CCRA Common Criteria Recognition Agreement

In early 2011, the NSA/CSS published a paper by Chris Salter proposing a profile-based approach to evaluation. In this approach, interest groups are formed around types of technologies; these groups, in turn, develop protection profiles that define the method of evaluating that type of technology. [12] The objective is a more robust assessment. There is a concern that this will have a negative impact on mutual recognition. [13]

Some systems may choose to use the term validation rather than certification. For the purposes of this recognition regime, the terms are considered equivalent in meaning and purpose, as expressed in the Annex A glossary.

The United Kingdom has also developed a number of alternative systems for cases in which the time, costs and overheads of mutual recognition hinder the functioning of the market.

In addition to the Common Criteria standard, there is also a Common Criteria MRA (Mutual Recognition Arrangement) sub-contract in which each party recognizes evaluations against the Common Criteria standard carried out by other parties. It was originally signed in 1998 by Canada, France, Germany, the United Kingdom and the United States; Australia and New Zealand joined in 1999, followed by Finland, Greece, Israel, Italy, the Netherlands, Norway and Spain in 2000. Since then, the arrangement has been renamed the Common Criteria Recognition Arrangement (CCRA) and membership has expanded further.

Within the CCRA, only evaluations up to EAL 2 are mutually recognized (including augmentation with flaw remediation). Under the old ITSEC agreement, European countries generally recognize higher EALs. Evaluations at EAL5 and above tend to involve the security requirements of the host country's government. In September 2012, a majority of CCRA members issued a vision statement that lowers mutual recognition of CC-evaluated products to EAL 2 (including augmentation with flaw remediation). In addition, this vision indicates a move away from assurance levels altogether: evaluations will be limited to conformance with protection profiles that do not have a specified assurance level. This will be done by technical working groups developing PPs on a global scale, and a transition period is not yet fully defined.

This assumption is included in the Controlled Access Protection Profile (CAPP) to which its products comply. The claimed security features of Windows products are evaluated on the basis of these and other assumptions, which may not be realistic for the common use of general-purpose operating systems. Therefore, they should only be considered secure in the assumed, specified circumstances, also known as the evaluated configuration.

The procedures titled “Several CBs in a country / commercial CBs” and “Time criteria required to move from a certificate consuming participant to a certificate authorizing participant” are to be consulted by nations considering applying for certificate authorizing participant status. These procedures extend the management committee's decisions regarding the implementation of the agreement. Each certificate authorizing participant of the CCRA ensures that evaluations are conducted to high and consistent standards. This system of recognition of IT security certification standards between Member States is called mutual recognition (MR) and makes it unnecessary to duplicate an evaluation. This agreement is currently limited to the first four levels of security of the Common Criteria: EAL1 to EAL4 without cryptographic functionality.
