Common criteria

The ANSSI defines multiple levels of security for hardware involved in information and mobile networks security*: elementary qualification, based on a CSPN (Level-1 security certification); standard qualification, based on a Common Criteria evaluation EAL3+; enhanced qualification, based on a Common Criteria evaluation EAL4+.

Common Criteria are a set of standards (ISO 15408), created by a collaboration between Canada, the USA and Europe, but world recognized, which goal is to provide an unbiased assessment of information systems and software security. Thanks to this work environment, IT users can implement security profiles to specify functional security requirements and assessors can verify if products meet the required levels of security**. Theoretically then, a product test in any of these 26 countries that recognized the agreement on common criteria should follow the same process and the same requirements.

The common criteria certification is issued by a CESTI (IT security evaluation center) certified by the ANSSI, such as Oppida or Serma Technologies in France for instance. By contacting the ANSSI, in France, an editor can define the possible level of certification for its product, and then contact a CESTI for the assessment. The assessment process is expansive (around 100,000€ for an EAL3+), long (around 12 months), requires a complex and heavy documentation writing for the security target, and forces the editor to make a highly qualified scientist or mathematician associate available for CESTI experts. This evaluation process is only valid for a given version of the product, which is a handicap for small businesses and start-ups. A CESTI has to be independent such that it guarantees objectivity and confidentiality of its work. National organizations such as the ANSSI are in charge of verifying CESTI’s ethics.

Each country is free to define its own rules for information transmission in governmental levels. In France, there is a concept of “restricted transmission” or “Secret défense” (SD). The restricted transmission qualification was, until now, dedicated to government members but, since the last military programming law (LPM), OIV*** are going to be more and more pushed to use mobiles meeting this level of security, which have common criteria based security (EAL5+ for smart cards and EL4+ for applets). To have a European restricted diffusion agreement, an editor has to get its product validated by at least two European countries.

The website keeps an updated list of ISO15408 certified products. The ANSSI website keeps an updated list of qualified products.




***OIV: Opérateur d’Importance Vitale – is a French qualification issued for organisms of high importance (such as nuclear plants, Network backbones, etc.)