This writeup presents an overview gap analysis between the Common Criteria (CC) version 3.1 Revision 5 (April 2017) and the newly released CC:2022. The purpose of this analysis is to highlight key differences, updates, and improvements introduced in the 2022 version. The Common Criteria framework serves as an international standard for evaluating and certifying the security of information technology products. As the cybersecurity landscape continues to evolve, the newer version of CC introduces various enhancements to keep pace with technological advancements, industry best practices, and modern security requirements.
This writeup serves as a resource for evaluators to better understand the key changes in CC:2022 and how to effectively apply the updated criteria during security evaluations of Target of Evaluation (TOE) products.

Document Changes

| Document | CC v3.1R5 | CC:2022 | GAP Analysis | Remark: Where the evaluator will use the listed document |
|---|---|---|---|---|
| Part 1 | Introduction and general model, April 2017 Version 3.1 Revision 5, CCMB-2017-04-001 | Introduction and general model, November 2022 CC:2022 Revision 1, CCMB-2022-11-001 | The newer version introduces significant updates, reflecting the latest advancements and lessons learned from using the CC over the years. It includes new concepts, updated methodologies, and enhanced clarity in the evaluation process. | Should use for background information, reference purposes, and for guidance on the structure of PPs, PP-Modules, PP-Configurations, STs and composition. Shall use when evaluating PPs, PP-Configurations and STs. Refer to ERRATA v1.1 |
| Part 2 | Security functional components, April 2017 Version 3.1 Revision 5, CCMB-2017-04-002 | Security functional components, November 2022 CC:2022 Revision 1, CCMB-2022-11-002 | This revision introduces updates that reflect the evolution of security practices, incorporating lessons learned, technological advancements, and changes in the threat landscape. | Shall use for reference when evaluating security functional components given in packages, PPs and PP-Modules or security functional requirements (SFRs) in STs. Refer to ERRATA v1.1 |
| Part 3 | Security assurance components, April 2017 Version 3.1 Revision 5, CCMB-2017-04-003 | Security assurance components, November 2022 CC:2022 Revision 1, CCMB-2022-11-003 | New security assurance requirements or components introduced in the new CC version. | Shall use for reference when evaluating security functional components given in packages, PPs, PP-Modules and PP-Configurations or security assurance requirements in STs. Refer to ERRATA v1.1 |
| Part 4 | N/A | Framework for the specification of evaluation methods and activities, November 2022 CC:2022 Revision 1, CCMB-2022-11-004 | New chapter in CC:2022. | Should use for reference purposes and for guidance in the structure of evaluation methods and activities. Should use when formulating specific evaluation methods and activities. Refer to ERRATA v1.1 |
| Part 5 | N/A | Pre-defined packages of security requirements, November 2022 CC:2022 Revision 1, CCMB-2022-11-005 | New chapter in CC:2022. | Shall use for reference when evaluating PPs, PP-Modules and PP-Configurations or STs claiming conformance to pre-defined packages of security requirements. ERRATA not applicable. |
| CEM | Evaluation methodology, April 2017 Version 3.1 Revision 5, CCMB-2017-04-004 | Evaluation methodology, November 2022 CEM:2022 Revision 1, CCMB-2022-11-006 | Reflects updates to align with modern industry practices and standards. Introduces new evaluation methodologies, updated assessment criteria, and revised implementation procedures to address advancements in technology and changes in industry standards. | Shall use for evaluation activities. Refer to ERRATA v1.1 |
| ERRATA v1.1 | N/A | Published 1-Feb-2024; CCRA and applicable to ISO/IEC 15408/18045; mostly typos/bugs/outdated references, new term definitions, etc. | Errata refer to corrections or updates made to the official document after its publication. These corrections address errors, ambiguities, or omissions identified in the original text. Errata ensure that the document remains accurate and up-to-date. | Errata in the context of Common Criteria (CC) 2022 refer to corrections or updates made to the official document after its publication. These corrections address errors, ambiguities, or omissions identified in the original text. Errata ensure that the document remains accurate and up-to-date. |


Page Counts

| Document | CC v3.1R5 | CC:2022 | Remark |
|---|---|---|---|
| Part 1 | 106 | 167 | +61 |
| Part 2 | 323 | 297 | -26 |
| Part 3 | 247 | 211 | -36 |
| Part 4 | N/A | 26 | +26 |
| Part 5 | N/A | 39 | +39 |
| CEM | 430 | 471 | +42 |
| ERRATA v1.1 | N/A | 188 | +188 |
| Total | 1106 | 1211 | +356 |

Prepared by: Nur Sharifah Idayu Mat Roh [7 October 2024]