The Common Criteria Recognition Arrangement (CCRA) was established in 1998 for each international partner of the arrangement to recognise a Common Criteria certificate awarded by a certificate-authorising participant. Initially the CCRA comprised Canada, France, Germany, the United Kingdom and the United States. It now includes 26 nations. Australia and New Zealand joined the CCRA in 1999.
Consumers can be confident that each certificate-authorising participant of the CCRA ensures that evaluations are performed to high and consistent standards. This arrangement for recognising standards of IT security certification between member countries is called mutual recognition and eliminates the need for duplicating an evaluation.
This agreement is currently limited to the first two security levels of the CC, EAL1 to EAL2, without cryptographic functionality. Certifications governed by this arrangement are treated as being included on the ASD Evaluated Products List (EPL). Products certified above CC EAL2 by another CCRA scheme are considered, in terms of fulfilling Information Security Manual (ISM) requirements, to be at CC EAL2 assurance level.
Caveats may relate to the use of some products within Australian and New Zealand government agencies. This applies particularly to products employing cryptography, which require an additional review by ASD called an ASD Cryptographic Evaluation.