GJB 5371.1-2005
Evaluation criteria for IT security Part 1: Introduction and general model (English Version)

Standard No.
GJB 5371.1-2005
Language
Chinese, Available in English version
Release Date
2005
Published By
Military Standard of the People's Republic of China - Commission of Science, Technology and Industry for National Defence
Latest
GJB 5371.1-2005
Scope
This part defines the basic criteria for evaluating the security properties of information technology products and systems. For reasons of history and continuity, it is referred to as the CC (Common Criteria). By establishing such a common criteria library, the results of information technology security evaluations become meaningful to a wider audience. The CC provides a set of common requirements for the security functions of information technology products and systems, and for the assurance measures applied to them during security evaluation, so that the results of independent security evaluations are comparable. The evaluation process establishes a level of confidence that the security functions of such products and systems, and the assurance measures applied to them, meet these requirements. Evaluation results can help users determine whether an information technology product or system is secure enough for its intended application, and whether the residual security risks in its use are tolerable. The CC can also serve as a guide for the development and procurement of products and systems with information technology security functions. In the evaluation process such products and systems are called targets of evaluation (TOE, Target of Evaluation); examples are operating systems, computer networks, distributed systems and applications. The CC addresses the protection of information against unauthorized disclosure, modification and loss of use; the corresponding types of protection are usually called confidentiality, integrity and availability respectively. Beyond these three aspects, the CC is also applicable to other aspects of information security. The CC focuses on threats to information arising from human activity, whether malicious or not, but it may also be applied to threats from non-human factors.

The CC can also be applied to other areas of information technology, but it makes no commitments for areas outside information technology security in the strict sense. The CC applies to information technology security measures implemented in hardware, firmware and software. Where particular aspects of evaluation apply only to certain implementation methods, this is indicated in the relevant criteria. Some topics are outside the scope of the CC because they involve specialised professional techniques or are only peripheral to information technology security, for example:

a) The CC does not include evaluation criteria for administrative security measures that are not directly related to information technology security measures. It is recognised, however, that a significant part of TOE security is often achieved through administrative security measures such as organisational, personnel, physical and procedural controls. Where administrative security measures affect the ability of the information technology security measures to counter certain threats, those administrative measures are treated as prerequisites for the secure use of the TOE in its operating environment.

b) The evaluation of physical aspects of information technology security (such as electromagnetic emanation control) is not specifically covered, although many CC concepts are applicable to that field, and some aspects of the physical protection of the TOE are specifically addressed.

c) The CC does not cover evaluation methodology, nor the administrative model or legal framework under which evaluation authorities apply these criteria; it is expected, however, that the CC will be used for evaluation within such a framework and methodology.

d) The process of using evaluation results in the approval of products and systems is outside the scope of the CC. Product and system approval is an administrative process whereby an information technology product or system is authorised for operation in its full operating environment. Evaluation focuses on the information technology security parts of the product or system and on those parts of the operating environment that directly affect the secure use of the information technology elements, so the evaluation results are an effective input to the approval process. However, since other techniques are better suited to assessing the non-information-technology security properties of a product or system and their relationship to its information technology security, the approver shall make separate provision for those aspects.

e) The CC does not include criteria for evaluating the inherent quality of cryptographic algorithms. If an independent evaluation of the mathematical properties of the cryptography embedded in a TOE is required, the evaluation scheme under which the CC is applied must provide for such an evaluation.

GJB 5371.1-2005 history

  • 2005 GJB 5371.1-2005 Evaluation criteria for IT security Part 1: Introduction and general model
