“Standards are the invisible infrastructure of global trade — whoever writes them sets the rules of the game.” — On India’s CCDB chairmanship and the shift in technology governance
India has been nominated as the Chair of the Common Criteria Development Board (CCDB) for a two-year term running from April 2026 to April 2028. The appointment was confirmed during the 1st Quarter Meeting of the Common Criteria Recognition Arrangement (CCRA), held in Tokyo, Japan, from 14 to 16 April 2026. The announcement was made by the Ministry of Electronics and Information Technology (MeitY).
The CCDB is the technical engine of the CCRA — the international treaty framework that allows IT security certificates issued in one member country to be recognised by all other participating nations without re-evaluation. As Chair, India will directly oversee the international work programme for the Common Criteria (CC) standard (ISO/IEC 15408) and its companion document, the Common Methodology for Information Technology Security Evaluation (CEM) — essentially setting the global benchmarks by which secure IT products are evaluated and trusted.
✨ What Is the Common Criteria (ISO/IEC 15408)?
The Common Criteria for Information Technology Security Evaluation (CC) is an international standard (ISO/IEC 15408) for certifying the security properties of IT products and systems. It provides a structured framework under which vendors describe security features, independent testing laboratories evaluate those claims, and certification bodies issue recognised certificates.
The framework emerged from the convergence of national security evaluation standards from the United States, Canada, France, Germany, and the United Kingdom in the early 1990s. Version 1.0 was finalised in 1996; version 2.0 (1998) became the foundation for the CCRA; version 2.1 was adopted as ISO 15408 in 1999. The standard is currently at version 2022 Revision 1.
The CC framework is built around three core concepts:
- Protection Profile (PP): Defines a standardised set of security requirements for a product category — e.g., firewalls, smart cards, or operating systems.
- Security Target (ST): The vendor-specific document mapping the product’s actual security features to the PP requirements.
- Target of Evaluation (TOE): The actual IT product or system being assessed.
Evaluations are conducted at graduated Evaluation Assurance Levels (EALs), from EAL 1 (functionally tested) to EAL 7 (formally verified design and testing). The CCRA mutually recognises evaluations up to EAL 2 plus flaw remediation augmentation across member states.
Think of Common Criteria like a globally agreed “safety rating system” for IT security products — similar to how BIS certification works for consumer goods in India, but at an international level. A product certified under CC in India is automatically trusted by governments in the USA, Germany, Japan, and 35 other countries — without needing to be re-tested in each country. The CCDB is the committee that writes and updates these rating rules.
🌍 The CCRA: Structure and Membership
The Common Criteria Recognition Arrangement (CCRA) is the treaty-level agreement that operationalises the CC standard internationally. Originally signed in 1998 by Canada, France, Germany, the United Kingdom, and the United States, it expanded rapidly — Australia and New Zealand joined in 1999, followed by Finland, Greece, Israel, Italy, the Netherlands, Norway, and Spain in 2000.
As of 2026, the CCRA comprises 38 member nations in two tiers:
- 20 Certificate Authorising Nations: Countries that run nationally accredited schemes capable of issuing CC certificates.
- 18 Certificate Consuming Nations: Countries that accept CC certificates issued by authorising members but do not run their own evaluation schemes.
The practical outcome: a vendor whose product is CC-certified in one member country can sell and deploy that product across all 38 member countries without undergoing separate national security evaluations — a significant reduction in time, cost, and regulatory friction. The CCRA also maintains the Common Criteria Portal, the authoritative global repository for all certified secure IT products worldwide.
| Feature | Certificate Authorising Nations | Certificate Consuming Nations |
|---|---|---|
| Count (2026) | 20 nations | 18 nations |
| Can issue CC certificates? | Yes | No |
| Accepts others’ certificates? | Yes | Yes |
| Requires national eval scheme? | Yes (accredited labs) | No |
| India’s status | Yes (since 16 Sept 2013) | — |
⚖️ Role of the CCDB — What India Will Lead
The Common Criteria Development Board (CCDB) is the technical core of the CCRA. While other CCRA governance groups handle policy-level decisions, the CCDB is responsible for the technical substance. Its key responsibilities include:
- Managing and updating the CC standard (ISO/IEC 15408): When new threat models, product categories, or cryptographic challenges emerge, the CCDB revises the evaluation criteria to remain relevant and rigorous.
