Common Criteria Recognition Arrangement

CCRA Participants

Certificate Producers

Australia
Australia
Canada
Canada
France
France
Germany
Germany
Italy
Italy
Japan
Japan
Malaysia
Malaysia
Netherlands
Netherlands
Norway
Norway
New Zealand
New Zealand
South Korea
South Korea
Spain
Spain
Sweden
Sweden
Turkey
Turkey
United Kingdom
United Kingdom
United States
United States

Certificate Consumers

Austria
Austria
Czech Republic
Czech Republic
Denmark
Denmark
Finland
Finland
Greece
Greece
Hungary
Hungary
India
India
Israel
Israel
Pakistan
Pakistan
Singapore
Singapore

Following the development of the Common Criteria, the National Institute of Standards and Technology and the National Security Agency, in cooperation and collaboration with the U.S. State Department, worked closely with their partners in the CC Project to produce a mutual recognition arrangement for IT security evaluations. In October 1998, after two years of intense negotiations, government organizations from the United States, Canada, France, Germany, and the United Kingdom signed the historic recognition arrangement for Common Criteria-based IT security evaluations. The Arrangement, officially known as the Arrangement on the Mutual Recognition of Common Criteria Certificates in the Field of IT Security (.pdf), was a significant step forward for government and industry in IT product and protection profile security evaluations. The U.S. Government and its foreign partners in the Arrangement share the following objectives with regard to evaluations of IT products and protection profiles:

  • Ensure that evaluations of IT products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles.
  • Increase the availability of evaluated, security-enhanced IT products and protection profiles for national use.
  • Eliminate duplicate evaluations of IT products and protection profiles.
  • Continuously improve the efficiency and cost-effectiveness of security evaluations and the certification/validation process for IT products and protection profiles.

In October 1999, Australia and New Zealand joined the Mutual Recognition Arrangement increasing the total number of participating nations to seven. Following a brief revision of the original Arrangement to allow for the participation of both certificate-consuming and certificate-producing nations, an expanded Recognition Arrangement was signed in May 2000 at the 1st International Common Criteria Conference by Government organizations from thirteen nations. These include: Australia, Canada, Finland, France, Germany, Greece, Italy, the Netherlands, New Zealand, Norway, Spain, the United Kingdom, the United States. The State of Israel became the fourteenth nation to sign the Recognition Arrangement in November 2000.

As of November 2010, twenty-six countries are currently part of the CCRA. Fifteen countries (Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, Norway, South Korea, Spain, Sweden, Turkey, the United Kingdom, and the United States) are Certificate Producers, and eleven countries (Austria, Czech Republic, Denmark, Finland, Greece, Hungary, India, Israel, Malaysia, Pakistan, and Singapore) are Certificate Consumers.