The ANSSI has signed two mutual certificate recognition agreements
European mutual recognition agreement: SOG-IS
The 2010 SOG-IS European recognition agreement enables the signatory states to recognize the certificates issued by their certification bodies. This agreement supersedes the 1999 SOG-IS recognition agreement.
At the moment, two technical domains are covered by this agreement for the high level of recognition: “smart cards and similar devices” and “hardware devices with security boxes”.
France is recognized for those two technical domains up to EAL7.
For the other technical domains, the recognition applies up to CC EAL4.
The signatory countries of the agreement are:
- France – ANSSI (www.ssi.gouv.fr)
- Germany – BSI (www.bsi.bund.de)
- Austria – Federal Chancellery (www.digitales.oesterreich.gv.at)
- Spain – OCSTI (www.oc.ccn.cni.es)
- Finland – FICORA (www.ficora.fi)
- Italy – OCSI (www.ocsi.isticom.it)
- Norway – SERTIT (www.sertit.no)
- Netherlands – NLNCSA (www.tuv-nederland.nl)
- United Kingdom – NCSC (www.ncsc.gov.uk)
- Sweden – FMV/CSEC (www.csec.se)
Certification bodies qualified for the “smart cards and similar devices” technical domain are:
Common Criteria Mutual Recognition Arrangement: CCRA
The latest Common Criteria Mutual Recognition Arrangement has been applicable since September 8th, 2014.
This new agreement defines a new type of Protection Profile (PP) in its Annex K: the collaborative PP (cPP). A cPP has a dedicated evaluation method that makes the generic CC more specific. The evaluation method and the associated cPP are written by an international Technical Community (iTC). Specific cPP evaluation methods are approved within the CCRA.
The CCRA recognition limits are now defined based on the evaluation approach used:
- in case of an evaluation based on generic CC (whether a standard PP is taken into account or not), there is mutual recognition up to EAL2 and ALC_FLR;
- in case of an evaluation compliant with a cPP, the mutual recognition applies at the same level as the one set in the cPP. By default the cPP evaluation level is limited to EAL2. This level may be extended up to EAL4 if the iTC can demonstrate that the work is objective enough to be implemented by all CCRA schemes.
Finally, a transition plan between the two versions of the agreement was agreed on (see article 17 of the new agreement).
Until September 8th, 2017, the following can be recognized up to level EAL4 (i.e. based on the previous version of the agreement):
- Product evaluations registered before September 8th, 2014
- Product maintenance or re-evaluation where a certificate was previously issued based on the previous version of the agreement.
Certificates recognised within the scope of this agreement are issued with the following mark:
The signatory countries of the agreement who issue certificates and their certification bodies are:
- France: ANSSI, formerly DCSSI (www.ssi.gouv.fr)
- Germany: BSI (www.bsi.bund.de)
- Australia and New Zealand: AISEP (www.dsd.gov.au)
- Canada: CSE (www.cse-cst.gc.ca)
- Korea: ITSCC (www.kecs.go.kr)
- Spain: CCN (www.oc.ccn.cni.es)
- India: IC3S (www.commoncriteria-india.gov.in)
- Italy: OCSI (www.ocsi.isticom.it)
- Japan: IPA (www.ipa.go.jp)
- Malaysia: Cybersecurity Malaysia (www.cybersecurity.my)
- Norway: SERTIT (www.sertit.no)
- Netherlands: NSCIB (www.tuv-nederland.nl)
- United Kingdom: NCSC (www.ncsc.gov.uk)
- Sweden: FMV/CSEC (www.fmv.se)
- Turkey: TSE (bilisim.tse.org.tr)
- USA: NIAP (www.nsa.gov)
The Common Criteria website lists the countries that recognize these certificates, even if they don’t produce any: