News and Events
Dedicated Security Components (DSC) Draft Document Released for Public Review
The Dedicated Security Component (DSC) iTC has released the draft Capabilities, Assumption and Threats document for public review.
Please visit the DSC Technical Community page to review the draft and the related comment form. The public commenting period will end 17 January 2017.
CCDB DBMS WG provides ESR for DBMS cPP for public review
The DBMS WG, consisting of the certification schemes of Sweden and Germany, is pleased to provide the Essential Security Requirements (ESR) for the database management system cPP for public review according to the iTC/cPP process paper.
The WG is happy to receive any comments on the ESR until October 31st via email to Frank.Grefrath@bsi.bund.de and Fritz.Bollmann@bsi.bund.de.
Full Drive Encryption v2.0 Collaborative Protection Profiles Published!
The Full Drive Encryption (FDE) international Technical Community (iTC) has been working collaboratively over the past several months to complete version 2.0 of the FDE Encryption Engine (EE) and FDE Authorization Acquisition (AA) cPPs and Supporting Documents. A special thanks to all who were involved in this effort! More information can be found on the cPP and iTC pages.
New Draft Addendum for Network Device cPP Released for Public Review
The Network iTC has released an additional document for public review as part of the next version of the Network Device PP and SD. This document outlines the SFRs and EAs associated with the addition of DTLS as a secure communications protocol for protecting inter-TOE communications within a distributed TOE.
Please visit the Network Device Technical Community page to review the draft and the related comment form. The public commenting period will end September 2nd, 2016.
Newest Draft of Network Device collaborative Protection Profile and Supporting Document Released for Public Review
The Network iTC is pleased to announce the public review of the next version of the Network Device cPP and Supporting Document. Please visit the Network Device Technical Community page to see the latest drafts and the related comment form. The public commenting period will end August 19, 2016.
CC and CEM Review – Extension of the ISO study period and the CCDB Managed Call for Input
The partially overlapping parallel reviews of Assurance Standards in general by ISO SC27WG3 and of the CC and CEM by the CCDB produced some very useful inputs and have both been extended to 22nd August. The ISO extension call contains some refined/additional questions and can be found here: https://www.commoncriteriaportal.org/files/WG%203%20N1317%20SP_Extension_of_SP.pdf. The CCDB input will use the same process as in <http://www.commoncriteriaportal.org/workinggroups/CCReview.cfm> i.e. inputs need to be supported by a CCRA participant. Please note however that the ISO WG and the CCDB have agreed to share all relevant inputs so either route can be used.
Two New Certificate Consuming Participants
I am pleased to announce that Singapore and Qatar have officially signed the Common Criteria Recognition Agreement (CCRA) as Certificate Consuming participants. Their acceptance into the CCRA will greatly benefit the longevity and strength of the arrangement, increasing the number of CCRA participants to 27!
Please join me in welcoming them into the CCRA.
CCRA Management Committee Chair
Common Criteria Portal Outage 10 June 2016 at 5:00 p.m. EDT
The Common Criteria Portal will be undergoing a planned outage at 5 p.m. EDT on Friday, June 10th 2016, until 9 p.m. EDT that evening. During this window of time, site operations will be unavailable. Please plan accordingly.
Kick-off teleconference for the Dedicated Security Components (DSC) iTC
The kick-off teleconference for the Dedicated Security Components (DSC) international Technical Community (iTC) will be held on Friday April 29th, at 7:00 a.m. EDT.
To join the iTC, please email: iTC-DSC@niap-ccevs.org.
More information on the DSC iTC can be found here: https://www.commoncriteriaportal.org/communities/dedicated_security_components.cfm
Candidate iTC for Dedicated Security Components
The CCDB Dedicated Security Component Working Group has completed the Essential Security Requirements for Dedicated Security Components. Information on how to join the candidate iTC can be found here.
Candidate iTC for Application Software
The CCDB Application Software Working Group has completed the Essential Security Requirements for Application Software. Information on how to join the candidate iTC can be found here.
CC and CEM Review - The CCDB Managed Call for Input
Both the CCDB and ISO SC27WG3 are performing reviews involving the CC and the CEM.
Please click here for more information, as well as instructions on how to provide input to the review process.
You have just 21 days to secure your place at ICCC. Almost 300 delegates are registered for the BIGGEST Common Criteria event in recent years – Be part of it!
