News and Events

CCDB published the Specification of Functional Requirements for Cryptography

The Common Criteria Development Board (CCDB) Cryptographic Working Group has published the Specification of Functional Requirements for Cryptography Version 1.0 on the CC Portal.

Please visit the Publications page for more information and to access the published document.

New Certificate Consuming Participants

Jordan and Belgium have officially joined the Common Criteria Recognition Arrangement (CCRA) as Certificate Consuming participants. Their acceptance into the CCRA will greatly benefit the longevity and strength of the arrangement, increasing the number of CCRA participants to 33!

Dedicated Security Components Proposed Draft Public Review Period

The DSC iTC has published their latest draft for public review here: https://dsc-itc.github.io/#_public_review. The review period is open until October 11. Instructions for the review can be found in the Proposed Draft Overview here: https://dsc-itc.github.io/v2/2.0PD/Public_review_2.0-PD.pdf. The DSC iTC looks forward to any contributions!

The Dedicated Security Components iTC has published the v2.0 Public Review Draft 2 for comments.

Please visit the DSC-iTC home page for more information about the review period and process.

The HCD iTC has published their collaborative Protection Profile and Supporting Document v1.0e.

Please visit the HCD iTC home page for more information and to access the published documents.

The CCitC TC has published their first iteration of Guidance for CC Evaluations in the Cloud v1.0.

Please visit the CCitC TC home page for more information and to access the published document.

Publication of the Errata and Interpretations document for CC/CEM:2022

The final version of the errata and interpretations for CC/CEM:2022 is now published on the CCRA Portal
(https://www.commoncriteriaportal.org/cc/index.cfm).

Publication of the XML version of CC/CEM:2022

The XML version of the current CC/CEM:2022 is now published on the CCRA Portal (https://www.commoncriteriaportal.org/cc/index.cfm). A special thanks to "Miguel Bañón", WG3 Convenor, who created the XML version, the CCMB Chairs and the ISO Liaison Officer.

NDcPP v3.0 – Errata 20231206 has Published

The Network Fundamentals and Firewalls (NDFW) international Technical Community (iTC) has published Errata version of the Network Device Collaborative Protection Profile (ND cPP) v3.0 and ND SD v3.0. The errata versions replace the v2.2e documents with immediate effect.

iTC/cPP Process Document Officially Released

The CCMC has approved the official release of policy on Establishing International Technical Communities and Developing collaborative Protection Profiles. This document updates the previous draft policy document to simplify the process. Please see the document for further details.

CC in the Cloud Recognized as a Technical Community

The CC in the Cloud Working Group is now recognized by the CCDB as a Technical Community. Information on how to join the TC can be found here.

Portal Site Outage October 14th & 21st

The CC Portal website will be unavailable due to maintenance this Saturday, October 14^th, from 11:00am to 1:00pm EST, and on Saturday, October 21^st (Time TBD). We apologize for any inconvenience this may cause. Please plan accordingly.

Qatar Accepted as Certificate Authorizing Scheme

We are pleased to announce that Qatar has been accepted as a Certificate Authorizing Scheme. With this new incorporation, 18 Certificate Authorizing Schemes operate under the CCRA.

Poland Accepted as Certificate Authorizing Scheme

We are pleased to announce that Poland has been accepted as a Certificate Authorizing Scheme. With this new incorporation, 17 Certificate Authorizing Schemes operate under the CCRA.

Publication of CC:2022 Release 1

The Common Criteria Development Board is pleased to announce publication of CC:2022 Release 1.

New Zealand Transitions to a Certificate-Consuming Nation

After many years of close collaboration between Australia and New Zealand operating the Australasian Certification Authority, New Zealand has decided to relinquish its authorising status and remain in the CCRA as a certificate-consuming nation. This is to better reflect NZ’s level of effort to the Australasian Information Security Evaluation Program (AISEP) and the CCRA.  The AISEP's program name is now changed to 'Australian' from 'Australasian' to better reflect the status of the program that resides in Australia, and as a certificate authorising nation of the CCRA. These changes are effective October 2021.

The HCD iTC has published their collaborative Protection Profile and Supporting Document v1.0.

Please visit the HCD iTC home page for more information and to access the published documents.

The Biometrics Security iTC has published v1.1 of the PP-Module and Supporting Documents

Please visit the Biometrics Security iTC home page to access the published documents.

The HCD iTC has released their cPP draft for final public review

Please visit the HCD Technical Community page to review the draft and the related comment form.  The public commenting period will end on September 5, 2022.

The HCD iTC has released their Supporting Document draft for final public review

Please visit the HCD Technical Community page to review the draft and the related comment form.  The public commenting period will end on September 5, 2022.

