World Library  
Flag as Inappropriate
Email this Article

Common Criteria Testing Laboratory

Article Id: WHEBN0007214571
Reproduction Date:

Title: Common Criteria Testing Laboratory  
Author: World Heritage Encyclopedia
Language: English
Subject: CCTL, National Voluntary Laboratory Accreditation Program, Security Target, Computer security procedures, Cryptographic Module Testing Laboratory
Collection: Computer Security Procedures, Evaluation
Publisher: World Heritage Encyclopedia

Common Criteria Testing Laboratory

The Common Criteria model provides for the separation of the roles of evaluator and certifier. Product certificates are awarded by national schemes on the basis of evaluations carried by independent testing laboratories.

A Common Criteria testing laboratory is a third-party commercial security testing facility that is accredited to conduct security evaluations for conformance to the Common Criteria international standard. Such facility must be accredited according to ISO/IEC 17025 with its national certification body.

List of laboratory designations by country:

  • In the US they are called Common Criteria Testing Laboratory (CCTL)
  • In Canada they are called Common Criteria Evaluation Facility (CCEF)
  • In the UK they are called Commercial Evaluation Facilities (CLEF)
  • In France they are called Centres d’Evaluation de la Sécurité des Technologies de l’Information (CESTI)
  • In Germany they are called IT Security Evaluation Facility (ITSEF)


  • Common Criteria Recognition Arrangement 1
  • United States 2
    • CCTL requirements 2.1
    • CCTL accreditation 2.2
  • Canada 3
  • Notes 4
  • External links 5

Common Criteria Recognition Arrangement

Common Criteria Recognition Arrangement (CCRA) or Common Criteria Mutual Recognition Arrangement (MRA) [1] is an international agreement that recognizes evaluations against the Common Criteria standard performed in all participating countries.

There are some limitations to this agreement and, in the past, only evaluations up to EAL4+ were recognized. With on-going transition away from EAL levels and the introduction of NDPP evaluations that “map” to up to EAL4 assurance components continue to be recognized.

United States

In the United States the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) accredits CCTLs to meet National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme requirements and conduct IT security evaluations for conformance to the Common Criteria.

CCTL requirements

These laboratories must meet the following requirements:

  • NIST Handbook 150, NVLAP Procedures and General Requirements
  • NIST Handbook 150-20, NVLAP Information Technology Security Testing — Common Criteria
  • NIAP specific criteria for IT security evaluations and other NIAP defined requirements

CCTLs enter into contractual agreements with sponsors to conduct security evaluations of IT products and Protection Profiles which use the CCEVS, other NIAP approved test methods derived from the Common Criteria, Common Methodology and other technology based sources. CCTLs must observe the highest standards of impartiality, integrity and commercial confidentiality. CCTLs must operate within the guidelines established by the CCEVS.

To become a CCTL, a testing laboratory must go through a series of steps that involve both the NIAP Validation Body and NVLAP. NVLAP accreditation is the primary requirement for achieving CCTL status. Some scheme requirements that cannot be satisfied by NVLAP accreditation are addressed by the NIAP Validation Body. At present, there are only three scheme-specific requirements imposed by the Validation Body.

NIAP approved CCTLs must agree to the following:

  • Located in the U.S. and be a legal entity, duly organized and incorporated, validly existing and in good standing under the laws of the state where the laboratory intends to do business
  • Accept U.S. Government technical oversight and validation of evaluation-related activities in accordance with the policies and procedures established by the CCEVS
  • Accept U.S. Government participants in selected Common Criteria evaluations.

CCTL accreditation

A testing laboratory becomes a CCTL when the laboratory is approved by the NIAP Validation Body and is listed on the Approved Laboratories List.

To avoid unnecessary expense and delay in becoming a NIAP-approved testing laboratory, it is strongly recommended that prospective CCTLs ensure that they are able to satisfy the scheme-specific requirements prior to seeking accreditation from NVLAP. This can be accomplished by sending a letter of intent to the NIAP prior to entering the NVLAP process.

Additional laboratory-related information can be found in CCEVS publications:

  • #1 Common Criteria Evaluation and Validation Scheme for Information Technology Security — Organization, Management, and Concept of Operations and Scheme Publication
  • #4 Common Criteria Evaluation and Validation Scheme for Information Technology Security — Guidance to Common Criteria Testing Laboratories


In Canada the Communications Security Establishment Canada (CSEC) Canadian Common Criteria Scheme (CCCS) oversees Common Criteria Evaluation Facilities (CCEF). Accreditation is performed by Standards Council of Canada (SCC) under its Program for the Accreditation of Laboratories – Canada (PALCAN) according to CAN-P-1591, the SCC’s adaptation of ISO/IEC 17025-2005 for ITSET Laboratories. Approval is performed by the CCS Certification Body, a body within the CSEC, and is the verification of the applicant's ability to perform competent Common Criteria evaluations.


  1. ^ "Arrangement on the Recognition of Common Criteria Certificates In the field of Information Technology Security" (PDF). CSEC. 2013. Retrieved 2013-03-03. 

External links

  • US: Common Criteria Evaluation and Validation Scheme
  • US: Common Criteria Testing Laboratories
  • Canada: Common Criteria Scheme
  • Canada: Common Criteria Evaluation Facilities
  • Common Criteria Recognition Agreement
  • List of Common Criteria evaluated products
  • ISO/IEC 15408 — available free as a public standard
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.