Scheme

Common Criteria

Created:  03 Sep 2015
Updated:  01 August 2016
About the Common Criteria (CC) scheme

CC is a widely recognised international scheme used to assure security-enforcing products. It provides formal recognition that a developer's claims about the security features of their product are valid and have been independently tested against recognised criteria, to a formalised methodology.

CC meets the needs of government end users, who require formal assurance that the product meets their IA requirements. Where they are to use a product containing cryptography, it may also need a separate NCSC-led cryptographic evaluation. The output of a formal evaluation is a report produced by the Commercial Evaluation Facility (CLEF). The results of this evaluation report are then verified and documented in a certification report, produced by NCSC.

All CC evaluations in the UK are overseen and certified by the Certification Body (CB) based at NCSC. UK certificates are recognised in many countries around the world.

Security evaluations are carried out by independent Commercial Evaluation Facilities (CLEFs). You can find details of the contributions required from the customer and the CLEF in UKSP documents (see Common Criteria collection).

Certification only applies to a specific version of a product. Assurance Maintenance options enable the validity of the certificate to be extended as the product evolves.

Products are tested against a Protection Profile which defines how they should operate.

Note
Work is underway to consider how to support the demand for the creation of collaborative Protection Profiles using 'technical communities' for each significant area of technology. For more information, see Common Criteria Joint Statement of Support.

NCSC will consider products that claim conformance to an approved Protection Profile - see Summary of policy of the NCSC Certification Body.

The list of certified products available on the CC portal (http://www.commoncriteriaportal.org/) includes all CC products certified under the UK scheme.

Acceptance criteria

The UK scheme is moving towards a Protection Profile based approach to Common Criteria. To be evaluated under the UK scheme, products must either:

  • claim conformance to a Collaborative Protection Profile

  • claim conformance to a UK Endorsed National Protection Profile

  • be categorised under one of the SOG-IS IT technical domains, with our agreement

Note
We recognise that not every secure product can be evaluated against these criteria. If you require evaluation of a product in a technology area for which no Protection Profile exists, please Contact us for further guidance.

Applying for CC Certification

You should contact a CLEF to discuss requirements. Product vendors contract directly with the CLEF and agree a charge for the testing work with them. NCSC charge the CLEF a fee, per evaluation.

The Certification Body

The Certification Body is accredited by the United Kingdom Accreditation Service (UKAS) to approved international standards to provide conformity certification for CC.

A voice for the Common Criteria community

The Common Criteria Users Forum (CCUF — http://ccusersforum.org/) provides a communications channel for the CC community.

Mutual Recognition

The Common Criteria Recognition Arrangement (CCRA — www.commoncriteriaportal.org/ccra/) provides for recognition of CC certificates issued by various countries. For a full list, see the CC Portal (www.commoncriteriaportal.org).

Within Europe, recognition of CC certificates up to EAL7 (for IT products related to certain technical domains only) has additionally been agreed under the SOG-IS Agreement by: Finland, France, Germany, Netherlands, Norway, Spain, Sweden and the UK.

Mutual recognition of Information Technology Security Evaluation Criteria (ITSEC) certificates has also been agreed under the SOG-IS agreement.

Note
As the ITSEC assurance approach is obsolete, any continued use of ITSEC should be discussed with the NCSC Certification Body — Contact us.

For more information on the international CC and mutual recognition through membership of the CCRA see the relevant page on the CC Portal — www.commoncriteriaportal.org/ccra/.

Other related material

You can find various CC and CC-related documents at Common Criteria collection.

Joint Interpretation Library

How to become an approved test facility
