The United Kingdom has also put in place a number of alternative systems where it has been found that the deadlines, costs and overheads of mutual recognition hamper the functioning of the market. Any Certificate Authorising Participant in the CCRA ensures that assessments are carried out to high and consistent standards. This system of recognition of IT security certification standards between Member States is called Mutual Recognition (MR) and makes double assessment superfluous. This agreement is currently limited to the first four security levels of the Common Criteria, EAL1 to EAL4, without cryptographic functionality.

This assumption is included in the Controlled Access Protection Profile (CAPP), to which its products adhere. Based on these and other assumptions, which may not be realistic for the common use of general-purpose operating systems, the claimed security features of Windows products will be evaluated. Therefore, they should only be considered secure in the specified circumstances, also known as evaluated configurations.

The procedures entitled “Multiple Certification Bodies in a Country/Trade Certification Bodies” and “Time Criteria for the Transfer of a Certificate Authorizing a Certificate to a Participant in the Certificate Authorizer” should be consulted by nations considering applying for Certificate Holding Participant status. These procedures extend the decisions taken by the Management Committee with a view to the implementation of the Agreement.

In addition to the Common Criteria standard, there is also a Common Criteria MRA (Mutual Recognition Arrangement) sub-treaty in which each party recognizes assessments based on the Common Criteria standard that are performed by other parties. It was originally signed in 1998 by Canada, France, Germany, the United Kingdom and the United States; Australia and New Zealand were added in 1999, followed by Finland, Greece, Israel, Italy, the Netherlands, Norway and Spain in 2000.
Since then, the arrangement has been renamed the Common Criteria Recognition Arrangement (CCRA) and membership continues to grow. Within the CCRA, only evaluations up to EAL 2 are mutually recognized (including augmentation with flaw remediation). European countries under the previous ITSEC agreement generally also recognise higher EALs.
Assessments at EAL5 and above generally focus on the security requirements of the host country's government. In September 2012, a majority of CCRA members issued a vision statement to reduce mutual recognition of CC-evaluated products to EAL 2 (including augmentation with flaw remediation). In addition, this vision indicates a drop in assurance levels, and assessments will be limited to compliance with protection profiles that do not have a specified security level. This is to be achieved through technical working groups that develop PPs on a global scale; a transitional period has not yet been fully defined. In early 2011, the NSA/CSS published a paper by Chris Salter proposing an assessment approach based on the protection profile. In this approach, interest groups are formed around types of technologies and, in turn, develop protection profiles that define the methodology for assessing each type of technology. The objective is a more robust assessment. There are some concerns that this could have a negative impact on mutual recognition.
 * Some systems may choose to use the concept of validation rather than certification. For the purposes of this Recognition Convention, the terms shall be considered equivalent in their meaning and specific purpose, as stated in the glossary in Annex A.

It is assumed that all other systems with which the EU communicates are subject to the same management control and operate under the same security policy restrictions. . . .