Messages - JimYuill

#1
The OP is 6 months old, but for anyone who ends up here looking into CC...

Back in 2008, I wrote a paper on the published criticism about CC.
I presented the paper at a DoD conference.
"Common Criteria: A Survey of Its Problems and Criticism"
Department of Defense Cyber Crime Conference 2009, St. Louis, MO, January 2009

I just put the paper on my website, FYI:
https://jimyuill.com/cs-research/comp-sec-papers/

The paper is dated, but may be useful, as some of the problems likely persist.

Abstract: The Common Criteria (CC) is a computer-security standard that some governments use for procurement, e.g., the U.S. Department of Defense. To sell information-security products in these markets, CC certification is required. Much has been published about problems with CC, and there is extensive criticism of CC. For example, a director of the U.S. CC program was recently quoted as saying, "Defending the program is a full-time effort. It is a difficult job." This paper presents a survey of the problems and criticism reported about CC. The paper provides: (a) a categorization for the reported problems, (b) a survey of the reported problems, organized by category, and (c) an annotated guide to the sources that were especially useful and authoritative. This paper is intended as a resource for those who are: evaluating CC for possible use, preparing to use CC, or researching CC itself.

The criticism about CC fell into three categories:
* Problems with CC's effectiveness
* Problems with CC's stated limitations
* Problems with CC implementation