
The Common Criteria Development Board (CCDB)

May 20, 2026 8 Min Read

Source: PIB

Summary

India has been nominated as the Chair of the Common Criteria Development Board (CCDB) for a two-year term from April 2026 to April 2028 — a major recognition of India’s growing global stature in cybersecurity standards and IT product certification.

The CCDB is the technical heart of the Common Criteria Recognition Arrangement (CCRA), an international treaty for mutual recognition of IT security certificates across 38 member nations. It is responsible for developing and maintaining the Common Criteria (CC) standards (ISO/IEC 15408) and the Common Evaluation Methodology (CEM) used worldwide to certify IT products such as firewalls, operating systems, smart cards, and chipsets.

India participates through the Ministry of Electronics and Information Technology (MeitY) and the Standardisation Testing and Quality Certification (STQC) Directorate, and has been a Certificate Authorising Nation since 2013.

Background & Concept

What is the CCDB?

The Common Criteria Development Board (CCDB) is the technical management body of the Common Criteria Recognition Arrangement (CCRA). While the Common Criteria Management Committee (CCMC) handles policy and governance, the CCDB focuses on technical work — evolving the standards used to evaluate the security of IT products globally.

What is the CCRA?

The Common Criteria Recognition Arrangement (CCRA) is an international agreement signed in 2000 that provides for:

  • A common framework for evaluating IT product security.
  • Mutual recognition — a certificate issued in one member nation is accepted in all others, eliminating duplicate testing.
  • Two categories of members:
    • Certificate Authorising (CA) Nations: Can issue internationally recognised certificates (e.g., India, USA, Germany, Japan, Canada, France, South Korea).
    • Certificate Consuming (CC) Nations: Recognise certificates but cannot issue them.

What are the Common Criteria (CC)?

The Common Criteria for Information Technology Security Evaluation (CC) — formally ISO/IEC 15408 — is the international standard for certifying the security properties of IT products. It defines:

  • Protection Profiles (PPs): Generic security requirements for product categories.
  • Security Targets (STs): Specific security claims for a particular product.
  • Evaluation Assurance Levels (EAL 1 to EAL 7): Levels of rigour applied during evaluation.

What is the CEM?

The Common Methodology for IT Security Evaluation (CEM) — ISO/IEC 18045 — provides the standardised methodology used by accredited labs to perform Common Criteria evaluations consistently across countries.

Indian Ecosystem

  • Nodal Ministry: Ministry of Electronics and Information Technology (MeitY).
  • Implementing Agency: STQC Directorate — an attached office of MeitY, providing testing and certification services.
  • Indian Common Criteria Certification Scheme (IC3S): Launched by STQC in 2010; recognised under CCRA in 2013.
  • Status: India became a Certificate Authorising Nation in 2013 and now chairs the CCDB (2026–2028).

Key Highlights

  • India’s Role: Nominated as Chair of the CCDB for the term April 2026 – April 2028.
  • Parent Body: Operates under the Common Criteria Recognition Arrangement (CCRA).
  • Indian Nodal Agency: MeitY via the STQC Directorate.
  • CCRA Membership: 38 member nations participate.
  • Certificate Authorising Nation status: India since 2013.
  • Core Standards: Common Criteria (ISO/IEC 15408) and CEM (ISO/IEC 18045).
  • Common Criteria Portal: Global repository of all certified IT security products, maintained by the CCDB.

Key Functions of the CCDB

| Function | Description |
| --- | --- |
| Technical Management | Manages the international work programme for developing the Common Criteria (ISO/IEC 15408) and CEM standards. |
| Standardisation | Defines technical evaluation criteria for IT products (firewalls, OS, smart cards, semiconductors). |
| Portal Management | Maintains the Common Criteria Portal, the authoritative global repository of certified secure IT products. |
| Mutual Recognition | Ensures certificates issued in one member nation are valid across all 38 CCRA members without re-testing. |
| Technical Working Groups | Coordinates working groups on emerging tech — IoT, AI, post-quantum cryptography, automotive security. |

India’s Position

India has steadily built capacity in IT security testing:

  • STQC Directorate, established in 1980, runs accredited test labs across the country.
  • Indian Common Criteria Certification Scheme (IC3S) was launched in 2010.
  • India became a Certificate Authorising Nation in 2013, joining a select club (USA, UK, Germany, France, Canada, Japan, Australia, South Korea, Netherlands, etc.).
  • India is now poised to drive new global protection profiles for emerging tech sectors during its chairmanship.

