Agreement on the recognition of certificates of Common Criteria in the field of information technology security.

The Agreement on the recognition of certificates of Common Criteria in the field of information technology security (known by its initials in english CCRA) specifies the required profile of common criteria Certificates, certification bodies and Evaluation of the security of information technologies.

The Agreement that the use of products and systems of information technology (TI) whose security has been certified is one of the main safeguards to protect the information and the systems that operate them.

The security certificates are issued by recognized certification Agencies to products or it systems (or profiles of protection) that have been successfully evaluated by evaluation services, in accordance with the common standards (ISO/IEC 15408). In Spain the certificates are issued by the The certification body of the national assessment and certification of the It security.

The current version of the Agreement it was ratified and published on 8 september 2014 by 26 countries, including Spain; on the part of our country, the ratification was carried out jointly between the centre Cryptologic, national and the state secretariat for Public administrations. The 26 countries signatories are: Austria, Australia, Canada, united states, denmark, finland, France, greece, hungary, India, Israel, italy, japan, Malaysia, netherlands, new Zealand, norway, Pakistan, united kingdom, czech republic, republic of korea, singapore, sweden and Turkey.

This new version of the agreement that seeks to facilitate the assessment of the security of information technologies are reasonable, comparable, reproducible and efficient. It also promotes better collaboration público-privada through the establishment of so-called international technical communities (international Technical Communities (iTCs)) and the definition of functional requirements of security through the profiles of collaborative protection (collaborative Protection Profiles (cPPs)) applicable to products such as USB devices, firewall, cifradores of cds, etc.

The beneficiaries of the agreement

Among the beneficiaries of the agreement are:

• Public Administrations, to establish the basis of information security and basic infrastructures that handle IT.

• The industry, to find wider markets to products and systems that YOU have the added value of the certificate.

• Consumers (individuals, companies and AA.PP.), in order to have wider choice of products and systems such as insurance certificates to protect your information and services.

The Agreement is interested, in particular, for the National security (Royal Decree 311/2022, of 3 may) that, in connection with the acquisition of products, provides for:

• will be used, in a way commensurate with the category of the system and the level of security, those security products certified with the functionality of the security council related to the object of acquisition, (item 19.1);
• recognizes the Certification body the national assessment and certification of security of information centre, set up National Cryptologic, under article 2.2.c) of the royal decree 421/2004, of 12 march, which regulates the Centre National Cryptologic (item 19.2);
• Use Catalogue of products and services of the Security information and communication technologies (Guide CCN-STIC 105 CPSTIC) the NCC, to choose the products or services provided by a third forming part of the security architecture of the system and those who referencien expressly on the measures of this royal decree (Annex II, measure [op.pl.5 certificates] Components)

Background

The first agreement was ratified on 23 may 2000, in Baltimore (Maryland, United States), by Australia, canada, germany, spain, united states of america, finland, france, greece, italy, netherlands, new Zealand, the netherlands and the united kingdom. Subsequently were incorporating other countries. On behalf of the kingdom of Spain signed that Under the ministry of Public administrations.

From 17 august 2006, spain changed their status in the agreement and became a participant accredited to issue an information technology security.

Forerunner of the agreement was the agreement of mutual recognition of certificates of the evaluation of the security of information technologies, whose geographical scope initially concern to european countries and whose reference standard was first ITSEC, which were subsequently added Common Criteria.