For full details, see: www.iccc15.org.uk
Draft USB cPP Released for Public Review
The preliminary USB cPP is available for public review. For more details, go to this topic in USB portable storage devices.
Voluntary Termination of Infocomm Development Authority Singapore
The Infocomm Development Authority (IDA) Singapore have advised that they are voluntarily terminating their participation in the CCRA.
Despite best efforts from elected representatives of the three CCRA committees who worked with representatives of IDA Singapore to consider alternate solutions, IDA Singapore have decided to Voluntarily Terminate their CCRA Participation. IDA Singapore advised that local conditions have meant that they were unable to resource the program responsible for CCRA activities at a level that they saw as satisfactory. IDA Singapore continue to recognise the valuable contribution the CCRA makes in raising the level of assurance of IT products in cyber defence.
The CCRA members and CCUF representative continue to work together to improve cyber security through the development of collaborative Protection Profiles.
The first collaborative Protection Profiles have been published!
The Full Drive Encryption (FDE) and Network Device (ND) international Technical Communities (iTC) have been working collaboratively over the past several months to complete the FDE Encryption Engine (EE), FDE Authorization Acquisition (AA), Network Device, and Firewall cPPs. A special thanks to all who were involved in this groundbreaking effort!
December Newsletters have been Posted
The USB iTC Security Problem Definition (SPD) has been posted for comment
The USB iTC Security Problem Definition (SPD) has been posted for comment.
Twenty-six countries agree on reform to improve cyber security certification through international public-private collaboration
(New Delhi, September 8th 2014) The governments of twenty-six nations have today ratified a revision of the Arrangement on the Recognition of Common Criteria Certificates In the field of Information Technology Security (a.k.a. Common Criteria Recognition Arrangement – CCRA). The purpose of the revision is to raise the general security of certified information and communications technology products without increasing costs or preventing timely availability of such products from commercial companies.
To accomplish these goals, it has been agreed that international Technical Communities (iTCs) should be established. Such iTCs should promote fair competition in an international, multi-stakeholder, multi-sector environment with participation from both the public and private sectors. Through collaboration in the iTCs, security functional requirements and security testing requirements for products in targeted technical areas (such as firewalls, USB storage devices, full drive encryption products etc.) will be agreed and defined in collaborative Protection Profiles (cPPs) and supporting documents in accordance with the Common Criteria for Information Technology Security Evaluation standard (ISO/IEC 15408). The ultimate goal of the reform is to facilitate reasonable, comparable, reproducible and cost-effective IT-security evaluation results for such products.
The new collaborative approach agreed by the twenty-six CCRA signatory nations gives private sector stakeholders the opportunity to work with CCRA national governments in order to maximize market acceptance for each cPP, avoid unnecessary duplication of security requirement specifications for each technology domain, and share the effort of cPP development. Participation of product vendors in this process will promote fair competition and encourage increased availability of evaluated and certified ICT products including state-of-the-art technologies. Security testing laboratories will also contribute to iTCs, promoting consistency between testing laboratories and alignment of effective IT-security testing activities.
The CCRA Committees will govern application of the updated arrangement including consideration and approval of technology areas, iTCs and supporting documents.
Today’s ratification of the new CCRA marks the beginning of a 36-month transition period. Product evaluations already in progress can continue according to the previous version of the CCRA. During the transition period, participating nations also have agreed to recognize re-certifications and maintenance addenda issued according to the previous version of the CCRA. After September 8th 2017, mutually recognized certificates will either require protection profile-based evaluations or claim conformance to evaluation assurance levels 1 through 2 in accordance with the new CCRA.
Several CCRA nations already have implemented the updated approach to Common Criteria IT-security evaluations with promising results. International technical communities are currently working in the areas of USB storage devices, full drive encryption, network device and firewall, with approximately 10 nations and 10-20 vendors participating in each iTC. Collaborative PPs are expected to be completed this September, when the 15th annual International Common Criteria Conference (ICCC) will be hosted by India (see http://www.15icccindia.com/).
