The Indian Common Criteria Certification Scheme(IC3S) has been set up by the Ministry of Electronics and Information Technology (MeitY) as part of Cyber Security Assurance initiatives of the Government of India.The purpose of the scheme is to evaluate and certify IT Security Products and Protection Profiles (PP) against the requirements of Common Criteria Standards, at assurance levels EAL 1 through EAL4. The main players in this programme are Developer of IT Security Products or Protection Profiles, Sponsors, Common Criteria Test Laboratory (CCTL) and Certification Body.The scheme provides National Certification,under the International Mutual Recognition Arrangement with the other member countries of CCRA (Common Criteria Recognition Arrangement),acceptable in all the member countries.
Along with other countries, India has already become a member CCRA as a Certificate Authorizing Nation. As per the article 1 of the CCRA, Certificates issued by one member countries are accepted in other countries without re-certification. Only Government Body can be the Certification Body of the country and in our case MeitY/STQC is the certification body.
Common Criteria evaluation is an impartial assessment of an IT product by an independent body.This provides users of such products with confidence in the security functionality provided.It also provides users with a metric to compare the security capabilities of products that they are intending to buy.The IT products to be evaluated are referred to as the Target of Evaluation (TOE).Certification provides independent confirmation of the validity of evaluation results, and thereby ensures comparability of these results across all evaluations under the scheme and facilitates mutual recognition of results between national schemes.Certification confirms that the TOE needs its security target to the claimed assurance level and that the evaluation has been conducted in accordance with the Standard of the scheme i.e. Common Criteria (eq.: ISO 15408).
The participation in the scheme and its associated evaluation & certification activities is strictly voluntary (unless mandated by government policy or regulations).In addition, organizations may undertake alternative activities to use Common Criteria and to demonstrate product conformance to IT security requirements.
The Certification Body is the STQC Directorate, Ministry of Electronics and Information Technology, Govt. of India. The Certification Body has been established under the official administration procedures of Govt. of India to meet the requirements of ISO 17065.
