The Common Criteria model provides for the separation of the roles of evaluator and certifier. Product certificates are awarded by national schemes on the basis of evaluations carried by independent testing laboratories.
A Common Criteria testing laboratory is a third-party commercial security testing facility that is accredited to conduct security evaluations for conformance to the Common Criteria international standard. Such facility must be accredited according to ISO/IEC 17025 with its national certification body.
List of laboratory designations by country:
Common Criteria Recognition Arrangement (CCRA) or Common Criteria Mutual Recognition Arrangement (MRA) [1] is an international agreement that recognizes evaluations against the Common Criteria standard performed in all participating countries.
It is mutually understood that, in respect of IT products and protection profiles, the Participants plan to recognise the Common Criteria certificates which have been authorised by any other certificate authorising Participant in accordance with the terms of this Arrangement and in accordance with the applicable laws and regulations of each Participant.
— International Agreement, Arrangement on the Recognition of Common Criteria Certificates In the field of Information Technology Security
There are some limitations to this agreement and, in the past, only evaluations up to EAL4+ were recognized. With on-going transition away from EAL levels and the introduction of NDPP evaluations that “map” to up to EAL4 assurance components continue to be recognized.
In the United States the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) accredits CCTLs to meet National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme requirements and conduct IT security evaluations for conformance to the Common Criteria.
These laboratories must meet the following requirements:
CCTLs enter into contractual agreements with sponsors to conduct security evaluations of IT products and Protection Profiles which use the CCEVS, other NIAP approved test methods derived from the Common Criteria, Common Methodology and other technology based sources. CCTLs must observe the highest standards of impartiality, integrity and commercial confidentiality. CCTLs must operate within the guidelines established by the CCEVS.
To become a CCTL, a testing laboratory must go through a series of steps that involve both the NIAP Validation Body and NVLAP. NVLAP accreditation is the primary requirement for achieving CCTL status. Some scheme requirements that cannot be satisfied by NVLAP accreditation are addressed by the NIAP Validation Body. At present, there are only three scheme-specific requirements imposed by the Validation Body.
NIAP approved CCTLs must agree to the following:
A testing laboratory becomes a CCTL when the laboratory is approved by the NIAP Validation Body and is listed on the Approved Laboratories List.
To avoid unnecessary expense and delay in becoming a NIAP-approved testing laboratory, it is strongly recommended that prospective CCTLs ensure that they are able to satisfy the scheme-specific requirements prior to seeking accreditation from NVLAP. This can be accomplished by sending a letter of intent to the NIAP prior to entering the NVLAP process.
Additional laboratory-related information can be found in CCEVS publications:
In Canada the Communications Security Establishment Canada (CSEC) Canadian Common Criteria Scheme (CCCS) oversees Common Criteria Evaluation Facilities (CCEF). Accreditation is performed by Standards Council of Canada (SCC) under its Program for the Accreditation of Laboratories – Canada (PALCAN) according to CAN-P-1591, the SCC’s adaptation of ISO/IEC 17025-2005 for ITSET Laboratories. Approval is performed by the CCS Certification Body, a body within the CSEC, and is the verification of the applicant's ability to perform competent Common Criteria evaluations.
Conformance testing — an element of conformity assessment, and also known as compliance testing, or type testing — is testing or other activities that determine whether a process, product, or service complies with the requirements of a specification, technical standard, contract, or regulation. Testing is often either logical testing or physical testing. The test procedures may involve other criteria from mathematical testing or chemical testing. Beyond simple conformance, other requirements for efficiency, interoperability or compliance may apply. Conformance testing may be undertaken by the producer of the product or service being assessed, by a user, or by an accredited independent organization, which can sometimes be the author of the standard being used. When testing is accompanied by certification, the products or services may then be advertised as being certified in compliance with the referred technical standard. Manufacturers and suppliers of products and services rely on such certification including listing on the certification body's website, to assure quality to the end user and that competing suppliers are on the same level.
The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It is currently in version 3.1 revision 5.
In computing, security-evaluated operating systems have achieved certification from an external security-auditing organization, the most popular evaluations are Common Criteria (CC) and FIPS 140-2.
The Federal Information Processing Standard Publication 140-2,, is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. Initial publication was on May 25, 2001, and was last updated December 3, 2002.
The Evaluation Assurance Level of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL level does not measure the security of the system itself, it simply states at what level the system was tested.
The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptography modules.
Various governments require a certification of voting machines.
Accreditation is the independent, third-party evaluation of a conformity assessment body against recognised standards, conveying formal demonstration of its impartiality and competence to carry out specific conformity assessment tasks.
Product certification or product qualification is the process of certifying that a certain product has passed performance tests and quality assurance tests, and meets qualification criteria stipulated in contracts, regulations, or specifications.
ISO/IEC 17025General requirements for the competence of testing and calibration laboratories is the main ISO standard used by testing and calibration laboratories. In most countries, ISO/IEC 17025 is the standard for which most labs must hold accreditation in order to be deemed technically competent. In many cases, suppliers and regulatory authorities will not accept test or calibration results from a lab that is not accredited. Originally known as ISO/IEC Guide 25, ISO/IEC 17025 was initially issued by the International Organization for Standardization in 1999. There are many commonalities with the ISO 9000 standard, but ISO/IEC 17025 is more specific in requirements for competence and applies directly to those organizations that produce testing and calibration results and is based on somewhat more technical principles. Laboratories use ISO/IEC 17025 to implement a quality system aimed at improving their ability to consistently produce valid results. It is also the basis for accreditation from an accreditation body.
The National Information Assurance Partnership (NIAP) is a United States government initiative to meet the security testing needs of both information technology consumers and producers that is operated by the National Security Agency (NSA), and was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).
A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC 15408 and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation independent specification of information assurance security requirements. A PP is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales.
Common Criteria Evaluation and Validation Scheme (CCEVS) is a United States Government program administered by the National Information Assurance Partnership (NIAP) to evaluate security functionality of an information technology with conformance to the Common Criteria international standard. The new standard uses Protection Profiles and the Common Criteria Standards to certify the product. This change happened in 2009. Their stated goal in making the change was to ensure achievable, repeatable and testable evaluations.
A Cryptographic Module Testing Laboratory (CMTL) is an information technology (IT) computer security testing laboratory that is accredited to conduct cryptographic module evaluations for conformance to the FIPS 140-2 U.S. Government standard.
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. An example of an implementation of SCAP is OpenSCAP.
ISO/IEC 17024: Conformity assessment - General requirements for bodies operating certification of persons is an International Standard which specifies criteria for the operation of a Personnel Certification Body. The standard includes requirements for the development and maintenance of the certification scheme for persons upon which the certification is based.
The CESG Claims Tested Mark, formerly CSIA Claims Tested Mark, is a UK Government Standard for computer security.
The Federal Information Processing Standard Publication 140-3,, is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. Initial publication was on March 22, 2019 and it supersedes FIPS 140-2.
IEC 62443 is an international series of standards on "Industrial communication networks - IT security for networks and systems". The standard is divided into different sections and describes both technical and process-related aspects of industrial cybersecurity. It divides the industry into different roles: the operator, the integrators and the manufacturers. The different roles each follow a risk-based approach to prevent and manage security risks in their activities.
eCOGRA is a London-based testing agency and standards organisation in the realm of online gambling. The company was established in 2003 in the United Kingdom at the behest of the online gaming industry as the first industry self-regulation system. eCOGRA is a testing laboratory, inspection body, and certification body, specializing in the certification of online gaming software and the audit of Information Security Management Systems.