With the astounding increase in the use of information and communication technology in the global society and with a rapidly increasing need for reliance on ICT products, discussions were initiated about how Common Criteria and CCRA (which was initially ratified in 1999) could be reformed to meet this demand. After years of discussions among the national governments represented in CCRA, the management committee in September 2012 provided a vision statement for the future direction of Common Criteria and the CCRA. Through the vision statement the CCRA management committee noted that the general security level of general ICT certified products needed to be raised without severely impacting price and timely availability of these products. To support that goal, the level of standardization should be increased by building Technical Communities (TC) developing collaborative Protection Profiles (“cPPs”) and supporting documents, in order to reach reasonable, comparable, reproducible and cost-effective evaluation results.
In September 2013, the management committee agreed in principle on the text of the new CCRA that would implement the vision statement. This text was made available for legal review and confirmation of readiness to sign to all CCRA nations at that time. At the meeting with the CCRA management committee in Istanbul March 21st this year, the final plan for ratification of the new CCRA was agreed. In July 2014 all nations had confirmed their readiness to sign the new CCRA and the final signature procedure could commence. The new CCRA was finally ratified on September 8th, 2014.
The chair of the CCRA management committee, Mr. Dag Ströman from the Swedish government, notes that:
“Supported unanimously by twenty-six nations, the new CCRA represents one of the most significant and exciting reforms to improve cyber security at an international level. Within the framework of the new CCRA, stakeholders in cyber security are invited to define security functional and assurance requirements in international Technical Communities. Via open, transparent and consensus-based public-private collaboration, the intricate balance between IT-security and the associated cost to achieve such security can be agreed. The intent is to achieve a higher degree of harmonization of security requirements and avoid unnecessary fragmentation. Such fragmentation is costly for the vendors, who otherwise may have to certify products several times against similar but disparate national requirements. Another important goal is to make the development of IT-security requirements based on Common Criteria more agile and able to adapt over time to the ever-changing threat landscape. The new CCRA is the result of many nations and people’s hard efforts. It has the potential to notably improve cyber security, which is absolutely essential in today’s global society.”
Using the international standard Common Criteria (ISO/IEC 15408), system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and security testing laboratories can evaluate the products to determine if they actually meet the claims. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner, at a level that is comparable and commensurate with the target environment for use.
Through the Common Criteria Recognition Arrangement (CCRA), twenty-six nations recognize certifications of IT-security products based on Common Criteria. The signatories of the new CCRA are government representatives from the following nations: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, the Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, United Kingdom, and the United States.
Full Disk Encryption collaborative Protection Profiles (cPPs) have been posted for comment
The Full Disk Encryption: Authorization Acquisition cPP and Supporting Document and the Full Disk Encryption: Encryption Engine cPP and Supporting Document have been posted and are available for review. Please visit the Full Disk Encryption’s Technical Community to see the latest drafts and the related comment form. Comments are requested by Friday, September 19th.
Network Device and Stateful Traffic Filtering Firewall collaborative Protection Profiles (cPPs) have been posted for comment
Both the Network Device and Stateful Traffic Filtering Firewall cPPs and associated Supporting Documents have been posted and are available for review. Please visit the Network Fundamentals and Firewalls Technical Community to see the latest drafts and the related comment forms. Comments are requested by Friday, September 19, 2014.
August newsletters have been posted
Message from the chair of the CCRA Management Committee regarding the status of the ratification of the new CCRA
The ratification of the new CCRA is making good progress. All nations of the current CCRA have completed their national process and formally acknowledged that they are ready to sign the new CCRA. The process of signing the new CCRA will soon commence. Once all signatures have been collected, the new CCRA is ratified and is in force. A date for when the new CCRA is ratified cannot be announced beforehand, since the CCRA participants cannot in advance commit to a date by which all signatures will have been collected. There have been no significant changes made to the text compared to what has previously been announced at the CC-portal. The draft of the new CCRA is found here.
Chair, CCRA Management Committee.
The CCMC has released the FDE portal page
Read about Full Disk Encryptor in Technical Communities.
The CCMC has released the FW/ND portal page
Read about Network Fundamentals and Firewalls in Technical Communities.
Message from the chair of the CCRA Management Committee regarding the status of the ratification of the new CCRA
At the ICCC in Orlando an overview of the new CCRA that had been agreed in principle by the CCRA Management Committee was presented, together with the rules for transition between the old ("current") and new CCRA. It was stated that the arrangement agreed in principle would undergo legal review in each country before final signing could commence and that it was expected that it would take between 6-12 months before the new arrangement would be ratified.
