accesskey _ mod _ content

Settlement on the recognition of certificates of Common Criteria in the field of information technology security.

El Arreglo sobre el Reconocimiento de los Certificados de Criterios Comunes en el campo de la Seguridad de la Tecnología de la Información (conocido por sus siglas en inglés CCRA) especifica los requisitos que han de cumplir los Certificados de Criterios Comunes, los Organismos de Certificación y los Centros de Evaluación de la seguridad de las tecnologías de la información.

The Settlement is premised on the use of products and systems of information technology (TI) whose security has been certified is one of the main safeguards to protect the information and the systems that operate them.

The security certificates are issued by recognized certification Agencies to products or it systems (or profiles of protection) that have been successfully evaluated by evaluation services, in accordance with the common standards (ISO/IEC 15408). In Spain the certificates are issued by the The certification body of the national assessment and certification of the It security. (Opens in new window)

The current version of the Settlement (Opens in new window) it was ratified and published on 8 september 2014 by 26 countries, including Spain; on the part of our country, the ratification was carried out jointly between the centre Cryptologic, national and the state secretariat for Public administrations. The 26 countries signatories are: Austria, Australia, Canada, united states, denmark, finland, France, greece, hungary, India, Israel, italy, japan, Malaysia, netherlands, new Zealand, norway, Pakistan, united kingdom, czech republic, republic of korea, singapore, sweden and Turkey.

Esta nueva versión del Arreglo persigue facilitar que los resultados de la evaluación de los productos de seguridad de las tecnologías de la información sean razonables, comparables, reproducibles y eficientes. También promueve una mejor colaboración público-privada a través del establecimiento de las denominadas comunidades técnicas internacionales (international Technical Communities (iTCs)) y la definición de requisitos funcionales de seguridad a través de los perfiles de protección colaborativos (collaborative Protection Profiles (cPPs)) aplicables a productos tales como dispositivos USB, cortafuegos, cifradores de discos, etc.

Among the beneficiaries of the settlement are:

  • Las Administraciones Públicas, para establecer las bases de la seguridad de la información y de las infraestructuras de TI que la manejan.
  • The industry, to find wider markets to products and systems that YOU have the added value of the certificate.
  • Los consumidores (particulares, empresas y AA.PP.), para contar con mayor oferta de productos y sistemas certificados como seguros para proteger su información y servicios.

The arrangement has interest in particular, for the National security (Royal Decree 3/2010, on 8 january) that, in connection with the acquisition of products, provides for:

  • se valore positivamente la certificación de seguridad en la adquisición de productos por parte de las Administraciones Públicas, (art. 18.1);
  • recognizes the role of the national certification body (item 18 (3));
  • shows how the use of products whose security may be certified contributes to the satisfaction of safety requirements so provided in the security measures for the adequate protection of information (Annex II);
  • it includes model clause to the technical requirements (RD 3/2010, annex V).


The first settlement was ratified on 23 may 2000, in Baltimore (Maryland, United States), by Australia, canada, germany, spain, united states of america, finland, france, greece, italy, netherlands, new Zealand, the netherlands and the united kingdom. Subsequently were incorporating other countries. On behalf of the kingdom of Spain signed that Under the ministry of Public administrations.

From 17 august 2006, spain changed its status in the settlement and became a participant accredited to issue an information technology security.

Forerunner of the settlement was the agreement of mutual recognition of certificates of the evaluation of the security of information technologies, whose geographical scope initially concern to european countries and whose reference standard was first ITSEC, which were subsequently added Common Criteria.

Subscribe to the youtube channel of OBSAE
Subscribe to the youtube channel of OBSAE