Question 67 of 530 from exam 400-251: CCIE Security written exam

Question 67 of 530 from exam 400-251: CCIE Security written exam


What does the Common Criteria (CC) standard define?



A. B. C. D. E. F.


The correct answer is D. The Common Criteria (CC) standard is an international standard (ISO 15408) that defines the requirements for evaluating the security properties of information technology (IT) products and systems. It is a framework for evaluating the security features and capabilities of IT products and systems, and it defines the criteria for evaluating and certifying the security of these products and systems.

The CC standard provides a common language and methodology for evaluating the security of IT products and systems. It defines the requirements for security targets, evaluation assurance levels (EALs), and protection profiles (PPs). A security target describes the security requirements for a specific IT product or system, while an evaluation assurance level specifies the level of confidence in the product or system's security features. Protection profiles are sets of security requirements that can be applied to different IT products or systems.

The CC standard is used by governments, militaries, and other organizations to evaluate and certify the security of IT products and systems. It is also used by vendors to demonstrate the security of their products and systems to customers.

Option A is incorrect because the Common Vulnerabilities and Exposures (CVEs) list is a database of known vulnerabilities in software and hardware products.

Option B is incorrect because the U.S. standards for encryption export regulations are defined by the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).

Option C is incorrect because it is not related to the Common Criteria (CC) standard.

Option E is incorrect because the international standards for privacy laws are defined by the General Data Protection Regulation (GDPR) and other similar regulations.

Option F is incorrect because the standards for establishing a security incident response system are defined by organizations like the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).