CCRA (Common Criteria Recognition Arrangement)

Since 2006, the OC/CNN has been the authorised body empowered to issue certificates in the scope of CCRA (Common Criteria Recognition Arrangement), which is the mutual international recognition of certificates agreement “Common Criteria” for the functional security on ICT products. 26 industrialized countries currently belong to the “Common Criteria”. This certificate is the result of the analysis of security of products and systems, which aims to provide security to the object of evaluation itself (OE).

The functional certification and evaluation focuses on what OC does and how it does it, analysing if there is any vulnerability -due to either an incorrect implementation of the OE functions or because such functions aren’t effective enough- that could lead to a security problem. Both correctness and effectiveness of the OE functions are evaluated. For example, an OE that consisted of a software program which has an access control function based on a secret alphanumeric code might have the following security problems:

  1. Correctness problem: the development of the program has not taken into account the use of special alphanumeric characters; therefore, once the user introduces them, the function fails and allows unauthorized access to it.
  2. Effectiveness problem: the function works properly but it was designed with no more than 4 characters of length, which then makes brute force attacks possible within shorter periods of time than the ones planned when the security objectives were first set.