Is the Common Criteria Community Growing?

common criteria

The short answer is, "yes." A longer answer follows. 

The National Security Agency/Central Security Service (NSA/CSS) leads the United States Government (USG) in cryptology that encompasses both signals intelligence (SIGINT) and information assurance (now referred to as cybersecurity) products and services. It also enables computer network operations (CNO) to gain a decisive advantage for the United States and its allies under all circumstances.  For data-at-rest encryption, the NSA supports two programs: Type 1 and Commercial Solutions for Classified (CSfC). The Type 1 encryption products can be considered government off-the-shelf (GOTS) and follow the NSA's classified test and evaluation processes.  The CSfC encryption products can be regarded as commercial off-the-shelf (COTS) and follow publicly available test and evaluation common criteria (CC) processes. For a CSfC product to be approved by the NSA, it must be tested and evaluated by the National Information Assurance Partnership (NIAP).

Common Criteria


The United States is an Active Member of the CC Community

NIAP is responsible for the United States implementation of CC, including management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. In addition, NIAP manages a national program for developing protection profiles, evaluation methodologies, and policies that will ensure achievable, repeatable, and testable requirements. In partnership with the National Institute of Standards and Technology (NIST), NIAP also approves Common Criteria Testing Laboratories to conduct these security evaluations in private sector operations across the United States. COTS product developers select and hire a lab from the list to perform the CC evaluations and then report those findings to NIAP.  

The Common Criteria Recognition Arrangement (CCRA) is an international organization that is the driving force for the most comprehensive available mutual recognition of secure IT products. The participants in this arrangement share the following objectives:

  1. To ensure that evaluations of information technology (IT) products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles;
  2. To improve the availability of evaluated, security-enhanced IT products and protection profiles;
  3. To eliminate the burden of duplicating evaluations of IT products and protection profiles; and
  4. To continuously improve the efficiency and cost-effectiveness of the evaluation and certification/validation process for IT products and protection profiles.

Once a COTS encryption product is certified by NIAP for CC compliance, it will be listed not only on the NIAP Product Compliant List but also by CCRA on the Certified Products list. All 31 members of the CCRA recognize these certified products (as of August 2020). There are currently 17 Certificate Authorizing Members and 14 Certificate Consuming Members. Thus, an evaluation performed by an approved lab and certified by the CCRA member body in one country is recognized by all members of the CCRA — there is no need to reevaluate an IT product in each country. This process is a massive time-saver for consumers of IT products in these 31 countries (and potentially for other non-member countries too).  

CCRA Membership is Growing

From only four members in 1998 to 31 members in 2020, the CCRA has continually grown since its initial organization. CCRA membership is expected to continue to grow in the future. 

Year Number of CCRA Members
1998 4
1999 7
2000 14
.... ….
2018 29
2020 31

As countries recognize the benefits of CCRA membership, the CCRA continues to grow. As a result, IT product consumers in those countries save time and money by using certified products recognized by their respective countries.

COTS IT product developers are also reaping the benefits of getting a product certified and listed by the CCRA. Certified products are immediately recognized by 31 countries worldwide, which gives IT product developers a broader export market readily available.