Common Criteria (ISO/IEC 15408)
Common Criteria is an international standard for evaluating the security properties of IT products. Evaluations are conducted against Protection Profiles and result in EAL (Evaluation Assurance Level) ratings.
What Common Criteria evaluates
Common Criteria (CC, formally ISO/IEC 15408) is an international framework for evaluating IT product security. A product is evaluated against a Protection Profile (PP) that specifies threats, security objectives, and functional requirements, or against a vendor-defined Security Target (ST). The result is an Evaluation Assurance Level (EAL) ranging from EAL1 (functionally tested) to EAL7 (formally verified design and tested). Most commercial enterprise products are certified at EAL2 to EAL4+; EAL5 to EAL7 are reserved for high-assurance defense and intelligence systems.
When CC matters in AI procurement
Common Criteria is rarely the primary ask for SaaS AI vendors, but it shows up frequently for buyers in defense, intelligence, government, and some critical infrastructure. The U.S. National Information Assurance Partnership (NIAP) only recognizes CC evaluations against approved Protection Profiles; non-PP evaluations are not accepted for U.S. national security systems. For AI buyers in regulated sectors, the question is usually whether the underlying compute, OS, or HSM is CC-certified, not the AI application itself.
Cost and limitations
CC evaluations are expensive ($100K-$1M+) and slow (often 12-24 months). They evaluate a specific product version in a specific evaluated configuration; a software update may invalidate the certification or require a maintenance evaluation. Common Criteria certifies that a product implements its claimed security functions correctly; it does not validate that those security functions are appropriate for the buyer's threat model. Treat it as one input among many, not as a substitute for procurement-specific diligence.