This complements India’s broader cyber and digital initiatives — National Cyber Security Policy (2013), CERT-In (2004), Cyber Surakshit Bharat, Digital India Mission (2015), India AI Mission (2024), and Semicon India Programme (2021).

Challenges

  • Capacity of Indian Labs: India still has a limited number of CC-accredited evaluation labs compared to the US, Germany, or South Korea.
  • High-Assurance Evaluations (EAL 5+): Most Indian certifications are at lower assurance levels; building EAL 5/6/7 capability requires deeper investment in cryptography and formal methods.
  • Emerging Tech Pace: The rapid evolution of AI, IoT, quantum computing, and post-quantum cryptography challenges the relatively slow CC standardisation process.
  • Geopolitical Fragmentation: Tech-bloc politics (US–China decoupling) can fragment global recognition arrangements.
  • Skilled Manpower: Shortage of cybersecurity professionals trained in formal CC evaluation methodologies.
  • Integration with Other Standards: Aligning CC with FIPS, ETSI EN 303 645, ISO 27001, and sectoral standards (telecom, automotive, healthcare) remains an ongoing challenge.

Keywords & Definitions

▸ Common Criteria Development Board (CCDB): The technical body of the CCRA responsible for developing and maintaining the Common Criteria and CEM standards.

▸ Common Criteria Recognition Arrangement (CCRA): An international treaty (2000) for mutual recognition of IT security evaluation certificates among 38 member nations.

▸ Common Criteria Management Committee (CCMC): The policy-level governing body of the CCRA; CCDB reports technical work to it.

▸ Common Criteria (CC): International standard (ISO/IEC 15408) for IT product security evaluation, covering Protection Profiles, Security Targets, and Evaluation Assurance Levels.

▸ ISO/IEC 15408: Formal ISO/IEC standard codifying the Common Criteria framework.

▸ Common Evaluation Methodology (CEM): Methodology (ISO/IEC 18045) used by labs to conduct Common Criteria evaluations consistently.

▸ Protection Profile (PP): A template specifying security requirements for a category of IT products (e.g., firewalls, smart cards).

▸ Security Target (ST): A document describing the security claims of a specific product being evaluated.

▸ Evaluation Assurance Level (EAL 1–7): Graded levels of evaluation rigour — EAL1 (functionally tested) to EAL7 (formally verified design and tested).

▸ Certificate Authorising Nation: A CCRA member country authorised to issue internationally recognised CC certificates (India since 2013).

▸ Certificate Consuming Nation: A CCRA member that recognises certificates but does not issue them.

▸ STQC (Standardisation Testing and Quality Certification) Directorate: An attached office of MeitY (established 1980), providing testing and certification services in India.

▸ MeitY (Ministry of Electronics and Information Technology): The nodal Indian ministry for electronics, IT, cybersecurity, and digital governance.

▸ IC3S (Indian Common Criteria Certification Scheme): India’s CC certification scheme run by STQC; launched in 2010, recognised under CCRA in 2013.

▸ CERT-In (Indian Computer Emergency Response Team): National nodal agency (established under the IT Act, 2000) for responding to cybersecurity incidents.

▸ National Cyber Security Policy (2013): India’s first formal cyber security policy framework. (A new National Cyber Security Strategy is under finalisation.)

▸ Mutual Recognition Arrangement (MRA): Bilateral or multilateral arrangements where conformity assessment results (testing, certification) of one country are accepted by another.

▸ Information Technology Act, 2000: India’s primary law on cyber and digital matters; provides legal recognition for electronic transactions and offences.

▸ Common Criteria Portal: The official global website (www.commoncriteriaportal.org) maintained by the CCDB, listing all CC-certified products.

▸ Post-Quantum Cryptography (PQC): Cryptographic algorithms designed to be secure against attacks by quantum computers.

▸ Semicon India Programme: Launched in 2021 to develop a sustainable semiconductor and display ecosystem in India.

Question Section (MCQs)

Q1. The Common Criteria Development Board (CCDB) operates under which of the following international arrangements?

(a) Wassenaar Arrangement (b) Common Criteria Recognition Arrangement (CCRA) (c) Missile Technology Control Regime (MTCR) (d) Australia Group

Q2. Consider the following statements regarding the Common Criteria Development Board (CCDB):

  1. It is responsible for the technical management and evolution of the Common Criteria standards.
  2. India has been nominated as the Chair of the CCDB for the term April 2026 to April 2028.
  3. The CCDB primarily handles high-level policy matters of the CCRA.

Which of the statements given above are correct?