- Maintaining the CEM: The Common Methodology for IT Security Evaluation provides detailed procedural guidance for how licensed evaluation laboratories must conduct assessments. Without a harmonised methodology, mutual recognition would be undermined by divergent evaluation practices across countries.
- Driving the ICCC: The annual International Common Criteria Conference (ICCC) is the primary professional forum for governments, evaluation labs, vendors, and standard-setters across the entire CC ecosystem.
As Chair, India will lead and coordinate this technical agenda for two years — directly influencing how Protection Profiles are developed for critical product categories, and how the methodology evolves to address emerging cybersecurity challenges including AI-embedded devices and quantum computing.
The CCDB Chair is not a ceremonial role — it directly shapes which product categories get new security benchmarks and how evaluation rules evolve globally. For India, this is an opportunity to ensure that Protection Profiles for indigenously developed products (under Atmanirbhar Bharat) are designed with domestic capabilities in mind, rather than inheriting Western-centric assumptions about what counts as “secure.”
👤 India’s Journey in the CCRA
India’s participation in the international IT security certification ecosystem has followed a deliberate institutional trajectory. The country joined the CCRA as a Certificate Authorising Nation on 16 September 2013 — a status requiring a functional, internationally accredited national evaluation scheme.
India’s national scheme operates through two institutions:
- MeitY — provides policy and governmental authority.
- STQC Directorate (Standardisation Testing and Quality Certification) — functions as the official Certification Body. Established in 1980 as an attached office under MeitY (then the Department of Electronics), STQC operates a nationwide network of laboratories, including four Electronics Regional Test Laboratories (ERTLs) in Delhi, Kolkata, Mumbai, and Thiruvananthapuram, and ten state-level labs.
STQC holds accreditations from NABL (National Accreditation Board for Testing and Calibration Laboratories) and the American Association for Laboratory Accreditation (A2LA). In February 2026, MeitY launched the SATYA Portal (STQC Lab Automation Portal) — a digital platform to modernise STQC’s testing and certification operations.
📌 Strategic Significance for India
The CCDB chairmanship places India at the agenda-setting level of global IT security governance — a tier previously occupied almost exclusively by Western nations and a small cluster of technologically advanced economies. The practical implications are multi-dimensional:
- Standards influence: The CCDB Chair directs the international work programme for CC and CEM. India gains substantive influence over which product categories receive updated Protection Profiles and how the evaluation methodology evolves.
- Trade and procurement leverage: CC certification under CCRA is often a prerequisite for government procurement of IT security products in member states. Leading the CCDB allows India to shape standards that create structural advantages for compliant domestic producers.
- Technological sovereignty: A leadership role in CC allows India to ensure international frameworks are compatible with domestic priorities, including the evaluation of indigenously developed products under Atmanirbhar Bharat.
- Diplomatic soft power: Standards bodies have historically been a domain of influence for technologically advanced nations. India’s elevation to the CCDB chairmanship signals the maturing of India’s stature in multilateral technology governance.
Key Acronym Chain: CCRA (treaty) → CCDB (technical board India now chairs) → CC/CEM (standards CCDB manages) → ISO/IEC 15408 (CC’s formal name) → STQC (India’s certification body) → MeitY (nodal ministry). Knowing this chain covers most MCQ combinations on this topic.
Don’t confuse CCRA with CCDB. The CCRA is the international treaty/arrangement with 38 member nations. The CCDB is the technical sub-body within CCRA that manages the CC and CEM standards — it is the CCDB that India now chairs, not the CCRA as a whole. Also: STQC ≠ CERT-In. STQC is the IT security certification body under MeitY; CERT-In is the national cybersecurity incident response body, also under MeitY — two different functions.
India was nominated as Chair of the CCDB (not the CCRA as a whole) for a two-year term from April 2026 to April 2028, confirmed at the CCRA Q1 Meeting in Tokyo.
The Common Criteria standard is formally known as ISO/IEC 15408. It was adopted as an ISO standard in 1999 when CC v2.1 was ratified internationally.
India joined the CCRA as a Certificate Authorising Nation on 16 September 2013. This status requires a functional, internationally accredited national evaluation scheme.
STQC stands for Standardisation Testing and Quality Certification Directorate. It is the official CC Certification Body in India, established in 1980 under MeitY.
The CCRA mutually recognises CC evaluations up to EAL 2 (with flaw remediation augmentation) across member states. Higher EAL levels require separate bilateral agreements.