The HCD iTC has released their Supporting Document for Public Review Draft 2

The HCD iTC has released their 2nd draft cPP for public review

Please visit the HCD Technical Community page to review the draft and the related comment form.  The public commenting period will end on January 31, 2022.

The HCD iTC has released their Supporting Document for Public Review Draft 1

Please visit the HCD Technical Community page to review the draft and the related comment form.  The public commenting period will end on November 15, 2021.

The Biometrics Security iTC has published the v1.1 Proposed Draft

Please visit the Biometrics Security iTC Status Page for more information about reviewing the draft and how to provide comments. The review period will end on November 5, 2021.

The HCD iTC has released their 1st draft cPP for public review

Please visit the HCD Technical Community page to review the draft and the related comment form.  The public commenting period will end October 8, 2021.

The Biometrics Security iTC has published the v1.1 Public Review Draft 1

Please visit the Biometrics Security iTC Status Page for more information about reviewing the draft and how to provide comments. This review period will end on August 15, 2021.

The Application Software iTC has released their draft documents for public review

Please visit the Application Software Technical Community page to get links to the documents posted on github. The public commenting period will end July 16, 2021.

The Biometrics Security iTC has published the Proposed Draft of the fingerprint presentation attack toolbox for public review

Please visit the Biometrics Security iTC home page for information about reviewing the draft and how to provide comments. The Proposed Draft period will end on May 7, 2021.

The Biometrics Security iTC has released the draft of the fingerprint Presentation Attack toolbox for public review

Please visit the Biometrics Security iTC home page for information about reviewing the draft and how to provide comments. The Public Review 1 period will end on February 5, 2021.

CCDB, CCES, CCMC November Meetings - Scheduled

The CCDB, CCES, plan to meet (virtually) 10-12 November 2020 from 1200-1600 UTC.

The CCMC plans to meet (virtually) on 13 November 2020 from 1100-1700 UTC.

Meeting details have been/will be sent to the committee aliases. 

Please contact the committee chairs with any topics or questions.

Biometrics Security iTC released Proposed (Release) Drafts of eye, face and vein Presentation Attack Toolboxes for public review

Please visit the Biometrics Security iTC home page to review the drafts and provide comments. The Proposed (Release) Draft period will end on October 26, 2020.

The DSC iTC has published their collaborative Protection Profile and Supporting Documents v1.0.

The DSC has also transitioned the project over to Github for all work moving forward. Please visit the DSC iTC home page for more information and to access the published documents.

The Biometrics Security iTC has released the drafts of the eye, face and vein Presentation Attack Toolboxes for public review

Please visit the Biometrics Security iTC home page to review the drafts and provide comments. The Public Review 1 period will end on August 31, 2020.

The DBMS iTC has published their collaborative Protection Profile and Supporting Documents v1.0.

Please visit the DBMS iTC home page to access the published documents.

The Biometrics Security iTC has published their PP-Module and Supporting Documents v1.0

Please visit the Biometrics Security iTC home page to access the published documents.

The DBMS iTC has extended their review period for their draft SD.

Please visit the DBMS Technical Community page to review the draft and the related comment form. 

The public commenting period will end June 5, 2020.

CC Portal Outage on April 15th at 12 p.m. EDT

The CC Portal will be undergoing a planned outage at 12 p.m. EDT on Wednesday, April 15, 2020, until 2 p.m. EDT that afternoon.  During this window of time, all site operations will be unavailable.  Please plan accordingly.  

The DSC iTC has released their draft cPP for public review

Please visit the DSC Technical Community page to review the draft and the related comment form. The public commenting period will end April 8, 2020.

CCDB/ES April Meetings - Canceled

Due to concerns around COVID-19, and the importance of keeping members from potential harm, the April meetings in Putrajaya, MY, have been canceled.

Any urgent matters can be brought to the attention of the CCRA Committee Chairs.

The DBMS iTC has released their draft cPP for public review

Please visit the DBMS Technical Community page to review the draft and the related comment form. The public commenting period will end April 17, 2020.

UK - Change of CCRA Status

The UK’s NCSC (National Cyber Security Centre) considers that effective cybersecurity requires a combination of: appropriate product development, architectural design, situational awareness, and agility of response to threats. Evaluation of individual products can play a part but, for the UK, its relevance, in the wider cybersecurity context , is diminishing and this has been reflected in the limited UK market and developer demand for certification. Following a review of its range of assurance services NCSC has therefore concluded that the operation of a national common criteria certification scheme is no longer an appropriate use of its resources and has ceased to be a certificate producer under the CCRA.

As a Certificate Consuming Participant, the UK will continue to recognise CCRA compliant certificates as providing a level of confidence in their respective products. The UK also remains committed to working with the Common Criteria community on the development of relevant Collaborative Protection Profiles (cPPs and their supporting documents), for technologies of interest to the UK, by contributing to associated international technical communities, and to the development of underlying International standards in ISO etc.

