Hook / Why This Matters
CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Vendors love claiming their products are "certified secure." But certified against what? At what assurance level? Understanding evaluation criteria is the difference between trusting a marketing badge and making an informed procurement decision. It is also a reliable CISSP exam topic that candidates often overlook.
Core Concept Explained Simply
Security evaluation criteria are standardized frameworks for assessing how secure a product or system actually is. They provide a common language for comparing products and a structured process for testing security claims.
TCSEC (The Orange Book)
The Trusted Computer System Evaluation Criteria was the original U.S. standard, published by the Department of Defense in 1983. It defined security levels from D (minimal protection) through A1 (verified design). TCSEC focused primarily on confidentiality and was designed for military classification systems.
TCSEC is historical context. It is no longer used for new evaluations, but the CISSP exam expects you to know it existed and what replaced it.
ITSEC
The Information Technology Security Evaluation Criteria was the European counterpart to TCSEC. It separated functionality from assurance, which was a significant improvement. ITSEC is also historical, replaced by Common Criteria.
Common Criteria (ISO 15408)
Common Criteria is the current international standard for security evaluation. It replaced both TCSEC and ITSEC and is recognized across 31 countries through the Common Criteria Recognition Arrangement.
The key components are:
- Target of Evaluation (TOE): The specific product or system being evaluated. This is critical to understand because the certification applies only to the defined TOE, not the entire product line.
- Protection Profile (PP): A set of security requirements for a category of products (for example, a PP for network firewalls). Buyers use PPs to define what they need.
- Security Target (ST): The vendor's document describing what the TOE does and what security claims are being made.
- Evaluation Assurance Level (EAL 1 through 7): The rigor of the evaluation process, not the strength of the security features.
Understanding EAL Ratings
EAL levels measure how thoroughly a product was tested and reviewed, not how many security features it has:
- EAL1: Functionally tested
- EAL2: Structurally tested
- EAL3: Methodically tested and checked
- EAL4: Methodically designed, tested, and reviewed
- EAL5: Semi-formally designed and tested
- EAL6: Semi-formally verified design and tested
- EAL7: Formally verified design and tested
A product at EAL4 has been more rigorously evaluated than one at EAL2, but that does not mean it has more features or is "more secure" in absolute terms. A product with fewer features at a higher EAL may be more trustworthy than a feature-rich product at a lower EAL.
FIPS 140-2 and FIPS 140-3
These standards specifically validate cryptographic modules. If a product claims to use validated cryptography, FIPS 140 validation is the benchmark to ask for. The standard defines four security levels for cryptographic module implementation, from basic requirements (Level 1) to physical tamper-resistance (Level 4).
CISSP Lens
For the exam, focus on:
- The Common Criteria structure: Protection Profile, Security Target, TOE, and EAL
- The distinction between functionality (what it does) and assurance (how well it was evaluated)
- Understanding that higher EAL means more assurance, not more security features
- Recognizing TCSEC as historical context that Common Criteria replaced
- FIPS 140 for cryptographic module validation specifically
A common exam pattern presents a procurement scenario and asks about certification requirements. The correct answer usually involves specifying the right evaluation standard and understanding what the certification actually covers.
Real-World Scenario
A government agency requires Common Criteria EAL4+ for all firewall procurements. The procurement team finds a certified firewall on the Common Criteria portal. Before purchasing, the security architect reviews the Security Target document and discovers that the TOE covers only the packet filtering engine, not the VPN module or management interface.
This means the certification applies to one component of the firewall, not the entire product. The agency must either require separate certification for additional components, accept the risk for uncertified components, or implement additional controls to compensate.
This scenario illustrates why reading the Security Target is essential. A "Common Criteria certified" label on a product means far less without understanding what specifically was evaluated.
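The scenario above, written out as a gap analysis that a procurement reviewer could run over a Security Target's scope: an added example, not part of the original guide. Product names, component lists and the reading of "EAL4+" as "at least EAL4" are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Requirement:
    min_eal: int                   # "EAL4+" policy read here as "at least EAL4" (assumption)
    components: frozenset          # functions the agency will rely on in production
    crypto_components: frozenset   # subset that must also carry FIPS 140 validation

@dataclass(frozen=True)
class Certification:
    product: str                   # constructed name, not a real certificate
    eal: int
    toe_components: frozenset      # what the Security Target actually scopes as the TOE
    fips_validated: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.eal not in range(1, 8):
            raise ValueError(f"EAL must be 1..7, got {self.eal}")

def gap_analysis(req, cert):
    """List gaps between what was certified and what the policy requires.

    Empty means the certificate covers the requirement as scoped; each entry
    left is a risk to accept, certify separately, or compensate for.
    """
    gaps = []
    if cert.eal < req.min_eal:  # assurance gap: evaluation rigor, not feature count
        gaps.append(f"assurance: EAL{cert.eal} below required EAL{req.min_eal}")
    for c in sorted(req.components - cert.toe_components):  # scope gap: outside the TOE
        gaps.append(f"scope: '{c}' is not in the evaluated TOE")
    for c in sorted(req.crypto_components - cert.fips_validated):  # crypto gap
        gaps.append(f"crypto: '{c}' has no FIPS 140 validation")
    return gaps

# Constructed sample data mirroring the scenario in the text.
AGENCY_POLICY = Requirement(
    min_eal=4,
    components=frozenset({"packet filtering", "vpn", "management interface"}),
    crypto_components=frozenset({"vpn"}))
# EAL4 firewall whose Security Target scopes only the packet filtering engine.
CERTIFIED_FIREWALL = Certification("ExampleFW-A", 4, frozenset({"packet filtering"}))
# Feature-rich competitor: everything in the TOE, but evaluated only at EAL2.
FEATURE_RICH_FIREWALL = Certification(
    "ExampleFW-B", 2,
    frozenset({"packet filtering", "vpn", "management interface"}), frozenset({"vpn"}))

if __name__ == "__main__":
    for cert in (CERTIFIED_FIREWALL, FEATURE_RICH_FIREWALL):
        print(cert.product, gap_analysis(AGENCY_POLICY, cert) or ["no gaps"])
```

The two sample products show the two failure modes side by side: the EAL4 certificate passes on assurance but leaves the VPN and management interface outside the TOE, while the EAL2 competitor covers every component but fails the assurance floor.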
Common Mistakes and Misconceptions
- Assuming higher EAL means "more secure." EAL measures evaluation rigor. A product at EAL7 was evaluated more thoroughly, but EAL does not measure the number or strength of security features.
- Thinking certification covers the entire product. It covers the defined TOE only. Always check the Security Target to understand the scope.
- Ignoring FIPS 140 for cryptographic components. If a product claims validated cryptography, ask for the FIPS 140 certificate number.
- Treating TCSEC ratings as current. TCSEC is historical. Common Criteria is the active standard.
- Confusing certification with accreditation. Certification evaluates a product against criteria. Accreditation is an organizational decision to authorize a system for use.
Actionable Checklist
- Review your procurement requirements for security evaluation criteria
- Check whether critical products have Common Criteria or FIPS certifications on the official validated products lists
- For each certified product, read the Security Target to verify what the TOE actually covers
- Include Common Criteria or FIPS requirements in RFPs for security-critical products
- Understand your regulatory requirements for product certification levels
- Distinguish between product certification and system accreditation in your documentation
Key Takeaways
- Common Criteria replaced TCSEC and ITSEC as the international standard
- EAL measures assurance (how thoroughly tested), not functionality (what it does)
- Certification applies to the specific TOE, not the entire product
- FIPS 140-2/140-3 is the standard for cryptographic module validation
- Use evaluation criteria to inform procurement, not as a substitute for your own testing
Exam-Style Reflection Question
A product is certified at Common Criteria EAL4. A competing product is certified at EAL2 but has more security features. Which provides greater assurance?
Answer: The EAL4 product provides greater assurance because EAL measures the rigor of evaluation and testing, not the number of features. EAL4 means methodically designed, tested, and reviewed. More features at a lower assurance level may actually introduce more risk if those features have not been as thoroughly evaluated.