At the CCRA meeting in Istanbul the Management Committee discussed the status of the legal review of the CCRA and the plan for how to complete the signature procedure. The schedule for the revised CCRA advertised in Orlando looks so far to be accurate and the final ratification is progressing as expected. However, a date for when the new CCRA is ratified cannot be announced beforehand, since the CCRA participants cannot in advance commit to a date by which all signatures will have been collected.
When the new CCRA comes into force, it will be announced via the CC-portal.
Through Article 2 of the new CCRA, nations mutually recognise certificates with claims of compliance against Common Criteria assurance components of either:
- a collaborative Protection Profile (cPP), developed and maintained in accordance with Annex K, with assurance activities selected from Evaluation Assurance Levels up to and including level 4 and ALC_FLR, developed through an International Technical Community endorsed by the Management Committee; or
- Evaluation Assurance Levels 1 through 2 and ALC_FLR2.
Effective on the date of ratification, the signatories of the new CCRA agree:
a) to recognize conformant certificates issued under the new CCRA;
b) to recognise conformant certificates issued under the previous version of the CCRA;
c) to recognise certificates resulting from products accepted into the certification process prior to approval of the new CCRA according to the previous version of the arrangement; and
d) for a period of 36 months from the date of ratification to recognise re-certifications and maintenance addenda issued according to the previous version of the CCRA. Thereafter, all participants shall limit recognition of certifications issued in accordance with Article 2.
The ratification of the new CCRA is still in progress. All but a very few nations have completed their national process and formally acknowledged that they are ready to sign the new CCRA. A few nations are still processing this matter according to their national procedures. In the meantime, the Management Committee has agreed to make the draft text of the new CCRA publicly available. It should be noted that the text of the new CCRA is made available "as-is"; the text is not yet formally ratified and may still be subject to updates without notice.
The draft of the new CCRA is found here.
Chair, CCRA Management Committee.
Australia has posted a Position Statement
Australia has posted a Position Statement regarding the USB Portable Storage Device ESR. Other Position Statements pertaining to the USB effort can be found in USB Portable Storage Device Position Statements.
USB iTC Informal Get-together During RSA
There will be an informal get-together during the RSA Conference in San Francisco. Anyone who is interested in participating in the USB iTC that is to be established is invited to join us on Tuesday 5.30pm at:
243 O'Farrell St, San Francisco, CA 94102
USB iTC Kick-off Meeting
The USB iTC kick-off will be held March 5th at 20.00 GMT. The time was chosen to allow for participation from the largest number of nations spread across multiple timezones around the world. The logistics of the meeting are still being worked out. The intent is to use a teleconference capability that has been offered by one of the USB vendors, which can host a large number of concurrent connections.
Details, including the agenda, will be posted on the CC Portal and the USB Secure Alliance website when they become available.
PLEASE NOTE: This meeting is aimed at vendors, labs and others who expect to actively participate in the USB iTC. To keep the USB kick-off meeting efficient, a set of more general teleconferences will also be provided on a number of dates (and times) during March (details to follow), and those who are interested, but whose focus may be in other technologies, are encouraged to take part in those calls instead.
USB iTC Registration
The interim group of vendors who are assisting in the establishment of the USB iTC have created a registration form on their website at http://www.secureusballiance.org/register, where stakeholders can register for participation in the iTC. The iTC will be an independent entity, where vendors, schemes, labs, and other agencies can collaborate in a transparent and consensus-based manner.
UK has posted a Position Statement
UK has posted a Position Statement regarding the USB Portable Storage Device ESR. Other Position Statements pertaining to the USB effort can be found in USB Portable Storage Device Position Statements.
Germany has posted a Position Statement
Germany has posted a Position Statement regarding the USB Portable Storage Device ESR. Other Position Statements pertaining to the USB effort can be found in USB Portable Storage Device Position Statements.
Sweden has posted a Position Statement
Sweden has posted a Position Statement regarding the USB Portable Storage Device ESR. Other Position Statements pertaining to the USB effort can be found in USB Portable Storage Device Position Statements.
CCDB USB Working Group Announcement
The CCDB USB Working Group has completed the Essential Security Requirements for a USB Portable Storage Device. Information on international Technical Communities can be found here, and information pertaining to the USB effort can be found here.
India to host 2014 International Common Criteria Conference!
