About The Common Criteria

Purpose of the Arrangement

The Participants in this Arrangement share the following objectives:

  1. to ensure that evaluations of Information Technology (IT) products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles;
  2. to improve the availability of evaluated, security-enhanced IT products and protection profiles;
  3. to eliminate the burden of duplicating evaluations of IT products and protection profiles;
  4. to continuously improve the efficiency and cost-effectiveness of the evaluation and certification/validation* process for IT products and protection profiles.

The purpose of this Arrangement is to advance those objectives by bringing about a situation in which IT products and protection profiles which earn a Common Criteria certificate can be procured or used without the need for further evaluation. It seeks to provide grounds for confidence in the reliability of the judgements on which the original certificate was based by requiring that a Certification/Validation Body (CB) issuing Common Criteria certificates should meet high and consistent standards.

A Management Committee, composed of senior representatives from each signatory’s country, has been established to implement the Arrangement and to provide guidance to the respective national schemes conducting evaluation and validation activities.

Procedures that supplement the Arrangement

The procedures titled 'Multiple CBs within one country / Commercial CBs' and 'Time criteria required to transfer from a Certificate Consuming Participant to a Certificate Authorising Participant' are to be consulted by those nations that are planning to apply for the status of Certificate Authorising Participant. These procedures expand on decisions made by the Management Committee, implementing the Arrangement.

The procedure titled 'Voluntary Periodic Assessments' is to be consulted by those Qualified Participants that are scheduled to undergo their periodic assessment. The procedure expands on information contained within the CCRA, Annex D 'Voluntary Periodic Assessments'.

The procedure titled 'Conducting a Shadow Certification' is to be consulted by those Schemes that have submitted an application to become a Qualified Participant. The procedure expands on information contained within the CCRA, Annex G 'New Compliant Certification/Validation Bodies'.

* Certain Schemes may choose to employ the term validation instead of certification. For the purpose of this recognition arrangement, the terms are deemed to be equivalent in their meaning and intended purpose as reflected in the Glossary at Annex A.