Common Criteria Customer FAQ
Common Criteria fundamentals
Question: What is Common Criteria?
Answer: Common Criteria (CC) is an international standard (ISO/IEC 15408) for certifying the security functions of IT products. It provides a structured way for vendors to implement security and for consumers to verify that those claims are true.
The framework is governed by the Common Criteria Recognition Arrangement (CCRA), which now includes over 30 member nations. Under this agreement, a certification achieved in one member country, like the U.S., is recognized by all others.
- In the U.S.: CC is managed by the National Information Assurance Partnership (NIAP), operated by the NSA.
- Protection Profiles (PPs): Today, the focus has shifted away from general "Assurance Levels" (EALs) toward collaborative Protection Profiles (cPPs). These are specific, technology-driven requirements, for example, Full Disk Encryption, Firewalls, or Operating Systems, developed by international technical communities to ensure testing is consistent and relevant to modern threats.
Question: How does Common Criteria work?
Answer: The process has evolved to be more agile to keep pace with rapid software releases:
- The Target of Evaluation (TOE): The vendor defines exactly what is being tested, like Red Hat Enterprise Linux 9.x on specific x86 and IBM hardware.
- Lab Evaluation: A third-party, accredited laboratory tests the TOE against the relevant Protection Profile.
- Certification: Once the lab and the national authority, such as NIAP, agree the requirements are met, the product is added to the Product Compliant List (PCL).
Note on EAL vs. PP: In the past, people focused on "EAL levels" like EAL4. In 2026, the U.S. and many partners almost exclusively use Protection Profiles, as they provide more measurable, repeatable security results for specific technologies.
Red Hat products and compliance
Question: Why does Red Hat prioritize Common Criteria?
Answer: Common Criteria certification is a baseline requirement for U.S. National Security Systems (NSS) and many global government, defense, and critical infrastructure sectors (Finance, Healthcare, Energy). Red Hat invests in these certifications to ensure our customers can deploy RHEL in high-security environments without administrative friction.
Question: Which Red Hat products are currently certified?
Answer: Red Hat Enterprise Linux (RHEL) remains our flagship certified platform. We maintain a "rolling" certification strategy for major versions (RHEL 8 and RHEL 9).
- Red Hat Enterprise Linux (RHEL): Currently certified against the Protection Profile for General Purpose Operating Systems for several versions of RHEL 8 and RHEL 9.
- JBoss Enterprise Application Platform: Currently certified at an EAL 2+ level for version 8.1.
- Cloud & Automation: We increasingly pursue certifications for components of the OpenShift (Kubernetes) ecosystem to support containerized workloads in regulated environments.
Question: Are minor releases of RHEL such as 9.4 to 9.6 certified?
Answer: Because software moves faster than the certification process, the "Certified Configuration" usually refers to a specific minor version and kernel. However, in 2026, the industry has moved toward Assurance Maintenance. This prevents customers from having to choose between being "Certified" and being "Patched."
Question: I need to deploy today, but the latest version is "In Evaluation."
Answer: Under National Security Policy, if a certified version is not available for your specific needs, you are often permitted to use a version that is currently "In Evaluation." Red Hat provides transparency through the NIAP "Products in Progress" list so your Authorizing Official (AO) can see that the certification is underway.
Question: How do I keep my CC-configured system patched?
Answer: RHEL uses DNF (Dandified YUM). You can maintain your security baseline while applying critical fixes using the following commands:
```bash
# Check for available security updates
dnf updateinfo list security
# Apply only updates that have a Security Advisory (RHSA)
dnf upgrade --security
```
Most government auditors now prefer a system that is patched against known vulnerabilities (CVEs) over a system that perfectly matches a two-year-old "certified" configuration. We recommend using Red Hat Lightspeed (formerly Red Hat Insights) and OpenSCAP to automate compliance auditing and ensure your system stays within the spirit of the Common Criteria guidelines.
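The following script is an added example, not Red Hat tooling or part of the original FAQ. It wraps the two dnf commands above in a small patch-status check that an administrator can run before an audit: it parses the output of `dnf updateinfo list security`, counts pending advisories by severity, and returns a non-zero status if any Critical or Important advisory is still outstanding. The sample advisory lines are constructed, and the assumed line shape (`<advisory-id> <Severity>/Sec. <package NEVRA>`) is the one printed by dnf 4 on RHEL 8 and 9; verify it against your own system before relying on the parser.

```bash
#!/bin/sh
# Added example: summarise pending RHSA advisories and flag high-severity ones.
# Not Red Hat's code; the dnf output format below is an assumption (dnf 4).

# Constructed sample of `dnf updateinfo list security` output, for offline use.
SAMPLE_UPDATEINFO='RHSA-2024:0001 Important/Sec. openssl-1:3.0.7-24.el9_2.x86_64
RHSA-2024:0002 Moderate/Sec.  curl-7.76.1-26.el9_3.x86_64
RHBA-2024:0003 bugfix         bash-5.1.8-6.el9.x86_64
RHSA-2024:0004 Critical/Sec.  kernel-5.14.0-362.el9.x86_64'

# Read advisory lines on stdin; print one "<severity> <count>" line per
# severity, sorted. Only lines whose type column ends in "/Sec." (security
# advisories) are counted, so bugfix/enhancement lines are ignored.
summarize_advisories() {
    awk '
        $2 ~ /\/Sec\.$/ {
            sev = $2
            sub(/\/Sec\.$/, "", sev)   # "Important/Sec." -> "Important"
            count[sev]++
        }
        END { for (s in count) printf "%s %d\n", s, count[s] }
    ' | sort
}

# Exit 0 when no Critical/Important advisories are pending, 1 otherwise.
pending_high_severity() {
    summarize_advisories | awk '
        $1 == "Critical" || $1 == "Important" { n += $2 }
        END { exit (n > 0) ? 1 : 0 }
    '
}

# Live check against the running RHEL system (requires dnf and root for the
# upgrade step). Invoked only when the script is run with "--live".
check_live_system() {
    if dnf updateinfo list security | pending_high_severity; then
        echo "OK: no Critical/Important security advisories pending"
    else
        echo "ACTION: high-severity advisories pending; run: dnf upgrade --security"
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_live_system
fi
```

Running `sh patch-status.sh --live` on a RHEL host reports whether a `dnf upgrade --security` is overdue; run without arguments it defines the functions only, so the parser can also be exercised on saved dnf output (`summarize_advisories < saved.txt`). The severity list can be fed into the same compliance reporting you already gather from OpenSCAP, so the "certified configuration" evidence and the "patched against known CVEs" evidence sit side by side for the auditor.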
Question: You didn’t answer all my questions. Where do I go for more help?
Answer: Red Hat Support is available anytime a customer, or potential customer, has a question about a Red Hat product.
Resources
- Red Hat Common Criteria Certifications
- Common Criteria Portal