New Certificate Consuming Participant

We are pleased to announce the Slovak Republic has officially signed the Common Criteria Recognition Agreement (CCRA) as a Certificate Consuming participant. Their acceptance into the CCRA will greatly benefit the longevity and strength of the arrangement, increasing the number of CCRA participants to 31!

Biometrics Draft cPP Released for Public Review

Dedicated Security Components (DSC) Draft cPP Released for Public Review

The Dedicated Security Component (DSC) iTC has released the draft DSC cPP  for public review. 

Please visit the DSC Technical Community page to review the draft and the related comment form. The public commenting period will end 14 June 2019. 

International Common Criteria Conference

Singapore is pleased to host the 18th International Common Criteria Conference (ICCC) on the 1 - 3 October 2019, in conjunction with the Singapore International Cyber Week (SICW) 2019, at Suntec Singapore Convention & Exhibition Centre.
 
For more details on ICCC 2019, please visit https://www.iccc2019.com

FDE EE cPP v2.0 and FDE AA cPP v2.0 Erratas Published!

The Full Drive Encryption (FDE) international Technical Community (iTC) has published Errata versions of the FDE Encryption Engine (EE) Collaborative Protection Profile (cPP) v2.0, FDE EE Supporting Document (SD) v2.0,  FDE Authorization Acquisition (AA) cPP v2.0, and FDE AA SD v2.0. The Errata versions replace the v2.0 documents with immediate effect.

New Certificate Consuming Participant

We are pleased to announce that Indonesia has officially signed the Common Criteria Recognition Agreement (CCRA) as a Certificate Consuming participant. Their acceptance into the CCRA will greatly benefit the longevity and strength of the arrangement, increasing the number of CCRA participants to 30!

Singapore Accepted as Certificate Authorizing Scheme

With this new incorporation, 18 Certificate Authorizing Schemes operate under the CCRA.

New Certificate Consuming Participant

We are pleased to announce that Poland has officially signed the Common Criteria Recognition Agreement (CCRA) as a Certificate Consuming participant. Their acceptance into the CCRA will greatly benefit the longevity and strength of the arrangement, increasing the number of CCRA participants to 29!

Network Device Collaborative Protection Profile v2.1 Published!

The Network Fundamentals and Firewalls (NDFW) international Technical Community (iTC) has been working collaboratively to complete version 2.1 of the Network Device (ND) cPP and Supporting Document.  A special thanks to all who were involved in this effort!  More information can be found on the cPP and iTC pages.

ND cPP v2.0 - Errata 03142018 and FW cPP v2.0 - Errata 03142018 have Published!

The Network Fundamentals and Firewalls (NDFW) international Technical Community (iTC) has published Errata versions of the Network Device Collaborative Protection Profile (ND cPP) v2.0, ND SD 2.0,  and Stateful Traffic Filter Firewalls Collaborative Protection Profile (FW cPP) v2.0. The errata versions replace the v2.0 documents with immediate effect.

Full Drive Encryption Enterprise Management Collaborative Protection Profile Module v2.0 Published!

The Full Drive Encryption (FDE) international Technical Community (iTC) has been working collaboratively over the past several months to complete version 2.0 of the FDE Enterprise Management collaborative Protection Profile (cPP) Module. A special thanks to all who were involved in this effort! More information can be found on the cPP and iTC pages.

Supporting Document Procedure

The CCDB has posted an updated Supporting Document Procedure, which describes the process for development and approval of Supporting Documents.

ICCC Hosting

The CCRA committees invite individuals/companies to send expressions of interest for hosting future International Common Criteria Conferences to iccc@commoncriteriaportal.org.  In addition, please indicate if you would like to give a 10 minute presentation explaining your ICCC hosting capabilities during the upcoming CCRA meetings in Berlin, 24-27 October 2017.

Addendum for Exact Conformance Extended until December 2018

Trial use of the CCv3.1 R5 Addendum for Exact Conformance is effective immediately for all evaluations against collaborative Protection Profiles (or other PPs claiming exact conformance) starting on or after 31 July 2017.  Users of the Common Criteria are invited to provide comments and feedback on the addendum by 31 December 2017 to their national CCRA scheme.  Comments may also be provided through an international Technical Community which will then be forwarded to the CCRA iTC liaison.  All comments received by 31 December 2017 will be considered prior to finalisation of the Addendum.

*Amended per the CCDB meetings held in 4Q 2017*

The CCDB has extended trial use of the CCv3.1 R5 Addendum for Exact Conformance until 31 December 2018. Users of the Common Criteria are invited to provide comments and feedback on the addendum by 31 December 2018 to their national CCRA scheme.  Comments may also be provided through an international Technical Community which will then be forwarded to the CCRA iTC liaison.  All comments received by 31 December 2018 will be considered prior to finalisation of the Addendum.

