The Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (known by its English acronym, CCRA) specifies the requirements that Common Criteria certificates, certification bodies and information technology security evaluation facilities must fulfil.
The Arrangement is based on the premise that using information technology (IT) products and systems whose security has been certified is one of the main safeguards for protecting information and the systems that handle it.
Certificates are issued by security certification bodies and granted to IT products or systems (or protection profiles) that have been successfully evaluated by evaluation facilities in accordance with Common Criteria (ISO/IEC 15408). In Spain, certificates are issued by the Organismo de Certificación del Esquema Nacional de Evaluación y Certificación de la Seguridad de las TI.
The current version of the Arrangement was ratified and published on 8 September 2014 by 26 countries, including Spain; on behalf of our country, ratification was carried out jointly by the Centro Criptológico Nacional and the Secretaría de Estado de Administraciones Públicas. The 26 signatory countries are: Germany, Australia, Austria, Canada, United States, Denmark, Spain, Finland, France, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, Netherlands, New Zealand, Norway, Pakistan, United Kingdom, Czech Republic, Republic of Korea, Singapore, Sweden and Turkey.
This new version of the Arrangement seeks to make it easier for the results of evaluations of information technology security products to be reasonable, comparable, reproducible and efficient. It also promotes better public-private collaboration through the establishment of international Technical Communities (iTCs) and the definition of security functional requirements through collaborative Protection Profiles (cPPs) applicable to products such as USB devices, firewalls, disk encryptors, etc.
Among the beneficiaries of the Arrangement are:
- Public administrations, which can lay the foundations for the security of information and of the IT infrastructures that handle it.
- Industry, which finds wider markets for IT products and systems with the added value of the certificate.
- Consumers (individuals, corporations and public administrations), through a greater supply of products and systems certified as secure to protect their information and services.
The Arrangement is of particular interest to the National Security Scheme (Royal Decree 3/2010, of 8 January), which, in connection with the acquisition of security products:
- values security certification positively in the acquisition of products by public administrations (art. 18.1);
- recognizes the role of the national certification body (art. 18.3);
- reflects how the use of products whose security has been certified contributes to proportionately meeting the security requirements in the security measures for adequate protection of information (Annex II);
- includes a model clause for technical specification documents (Royal Decree 3/2010, Annex V).
The first Arrangement was ratified on 23 May 2000, in Baltimore (Maryland, United States), by Germany, Australia, Canada, Spain, United States, Finland, France, Greece, Italy, Norway, New Zealand, the Netherlands and United Kingdom. Other countries joined later. The Ministry of Public Administrations signed that Arrangement on behalf of the Kingdom of Spain.
As of 17 August 2006, Spain changed its status in the Arrangement and became an accredited participant for information technology security certificates.
The forerunner of the Arrangement was the agreement on mutual recognition of information technology security evaluation certificates, whose geographical scope was initially limited to European countries and whose first reference standard was ITSEC, to which Common Criteria was later added.