that level.