Certificate Validity

The CCDB has approved a resolution to limit the validity of mutually recognized CC certificates over time.  Certificates will remain on the CPL for five years.  Effective 1 June 2019, certificates with an expired validity period (that is, 5 years or more from the date of certificate issuance) will be moved to an Archive list on the CCRA portal.

Draft Procedure for Public Review

This draft procedure defines the concept of certificate validity and presents a method to extend a certificate's validity date.  We welcome feedback on this document prior to 1 June 2018.  Please contact your national CCRA scheme to provide comments.

New Certificate Consuming Participant

We are pleased to announce that Ethiopia has officially signed the Common Criteria Recognition Agreement (CCRA) as a Certificate Consuming participant. Their acceptance into the CCRA will greatly benefit the longevity and strength of the arrangement, increasing the number of CCRA participants to 28!

International Common Criteria Conference

An International Common Criteria Conference will not occur in 2017.  The CCRA committees are considering ICCC hosting and format options for the future, with more information to be published as decisions are reached.

Full Drive Encryption (FDE) Enterprise Management Draft Available for Public Review

The FDE iTC has released the draft Enterprise Management module for public review.  Please visit the FDE Technical Community page to review the draft and related comment forms.  The public comment period will close on Friday, 26 May 2017.

Network Device Collaborative Protection Profile v2.0 Published!

The Network Fundamentals and Firewalls (NDFW) international Technical Community (iTC) has been working collaboratively over the past several months to complete version 2.0 of the Network Device (ND) cPP and Supporting Document.  A special thanks to all who were involved in this effort!  More information can be found on the cPP and iTC pages.

Publication of CC v3.1 Release 5

The Common Criteria Development Board is pleased to announce publication of CC v3.1 Release 5.

Application Software (AppSW) iTC Draft Document for Public Review

Dedicated Security Components (DSC) Draft Document Released for Public Review

The Dedicated Security Component (DSC) iTC has released the draft Capabilities, Assumption and Threats document for public review. 

Please visit the DSC Technical Community page to review the draft and the related comment form. The public commenting period will end 17 January 2017. 

CCDB DBMS WG provides ESR for DBMS cPP for public review

The DBMS WG, consisting of the certification schemes of Sweden and Germany, is pleased to provide the Essential Security Requirements (ESR) for the database management system cPP for public review according to the iTC/cPP process paper.

The WG is happy to receive any comments on the ESR until October 31st via email to Frank.Grefrath@bsi.bund.de and Fritz.Bollmann@bsi.bund.de.

Full Drive Encryption v2.0 Collaborative Protection Profiles Published!

The Full Drive Encryption (FDE) international Technical Community (iTC) has been working collaboratively over the past several months to complete version 2.0 of the FDE Encryption Engine (EE) and FDE Authorization Acquisition (AA) cPPs and Supporting Documents.  A special thanks to all who were involved in this effort!  More information can be found on the cPP and iTC pages.

New Draft Addendum for Network Device cPP Released for Public Review

The Network iTC has released an additional document for public review as part of the next version of the Network Device PP and SD. This document outlines the SFRs and EAs associated with the addition of DTLS as a secure communications protocol for protecting inter-TOE communications within a distributed TOE.

Please visit the Network Device Technical Community page to review the draft and the related comment form. The public commenting period will end September 2^nd, 2016.

Newest Draft of Network Device collaborative Protection Profile and Supporting Document Released for Public Review

The Network iTC is pleased to announce the public review of the next version of the Network Device cPP and Supporting Document. Please visit the Network Device Technical Community page to see the latest drafts and the related comment form. The public commenting period will end August 19, 2016.

CC and CEM Review – Extension of the ISO study period and the CCDB Managed Call for Input

The partially overlapping parallel reviews of Assurance Standards in general by ISO SC27WG3 and of the CC and CEM by the CCDB produced some very useful inputs and have both been extended to 22^nd August. The ISO extension call contains some refined/additional questions and can be found here: https://www.commoncriteriaportal.org/files/WG%203%20N1317%20SP_Extension_of_SP.pdf. The CCDB input will use the same process as in <http://www.commoncriteriaportal.org/workinggroups/CCReview.cfm> i.e. inputs need to be supported by a CCRA participant. Please note however that the ISO WG and the CCDB have agreed to share all relevant inputs so either route can be used.

Two New Certificate Consuming Participants

I am pleased to announce that Singapore and Qatar have officially signed the Common Criteria Recognition Agreement (CCRA) as Certificate Consuming participants. Their acceptance into the CCRA will greatly benefit the longevity and strength of the arrangement, increasing the number of CCRA participants to 27!

Please join me in welcoming them into the CCRA.