(a) 1 and 2 only (b) 2 and 3 only (c) 1 and 3 only (d) 1, 2 and 3

Q3. The Common Criteria (CC) standards used for IT security evaluation are formally codified as:

(a) ISO/IEC 27001 (b) ISO/IEC 15408 (c) ISO/IEC 9001 (d) ISO/IEC 20000

Q4. India’s nodal agency for participation in the CCDB is:

(a) Defence Research and Development Organisation (DRDO) (b) STQC Directorate under the Ministry of Electronics and Information Technology (MeitY) (c) Indian Computer Emergency Response Team (CERT-In) (d) Bureau of Indian Standards (BIS)

Q5. India became a Certificate Authorising Nation under the CCRA in which year?

(a) 2005 (b) 2010 (c) 2013 (d) 2018

Q6. Consider the following statements about the Common Criteria Recognition Arrangement (CCRA):

  1. It enables mutual recognition of IT security certificates across member nations.
  2. It currently has 38 member nations.
  3. It is a legally binding treaty under the United Nations system.

Which of the statements given above are correct?

(a) 1 and 2 only (b) 2 and 3 only (c) 1 and 3 only (d) 1, 2 and 3

Q7. The ‘Evaluation Assurance Level (EAL)’ under the Common Criteria framework ranges from:

(a) EAL 1 to EAL 5 (b) EAL 1 to EAL 7 (c) EAL 0 to EAL 9 (d) EAL 1 to EAL 10

Q8. The Indian Common Criteria Certification Scheme (IC3S) is run by:

(a) NIC (b) STQC Directorate (c) C-DOT (d) NCIIPC

Q9. Which of the following technologies are typically evaluated under the Common Criteria framework?

  1. Firewalls
  2. Operating Systems
  3. Smart Cards
  4. Semiconductors

Select the correct answer using the code given below:

(a) 1 and 2 only (b) 1, 2 and 3 only (c) 2, 3 and 4 only (d) 1, 2, 3 and 4

Q10. Match the following:

| Body / Standard | Function |
| --- | --- |
| A. CCDB | 1. Policy-level governance of CCRA |
| B. CCMC | 2. India’s national CC certification scheme |
| C. CEM | 3. Technical management and standards development |
| D. IC3S | 4. Common methodology for IT security evaluation |

Select the correct answer:

(a) A-3, B-1, C-4, D-2 (b) A-1, B-3, C-2, D-4 (c) A-3, B-2, C-1, D-4 (d) A-4, B-1, C-3, D-2

Answer Key with Explanations

▸ Q1 → (b) The CCDB operates under the Common Criteria Recognition Arrangement (CCRA), an international arrangement signed in 2000 for mutual recognition of IT security certificates. The other options (Wassenaar, MTCR, Australia Group) are export-control regimes, not IT-security frameworks.

▸ Q2 → (a) 1 and 2 only Statements 1 and 2 are correct. Statement 3 is wrong — high-level policy is handled by the Common Criteria Management Committee (CCMC), not the CCDB. The CCDB is the technical body.

▸ Q3 → (b) ISO/IEC 15408 The Common Criteria are formally codified as ISO/IEC 15408, while the evaluation methodology (CEM) is codified as ISO/IEC 18045. ISO/IEC 27001 is a separate standard for Information Security Management Systems (ISMS).

▸ Q4 → (b) India participates through the STQC Directorate under MeitY, which also runs the Indian Common Criteria Certification Scheme (IC3S).

▸ Q5 → (c) 2013 India became a Certificate Authorising Nation under the CCRA in 2013, joining the select group of nations that can issue internationally recognised CC certificates.

▸ Q6 → (a) 1 and 2 only Statements 1 and 2 are correct. Statement 3 is wrong — the CCRA is not a UN treaty; it is an international arrangement signed by participating governments and is not legally binding in the manner of UN treaties.

▸ Q7 → (b) EAL 1 to EAL 7 Common Criteria defines seven Evaluation Assurance Levels (EAL1 to EAL7) — from “functionally tested” (EAL1) to “formally verified design and tested” (EAL7).

▸ Q8 → (b) STQC Directorate The Indian Common Criteria Certification Scheme (IC3S) is run by the STQC Directorate of MeitY, with accredited evaluation labs across India.

▸ Q9 → (d) 1, 2, 3 and 4 All four — firewalls, operating systems, smart cards, and semiconductors (along with network devices, biometric devices, mobile devices) — are routinely evaluated under the Common Criteria framework.

▸ Q10 → (a) A-3, B-1, C-4, D-2 CCDB — technical management and standards development; CCMC — policy-level governance; CEM — common methodology for IT security evaluation; IC3S — India’s national CC certification scheme.

Author

SS Team
