We (previously as CESG, now as the NCSC) have been working with the international Common Criteria Development Board (CCDB) to address concerns regarding the efficiency and effectiveness of the Common Criteria process.
In 2014, the CCDB agreed to use 'technical communities' (consisting of end users, consumers, developers, evaluators and Certification Bodies) to develop Protection Profiles (PPs) and supporting documents for each significant area of technology. The long-established technical community for smartcards showed how such an approach can be used to manage subjectivity in the evaluation process in a consistent way.
We support the formation of these technical communities and we are providing inputs to each of them, with vulnerability, mitigation and assessment evidence being particularly important. We are also working to align these inputs with the Security Characteristics used in the Commercial Product Assurance (CPA) process at Foundation Grade.
As of September 2015, requests for certification (whether for new evaluations or re-evaluations), other than those for 'smartcards and similar devices' or 'hardware devices with security boxes', must claim conformance to a Collaborative Protection Profile (cPP) or a UK-endorsed National Protection Profile. However, the Certification Body will still consider requests for assurance maintenance involving 'minor' changes, at the original Evaluation Assurance Level (EAL), for a period of two years from the original certification date.