Common Criteria Recognition Arrangement

Following the development of the Common Criteria, the National Institute of Standards and Technology and the National Security Agency, in cooperation and collaboration with the U.S. State Department, worked closely with their partners in the CC Project to produce a mutual recognition arrangement for IT security evaluations. In October 1998, after two years of intense negotiations, government organizations from the United States, Canada, France, Germany, and the United Kingdom signed the historic recognition arrangement for Common Criteria-based IT security evaluations. The Arrangement, officially known as the Arrangement on the Mutual Recognition of Common Criteria Certificates in the Field of IT Security (.pdf), was a significant step forward for government and industry in IT product and protection profile security evaluations. The U.S. Government and its foreign partners in the Arrangement share the following objectives with regard to evaluations of IT products and protection profiles:

  • Ensure that evaluations of IT products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles.
  • Increase the availability of evaluated, security-enhanced IT products and protection profiles for national use.
  • Eliminate duplicate evaluations of IT products and protection profiles.
  • Continuously improve the efficiency and cost-effectiveness of security evaluations and the certification/validation process for IT products and protection profiles.

In October 1999, Australia and New Zealand joined the Mutual Recognition Arrangement increasing the total number of participating nations to seven. Following a brief revision of the original Arrangement to allow for the participation of both certificate-consuming and certificate-producing nations, an expanded Recognition Arrangement was signed in May 2000 at the 1st International Common Criteria Conference by Government organizations from thirteen nations. These include: the United States, Canada, France, Germany, the United Kingdom, Australia, New Zealand, Italy, Spain, the Netherlands, Norway, Finland, and Greece. The State of Israel became the fourteenth nation to sign the Recognition Arrangement in November 2000. As of March 2008, twenty five countries are currently part of the CCRA. Thirteen countries (United States, Australia, Canada, France, Germany, Japan, Netherlands, New Zealand, Norway, Spain, South Korea, Sweden, and the UK) are Certificate Producers, and 12 countries (Austria, Czech Republic, Denmark, Finland, Greece, Hungary, India, Israel, Italy, Malaysia, Singapore and Turkey) are Certificate Consumers.

Image of CCRA Producer and Consumer Flags

Participants in Recognition Arrangement

U.S. Management Committee Representatives

Arrangement on the Recognition of Common Criteria Certificates in the Field of Information Technology Security, 23 May 2000 PDF Document