Greg Hills

CCRA Management Committee Chair

Common Criteria Portal Outage 10 June 2016 at 5:00 p.m. EDT

The Common Criteria Portal will be undergoing a planned outage at 5 p.m. EDT on Friday, June 10th 2016, until 9 p.m. EDT that evening.  During this window of time, site operations will be unavailable.  Please plan accordingly.

Kick-off teleconference for the Dedicated Security Components (DSC) iTC

The kick-off teleconference for the Dedicated Security Components (DSC) international Technical Community (iTC) will be held on Friday April 29th, at 7:00 a.m. EDT.

To join the iTC, please email: iTC-DSC@niap-ccevs.org. 

More information on the DSC iTC can be found here: https://www.commoncriteriaportal.org/communities/dedicated_security_components.cfm

Candidate iTC for Dedicated Security Components

The CCDB Dedicated Security Component Working Group has completed the Essential Security Requirements for Dedicated Security Components. Information on how to join the candidate iTC can be found here.

Candidate iTC for Application Software

The CCDB Application Software Working Group has completed the Essential Security Requirements for Application Software. Information on how to join the candidate iTC can be found here.

CC and CEM Review - The CCDB Managed Call for Input

Both the CCDB and ISO SC27WG3 are performing reviews involving the CC and the CEM.

Please click here for more information, as well as instructions on how to provide input to the review process.

ICCC Update

You have just 21 days to secure your place at ICCC.  Almost 300 delegates are registered for the BIGGEST Common Criteria event in recent years – Be part of it!  

For full details, see:   www.iccc15.org.uk

Draft USB cPP Released for Public Review

The preliminary USB cPP is available for public review. For more details, go to this topic in USB portable storage devices.

Voluntary Termination of Infocomm Development Authority Singapore

The Infocomm Development Authority (IDA) Singapore have advised that they are voluntarily terminating their participation in the CCRA.

Despite best efforts from elected representatives of the three CCRA committees who worked with representatives of IDA Singapore to consider alternate solutions, IDA Singapore have decided to Voluntarily Terminate their CCRA Participation.  IDA Singapore advised that local conditions have meant that they were unable to resource the program responsible for CCRA activities at a level that they saw as satisfactory.  IDA Singapore continue to recognise the valuable contribution the CCRA makes in raising the level of assurance of IT products in cyber defence.

The CCRA members and CCUF representative continue to collaborate working together in improving cyber security through the development of collaborative Protection Profiles.

The first collaborative Protection Profiles have been published!

The Full Drive Encryption (FDE) and Network Device (ND) international Technical Communities (iTC) have been working collaboratively over the past several months to complete the 

FDE Encryption Engine (EE), FDE Authorization Acquisition (AA), Network Device, and Firewall cPPs. A special thanks to all who were involved in this groundbreaking effort! 

More information can be found on the cPP and iTC pages.

December Newsletters have been Posted

Newsletter updates providing status and contact information for both the Full Disk Encryption and Network Device/Firewall collaborative Protection Profiles have been posted.

The USB iTC Security Problem Definition (SPD) has been posted for comment

The USB iTC Security Problem Definition (SPD) has been posted for comment.

Twenty-six countries agree on reform to improve cyber security certification through international public-private collaboration

(New Delhi, September 8th 2014) The governments of twenty-six nations have today ratified a revision of the Arrangement on the Recognition of Common Criteria Certificates In the field of Information Technology Security (a k a Common Criteria Recognition Arrangement – CCRA). The purpose of the revision is to raise the general security of certified information and communications technology products without increasing costs or preventing timely availability of such products from commercial companies.

To accomplish these goals, it has been agreed that international Technical Communities (iTCs) should be established. Such iTCs should promote fair competition in an international, multi-stakeholder, multi-sector environment with participation from both public and private sector. Through the collaboration in the iTC:s, security functional requirements and security testing requirements for products in targeted technical areas (such as firewalls, USB storage devices, full drive encryption products etc.) will be agreed and defined in collaborative Protection Profiles (cPPs) and supporting documents in accordance with the Common Criteria for Information Technology Security Evaluation standard (ISO/IEC 15408). The ultimate goal of the reform is to facilitate reasonable, comparable, reproducible and cost-effective IT-security evaluation results for such products.

The new collaborative approach agreed by the twenty-six CCRA signatory nations gives private sector stakeholders the opportunity to work with CCRA national governments in order to maximize market acceptance for each cPP, avoid unnecessary duplication of security requirement specifications for each technology domain, and share the effort of cPP development. Participation of product vendors in this process will promote fair competition and encourage increased availability of evaluated and certified ICT products including state-of-the-art technologies. Security testing laboratories also will contribute to iTC:s, promoting consistency between testing laboratories and alignment of effective IT-security testing activities.