From the Chair of the CCRA Management Committee:
"It is with great pleasure that I’m able to announce the host for the 2014 ICCC. Our newest Certificate Authorizing Member, India, has graciously invited the CCRA to their country for the CCRA/CCUF 2014 Quarter 3 meetings and the International Common Criteria Conference. Please visit the CCRA Portal ICCC tab for future updates on date, venue and their hosting web site.
Dag Ströman, Chair CCRA Management Committee"
India Accepted as Certificate Authorizing Scheme.
On August 30th 2013, the CCRA Management Committee voted yes to accept India as a certificate authorizing participant in the CCRA.
With this acceptance, 17 Certificate Authorizing Schemes operate under the CCRA.
CCRA Management Committee Chair's ICCC Announcement
The following presentation was given by the CCRA Management Committee Chair regarding the agreement to a revised CCRA and Transition Plan.
Common Criteria Users Forum.
The Common Criteria Users Forum (CCUF) mission is to provide a voice and communications channel amongst the CC community including the vendors, consultants, testing laboratories, Common Criteria organizational committees, national schemes, policy makers, and other interested parties.
The CCUF web page is located at: http://www.ccusersforum.org.
CCRA Management Committee Vision statement for the future direction of the application of the CC and the CCRA
The CCRA Management Committee (CCMC) has at the meeting in Paris, September 17 2012, agreed on a Vision Statement for the future direction of the application of the CC and the CCRA.
6th Newsletter for the 13th ICCC now available!
The 6th Newsletter for the 13th ICCC is now available from the 13th ICCC website. Please visit http://www.iccc2012paris.com/en/downloads to download the newsletter.
May Newsletter for the ICCC 2012 in Paris now available.
The May edition of the newsletter for the ICCC 2012 in Paris is now available. Click here to read this paper online.
ICCC2012 Newsletter available.
From the chairman of the French Scheme:
"I am pleased to inform you that the ICCC 2012 organisation committee has issued the first Newsletter for ICCC 2012. You can retrieve it from the ICCC 2012 website at http://www.iccc2012paris.com/en/downloads."
CCDB Request For Comments
As announced at the last ICCC, the CCDB is trialing a process of requesting comments on selected items. This document, Characterizing Attacks to Fingerprint Verification Mechanisms, is the first example of the use of this process. The document will be discussed by the CCDB at their meeting on 20/21 March, and comments submitted via your national CC schemes before that date are therefore welcomed.
At the CCDB meeting in March 2012, the topic of requesting comments for this document was discussed. All agreed to extend the comment date to 1 Sept 2012. It will be added to the CCDB agenda at the Sept 2012 meeting.
13th International Common Criteria Conference
The 13th International Common Criteria Conference will take place from 18 - 20 September 2012 in Paris, France.
Malaysia accepted as Certificate Authorizing Scheme
With this new incorporation, 15 Certificate Authorizing Schemes operate under the CCRA.
ICCC 12 Abstract Submissions Being Accepted
The due date for abstract submissions for the 2011 ICCC is 31 May 2011. Submit your abstract at http://12iccc.cybersecurity.my/papers.html.
Turkey accepted as Certificate Authorizing Scheme
With this new incorporation, 14 Certificate Authorizing Schemes operate under the CCRA.
Regarding the application of CC by non-members of the CCRA
“The Management Committee of the Common Criteria Recognition Arrangement is aware that there are Common Criteria evaluation- and certification schemes established by countries who are not participants of the Arrangement.
The MC members share information about this development and discuss any potential consequences this has for their respective governments and other stakeholders of the CCRA.
The governments of the respective CCRA participants are informed about the result of these discussions and each government may act as it deems appropriate, which may include bi-lateral and/or multilateral dialogue.
The participants of the CCRA continue to share the original objectives of the arrangement and note that CCRA is open for new applications for membership.”
The Common Criteria Portal is under transition to a new management team. All previous user functionality should be available as it was previously, with some initial modifications to improve functionality. If you experience any issues, please contact us and include the page(s) on which you experienced the issue(s), your web browser name and version, and your contact information. We will correct the problem as soon as possible and reply.
Italy accepted as Certificate Authorizing Scheme
With this new incorporation, 13 Certificate Authorizing Schemes operate under the CCRA.
New release 3 of the CC/CEM v3.1!
Release 3 of the CC/CEM v3.1 is now available.
New guides on transition to CC v3.1 and developer documentation!
New guides on transition to CC v3.1 and developer documentation are now available.