Common Criteria Statistics Report 2022

It has now become a tradition that each year JTSEC, an ITSEC consulting company, publishes the annual Common Criteria Statistics Reports, an all-in-one report that collects and analyses all kinds of data on various aspects of the Common Criteria market. We are delighted to share that this year CCLab has made it into to report once again, as we conducted the Common Criteria evaluation project of two products under the Italian Scheme (OCSI). 

We have been eagerly waiting to discover what turns the Common Criteria market took in the previous year, and the report has unveiled some surprising points for us. According to the 2022 Common Criteria Statistics Report, there was a slight decrease in the number of certified products last year, with only 370 products receiving a certification, whereas in 2021 there was a record-high number of certifications, reaching 399. In this article, we highlight the significant findings of the report and show the possible reasons behind them.

‍

What could be the reasons behind the change in certification numbers?

Meanwhile, 2021 was the year of record-breaking numbers, and the output of 2022 slightly decreased compared to the year prior. The overall historical shows that Common Criteria certifications have been growing from 2018 to 2021. The slight decrease in 2022 suggests that the number of certifications has stabilized on the market.

However, there are a few possible explanations for why this decline happened:

• Lack of capacity of each of the laboratories or certification bodies to manage a greater number of certifications.
• Unavailability of some manufacturers to undertake Common Criteria certification, either due to time, cost, or any other reason.
• Creation of other cybersecurity standards that are eating up market share.
• Certifications are delayed until EUCC is published.

What change did the year 2022 bring to the assurance levels?

‍

In 2022, 162 high assurance evaluations (EAL4-EAL7) were carried out, almost reaching the previous year’s volume. The above data shows that the number of high assurance evaluations has stagnated for EAL 4, EAL 5, and EAL 7, while the number of certified products decreased in the low assurance levels. 

Products that were certified using low assurance represented 18,65% of all the evaluations last year, which is 4% lower than the percentage in 2021. The rate of high-assurance evaluations had also increased from 41.12% to 44%, meaning that while the number of certifications was lower in 2022 than the year before, there was a higher rate of high-assurance evaluations. 

On the other hand, the trend to use Protection Profiles on evaluations has been even larger in 2022. Certifications using a Protection Profile with no EAL assigned were very frequent in 2022. In total, 139 products were certified with a Protection Profile without assigned EAL, representing 37,57% of all certifications in 2022. The statistic for top-used  PPs shows that the Protection Profile for Network Devices was the most used in 2022, with 46 certified products.

The Common Criteria Statistics Report of 2022 enables us to better visualize the trends in the market throughout the year and hence estimate its future behavior. In 2022 there was a mild decline in the number of certifications and it is difficult to have a clear conclusion why this happened exactly. In 2023 we are looking forward to continuing the evaluations and hence contributing to the development of the sector.  

In case you have questions about the Common Criteria evaluation procedure, don’t hesitate to get in touch with us!