The CCRA Committees will govern application of the updated arrangement including consideration and approval of technology areas, iTCs and supporting documents.

Today’s ratification of the new CCRA marks the beginning of a 36-month transition period. Product evaluations already in progress can continue according to the previous version of the CCRA. During the transition period, participating nations also have agreed to recognize re-certifications and maintenance addenda issued according to the previous version of the CCRA. After September 8th 2017, mutually recognized certificates will either require protection profile-based evaluations or claim conformance to evaluation assurance levels 1 through 2 in accordance with the new CCRA.

Several CCRA nations already have implemented the updated approach to Common Criteria IT-security evaluations with promising results. International technical communities are currently working in the areas of USB storage devices, full drive encryption, network device and firewall, with approximately 10 nations and 10-20 vendors participating in each iTC. Collaborative PPs are expected to be completed this September, when the 15th annual International Common Criteria Conference (ICCC) will be hosted by India (see http://www.15icccindia.com/).

With the astounding increased use of information and communication technology in the global society and with a rapidly increasing need for reliance on ICT-products, discussions were initiated about how Common Criteria and CCRA (which was initially ratified in 1999) could be reformed to meet this demand. After years of discussions among the national governments represented in CCRA, the management committee in September 2012 provided a vision statement for the future direction Common Criteria and the CCRA. Through the vision statement the CCRA management committee noted that the general security level of general ICT certified products needed to be raised without severely impacting price and timely availability of these products. To support that goal, the level of standardization should be increased by building Technical Communities (TC) developing collaborative Protection Profiles (“cPPs”) and supporting documents, in order to reach reasonable, comparable, reproducible and cost-effective evaluation results.

In September 2013, the management committee agreed in principle on the text of the new CCRA that would implement the vision statement. This text was made available for legal review and confirmation of readiness to sign to all CCRA nations at that time. At the meeting with the CCRA management committee in Istanbul March 21st this year, the final plan for ratification of the new CCRA was agreed. In July 2014 all nations had confirmed their readiness to sign the new CCRA and the final signature procedure could commence. The new CCRA was finally ratified on September 8th, 2014.

The chair of the CCRA management committee, Mr. Dag Ströman from Swedish government, notes that:

“Supported unanimously by twenty-six nations, the new CCRA represents one of the most significant and exciting reforms to improve cyber security at an international level. Within the framework of the new CCRA, stakeholders in cyber security are invited to define security functional and assurance requirements in international Technical Communities. Via open, transparent and consensus based public-private collaboration, the intricate balance between IT-security and the associated cost to achieve such security can be agreed. The intent is to achieve a higher degree of harmonization of security requirements and avoid unnecessary fragmentation. Such fragmentation is costly for the vendors, whom otherwise may have to certify products several times against similar but disparate national requirements. Another important goal is to make the development of IT-security requirements based on Common Criteria more agile and able to adapt over time to the ever changing threat landscape. The new CCRA is the result of many nations and people’s hard efforts. It has the potential to notably improve cyber security, which is absolutely essential in today’s global society.”

Using the international standard Common Criteria (ISO/IEC 15408), system users can specify their security functional- and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and security testing laboratories can evaluate the products to determine if they actually meet the claims. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard and repeatable manner at a level that is commensurate with the target environment for use that is comparable.

Through the Common Criteria Recognition Arrangement (CCRA), Twenty-six nations recognize certifications of IT-security products based on Common Criteria. The signatories of the new CCRA are government representatives from the following nations: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, the Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, United Kingdom, and the United States.

Full Disk Encryption collaborative Protection Profiles (cPPs) have been posted for comment

The Full Disk Encryption: Authorization Acquisition cPP and Supporting Document and the Full Disk Encryption: Encryption Engine cPP and Supporting Document have been posted and are available for review.  Please visit the Full Disk Encryption’s Technical Community to see the latest drafts and the related comment form.  Comments are requested by Friday, September 19th.

August newsletters have been posted

Newsletter updates providing status and contact information for both the Full Disk Encryption and Network Device/Firewall collaborative Protection Profiles have been posted.

Message from the chair of the CCRA Management Committee regarding the status of the ratification of the new CCRA

The ratification of the new CCRA is making good progress.  All nations of the current CCRA have completed their national process and formally acknowledged that they are ready to sign the new CCRA. The process of signing the new CCRA will soon commence. Once all signatures has been collected, the new CCRA is ratified and is in force. A date for when the new CCRA is ratified cannot be announced beforehand, since the CCRA participants cannot in advance commit to a date by which all signatures will have been collected. There have been no significant changes made to the text compared to what previously have been announced at the CC-portal. The draft of the new CCRA is found here.

Dag Ströman,

Chair, CCRA Management Committee.

