Getting a Lab Accreditation

The CCEVS is currently undergoing some program adjustments, to include resource constraints for accrediting new candidate laboratories. At this time, we are not accepting letters of intent to become a candidate Common Criteria Testing Laboratory.

IT security evaluations are conducted by commercial testing laboratories accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the Evaluation Body. These approved testing laboratories are called Common Criteria Testing Laboratories (CCTL). NVLAP accreditation is the primary requirement for becoming a CCTL. The purpose of the NVLAP accreditation is to ensure that laboratories meet the requirements of ISO/IEC Guide 25, General Requirements for the Competence of Calibration and Testing Laboratories, and the specific scheme requirements for IT security evaluations.

With respect to NVLAP, the scope of accreditation is defined to be the particular test methods that a laboratory will use in conducting IT security evaluations. A testing laboratory will choose its scope of accreditation from a list of approved test methods developed by the Validation Body. The Validation Body maintains a NIAP Approved Test Methods List for use by a laboratory in selecting its proposed scope of accreditation. The Validation Body will coordinate with NVLAP to assure that appropriate accreditation is made available to CCTLs. Once NVLAP accreditation is received and any additional scheme-specific requirements are met, the CCTL will be placed on the NIAP Approved Laboratories List. Placement on the approved laboratories list enables the CCTL to conduct IT security testing within the scope of its NVLAP accreditation. Figure 3 depicts the typical process flow for laboratory accreditation and approval.

A testing laboratory interested in becoming a CCTL must:

  1. receive NVLAP accreditation for the appropriate scope of test methods;
  2. satisfy NIAP CCEVS specific requirements.

At present, there are only three scheme-specific requirements imposed by the Validation Body. NIAP approved CCTLs must:

  1. reside within the U.S. and be a non-governmental legal entity, duly organized and incorporated, validly existing, and in good standing under the laws of the state where the laboratory intends to do business;
  2. agree to accept U.S. Government technical oversight and validation of evaluation-related activities in accordance with the policies and procedures established by the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS);
  3. agree to accept U.S. Government participants in selected Criteria evaluations conducted by the laboratory in accordance with the policies and procedures established by the NIAP CCEVS.

To avoid unnecessary expense and delay in becoming a NIAP approved testing laboratory, it is strongly recommended that prospective CCTLs ensure that they are able to satisfy the scheme-specific requirements prior to seeking accreditation from NVLAP. This can be accomplished by sending a letter of intent to the Validation Body prior to entering the NVLAP process. A sample letter of intent is provided in Annex H of Scheme Publication #1.

The Validation Body reserves the right to levy additional scheme-specific requirements (either technical or administrative), as necessary, when deemed to be in the interest of the U.S. Government and overall evaluation and validation effort.
