Ministry of Economy, Trade and Industry
Font Size Change

Revision of the Common Criteria Recognition Arrangement

On September 8, 2014, the revised Common Criteria Recognition Arrangement (CCRA) in the Field of Information Technology Security (hereinafter referred to as the Revised Arrangement) has been entered into force.

According to the Revised Arrangement, member countries will formulate their new harmonized security criteria as well as common procedures and methods for issuing certifications by IT product field.

From the standpoint of promoting exports of Japanese IT products, the Ministry of Economy, Trade and Industry (METI), jointly with the business community and the Information-technology Promotion Agency, Japan (IPA), will lead the formulation of global criteria, including creating draft proposals of such criteria in the fields of Japan’ competitive products.

1. Background

Recently, the increased number of cyber-attacks using security defects of IT products has led to more information leaks and other IT-related troubles. In addition, concerns about the possibility that unauthorized communication functions that are installed in components of IT products during the manufacturing process will steal information of their organizations are growing. Considering these facts, it is significant for companies to procure products with well-designed, secure systems.

In light of this situation, the governments of countries have prioritized the procurement of the security-certified IT products. However, companies face a challenge in cutting the cost of receiving new certifications from each export counterpart concerning the security of IT products. The CCRA was inaugurated in 2000 to overcome this challenge.*1

*Note 1: The Standards for Information Security Measures for the Central Government Computer Systems, which are the standards for Japan’s government procurement and determined by the Information Security Policy Council, stipulates that the Government of Japan should refer to the list of IT products approved under the Arrangement when it procures such products.

2. Outline of the CCRA

The CCRA is a framework under which member countries mutually recognize certain IT products that have been certified under the global common criteria. There are 26 countries participating in the framework.*2 Japan joined in October 2003.

*Note 2: The 26 countries include the following:
- Certificate authorizing members, which mutually recognize other CCRA members’ certificates (17 countries): Japan, the U.S., the UK, Germany, France, Canada, Malaysia, Turkey, Italy, Sweden, Spain, India, ROK, Norway, the Netherlands, New Zealand, and Australia;
- Certificate consuming members, which recognize certificates issued by other CCRA members (9 countries): Finland, Greece, Israel, Austria, Pakistan, Singapore, Denmark, Hungary, and the Czech Republic.

Once security certifications of IT products have been issued by certification bodies in the certificate authorizing members,*3 they are effective in all the member countries or mutually recognized among them. Such recognized certifications should be those based on the international standard ISO/IEC15408. As security threats vary between different IT product fields the CCRA provides a framework under which the member countries are eligible to formulate security standards, called protection profiles, by IT product field.

*Note 3: Example of certification bodies in the certificate authorizing members
Japan: IPA; the U.S.: National Security Agency (NSA); Germany: Federal Office for Information Security (BSI); France: Network and Information Security Agency (ANSSI); and ROK: National Intelligence Service IT Security Certification Center (NISITSCC).

In Japan, IPA serves as a certification body for IT security and has already issued 429 approvals for such products, placing Japan in fourth place in the member countries.

3. Background and key points of the revision

As more than ten years has passed since the inauguration of the Arrangement, and as the general use by the public highly-advanced IT technology, including networked, remotely controllable devices is common, the expected threats to the technology have also become highly sophisticated and diverse. To address this situation, member countries formulated a variety of their own security standards for procurement, leading to an increasing number of different security standards even within the same IT product field. Such differences in standards force companies to bear the burden of receiving new certifications from each export counterpart.*4

*Note 4: Top three countries that submitted proposals concerning security requirements by field of IT products: the U.S.: 105; Germany 72; and France 47

Furthermore, the fact that the quality of issued security certifications was different between certification bodies in the newly joined member countries and those in the old member countries had become a problem

Considering such a situation, member countries started discussions on this issue in September 2012 and enforced the following Revised Arrangement on September 8, 2014, aiming to harmonize security criteria as well as certification procedures and methods by IT product field:

  1. Formulating new common security criteria harmonized among the member countries by IT product field:

    To deal with the upsurge of various security criteria for the same IT product field, member countries will formulate new collaborative Protection Profile (cPP), the only common security criteria that are harmonized among the members; and

  2. Formulating common procedures and methods for IT security certification:

    To align the quality of IT security certifications among member countries, the member countries will formulate specific procedures and methods for certification, which should be introduced in each IT product field.

4. Future actions

The member countries will discuss and formulate such harmonized security criteria as well as common procedures and methods for issuing certifications by IT product field. From the standpoint of encouraging exports of Japanese IT products, METI, jointly with industry and the IPA, will strive to lead the formulation of global standards, including creating draft proposals for such criteria for Japan’s competitive products, such as complex digital machines.*5

*Note 5: Regarding the 429 certifications conducted in Japan, about 70% (316 products) are certifications for complex digital machines. Other certified products include IC cards, firewalls, systems for preventing unauthorized computer access, and networking equipment.

Release Date

September 10, 2014

Division in Charge

Office for IT Security Policy, Commerce and Information Policy Bureau

Related Information

Information Policy

Ministry of Economy, Trade and Industry
1-3-1 Kasumigaseki, Chiyoda-ku, Tokyo 100-8901, Japan Tel: +81-(0)3-3501-1511
Copyright Ministry of Economy, Trade and Industry. All Rights Reserved.