The CCMC has released the FDE portal page

Read about Full Disk Encryptor in Technical Communites.

The CCMC has released the FW/ND portal page

Read about Network Fundamentals and Firewalls in Technical Communites.

Message from the chair of the CCRA Management Committee regarding the status of the ratification of the new CCRA

At the ICCC in Orlando an overview of the new  CCRA that had been agreed in principle by the CCRA Management Committee was presented, together with the rules for transition between the old ("current") and new CCRA. It was stated that the arrangement agreed in principle would undergo legal review in each country before final signing could commence and that it was expected that it would take between 6-12 months before the new arrangement would be ratified.

At the CCRA meeting in Istanbul the Management Committee discussed the status of the legal review of the CCRA and the plan for how to complete the signature procedure. The schedule for the revised CCRA advertised in Orlando looks so far to be accurate and the final ratification progress as expected. However, a date for when the new CCRA is ratified cannot be announced beforehand, since the CCRA participants cannot in advance commit to a date by which all signatures will have been collected.

When the new CCRA comes into force, it will be announced via the CC-portal.

Through the article 2 of the new CCRA, nations mutually recognise certificates with claims of compliance against Common Criteria assurance components of either:

1. a collaborative Protection Profile (cPP), developed and maintained in accordance with Annex K, with assurance activities selected from Evaluation Assurance Levels up to and including level 4 and ALC_FLR, developed through an International Technical Community endorsed by the Management Committee; or
2. Evaluation Assurance Levels 1 through 2 and ALC_FLR2.

Effective on the date of ratification, the signatories of the new CCRA agree:

a)      To recognize conformant certificates issued under the new CCRA;

b)      to recognise conformant certificates issued under the previous version the CCRA;

c)       to recognise certificates resulting from products accepted into the certification process prior to approval of the new CCRA according to the previous version of the arrangement; and

d)      for a period of 36 months from the date of ratification to recognise re-certifications and maintenance addenda issued according to the previous version of the CCRA. Thereafter, all participants shall limit recognition of certifications issued in accordance with Article 2.

The ratification of the new CCRA is still in progress.  All but a very few nations have completed their national process and formally acknowledged that they are ready to sign the new CCRA. A few nations are still processing this matter according to their national procedures. In the meanwhile, the Management Committee has agreed to make the draft text of the new CCRA publicly available. It should be noted that the text of the new CCRA is made available "as-is"; the text is not yet formally ratified and may still be subject for updates without notice.

The draft of the new CCRA is found here.

Dag Ströman,

Chair, CCRA Management Committee.

Australia has posted a Position Statement

Australia has posted a Position Statement regarding the USB Portable Storage Device ESR. Other Position Statements pertaining to the USB effort can be found in USB Portable Storage Device Position Statements.

USB iTC Informal Get-together During RSA

There will be an informal get-together during the RSA Conference in San Francisco. Anyone who has an interest to participate in the USB iTC that is to be established is invited to join us on Tuesday 5.30pm at:

Johnny Foley's
243 O'Farrell St, San Francisco, CA 94102
http://www.johnnyfoleys.com/

USB iTC Kick-off Meeting

The USB iTC kick-off will be held March 5th at 20.00 GMT. The time was chosen to allow for participation from the largest number of nations spread across multiple timezones around the world. The logistics of the meeting are still being worked. The intent is to use a teleconference capability that has been offered by one of the USB vendors, which can host a large number of concurrent connections.

Details, including the agenda, will be posted on the CC Portal and the USB Secure Alliance website when they become available

PLEASE NOTE: This meeting is aimed at vendors/Labs/etc who expect to actively participate in the USB iTC. To keep the USB kick-off meeting efficient, a set of more general teleconferences will also be provided on a number of dates (and times) during March - (details to follow) and those who are interested, but whose focus may be in other technologies, are encouraged to take part in those calls instead.

USB iTC Registration

The interim group of vendors who are assisting in the establishment of the USB iTC have created a registration form at their website here -> http://www.secureusballiance.org/register where stakeholders can get registered for participation in the iTC.  The iTC will be an independent entity, where vendors, schemes, labs, and other agencies can collaborate in a transparent and consensus-based manner."

UK has posted a Position Statement

UK has posted a Position Statement regarding the USB Portable Storage Device ESR. Other Position Statements pertaining to the USB effort can be found  in USB Portable Storage Device Position Statements

Germany has posted a Position Statement

Germany has posted a Position Statement regarding the USB Portable Storage Device ESR. Other Position Statements pertaining to the USB effort can be found  in USB Portable Storage Device Position Statements

Sweden has posted a Position Statement

Sweden has posted a Position Statement regarding the USB Portable Storage Device ESR. Other Position Statements pertaining to the USB effort can be found  in USB Portable Storage Device Position Statements

CCDB USB Working Group Announcement

The CCDB USB Working Group has completed the Essential Security Requirements for a USB Portable Storage Device. Information on international Technical Communities can be found here, and information
pertaining to the USB effort can be found here.

India to host 2014 International Common Criteria Conference!

From the Chair of the CCRA Management Committee:

"It is with great pleasure that I’m able to announce the host for the 2014 ICCC. Our newest Certificate Authorizing Member, India, has graciously invited the CCRA to their country for the CCRA/CCUF 2014 Quarter 3 meetings and the International Common Criteria Conference. Please visit the CCRA Portal ICCC tab for future updates on date, venue and their hosting web site.
Dag Ströman, Chair CCRA Management Committee"

India Accepted as Certificate Authorizing Scheme.

On August 30^th 2013, the CCRA Management Committee voted yes to accept India as a certificate authorizing participant in the CCRA.

With this acceptance, 17 Certificate Authorizing Schemes operate under the CCRA.

CCRA Management Committee Chair's ICCC Announcement

The following presentation was given by the CCRA Management Committee Chair regarding the agreement to a revised CCRA and Transition Plan.

CCRA MC Chair Report to 14th ICCC

Common Criteria Users Forum.

The Common Criteria Users Forum (CCUF) mission is to provide a voice and communications channel amongst the CC community including the vendors, consultants, testing laboratories, Common Criteria organizational committees, national schemes, policy makers, and other interested parties.

The CCUF web page is located at: http://www.ccusersforum.org.

CCRA Management Committee Vision statement for the future direction of the application of the CC and the CCRA

The CCRA Management Committee (CCMC) has at the meeting in Paris, September 17 2012, agreed on a Vision Statement for the future direction of the application of the CC and the CCRA.

6th Newsletter for the 13th ICCC now available!

The 6th Newsletter for the 13th ICCC is now available from the 13th ICCC website. Please visit http://www.iccc2012paris.com/en/downloads to download the newsletter.

May Newsletter for the ICCC 2012 in Paris now available.

The May edition of the ICCC 2012 in Paris is now available. Click here to read this paper online.

ICCC2012 Newsletter available.

From the chairman of the French Scheme:

"I am pleased to inform you that the ICCC 2012 organisation committee has issued the first Newsletter for ICCC 2012. You can retrieve it from the ICCC 2012 website at http://www.iccc2012paris.com/en/downloads."

CCDB Request For Comments

As announced at the last ICCC, the CCDB is trialing a process of requesting comments on selected items. This document, Characterizing Attacks to Fingerprint Verification Mechanisms is the first example of the use of this process. The document will be discussed by the CCDB at their meeting on 20/21 March and comments, via your national CC schemes, before that date are therefore welcomed.

At the CCDB meeting in March 2012, the topic of requesting comments for this document was discussed. All agreed to extend the comment date to 1 Sept 2012. It will be added to the CCDB agenda at the Sept 2012 meeting.

13th International Common Criteria Conference

The 13th International Common Criteria Conference will take place from 18 - 20 September 2012 in Paris, France.

Malaysia accepted as Certificate Authorizing Scheme

With this new incorporation, 15 Certificate Authorizing Schemes operate under the CCRA.

ICCC 12 Abstract Submissions Being Accepted

The due date for abstract submissions for the 2011 ICCC is 31 May 2011. Submit your abstract at http://12iccc.cybersecurity.my/papers.html.

12th International Common Criteria Conference

Turkey accepted as Certificate Authorizing Scheme

With this new incorporation, 14 Certificate Authorizing Schemes operate under the CCRA.

Regarding the application of CC by non-members of the CCRA

“The Management Committee of the Common Criteria Recognition Arrangement is aware that there are Common Criteria evaluation- and certification schemes established by countries who are not participants of the Arrangement.

The MC members share information about this development and discuss any potential consequences this has for their respective governments and other stake holders of the CCRA.

The governments of respective CCRA participant are informed about the result of these discussions and each government may act as it deem appropriate, which may include bi-lateral and/or multilateral dialogue.

The participants of the CCRA continues to share the original objectives of the arrangement and note that CCRA is open for new applications for membership.”

The Common Criteria Portal is under transition to a new management team. All previous user functionality should be available as they were previously, with some initial modifications to improve functionality. If you experience any issues, please contact us and include the page(s) on which you experienced the issue(s), your web browser name and version, and your contact information. We will correct the problem as soon as possible and reply back.

Italy accepted as Certificate Authorizing Scheme

With this new incorporation, 13 Certificate Authorizing Schemes operate under the CCRA.

New release 3 of the CC/CEM v3.1!

Release 3 of the CC/CEM v3.1 is now available.

New guides on transition to CC v3.1 and developer documentation!

New guides on transition to CC v3.1 and developer documentation are now available