Introduction
The SOG-IS agreement was produced in response to the EU Council Decision of March 31st 1992 (92/242/EEC) in the field of security of information systems, and the subsequent Council recommendation of April 7th (1995/144/EC) on common information technology security evaluation criteria.
The agreement was updated in January 2010 and the full text can be downloaded in the section "Agreement" of the Web site. Participants in this Agreement are government organisations or government agencies from countries of the European Union or EFTA (European Free Trade Association), representing their country or countries. As of June 2017, the national bodies participating in the agreement are:
Austria, Bundeskanzleramt | |
Belgium, Centre for Cyber Security Belgium | |
Croatia, Information Systems Security Bureau | |
Denmark, CFCS - Center for Cyber Security | |
Estonia, RIA - Riigi Infosüsteemi Amet | |
Finland, FICORA - Finnish Communications Regulatory Authority | |
France, ANSSI - Agence Nationale de la Sécurité des Systèmes d'Information | |
Germany, BSI - Bundesamt für Sicherheit in der Informationstechnik | |
Italy, OCSI - Organismo di Certificazione della Sicurezza Informatica | |
Luxembourg, ANSSI.lu - Agence Nationale de la Sécurite des Systèmes d'Information Luxembourg | |
The Netherlands , NLNCSA - Netherlands National Communications Security Agency, Ministry of the Interior and Kingdom Relations | |
Norway, SERTIT - Norwegian National Security Authority operates the Norwegian Certification Authority for IT Security | |
Poland, NASK - National Research Institute | |
Slovakia, NBÚ - Národný bezpečnostný úrad | |
Spain, CCN - Centro Criptológico Nacional, Organismo de Certificación de la Seguridad de las Tecnologías de la Información | |
Sweden, FMV - Försvarets Materielverk | |
United Kingdom, NCSC - National Cyber Security Centre |
The participants work together to:
- Coordinate the standardisation of Common Criteria protection profiles and certification policies between European Certification Bodies in order to have a common position in the fast growing international CCRA group
- Coordinate the development of protection profiles whenever the European commission launches a directive that should be implemented in national laws as far as IT-security is involved
The agreement provides for member nations to participate in two fundamental ways:
- As certificate consuming participants and
- As certificate producers
For certificate producing nations there are also two levels of recognition within the agreement:
- Certificate recognition up to EAL4 (as in CCRA)
- Certificate recognition at higher levels for defined technical areas when schemes have been approved by the management committee for this level.
Rationale for the updated SOG-IS Agreement
The original agreement signed in 1997 (updated to incorporate the use of Common Criteria in 1999) was updated in 2010 for two reasons; firstly to provide a robust mechanism allowing new schemes to take part as certificate producers and, secondly, to limit the higher levels of recognition to agreed technical domains where adequate agreement around evaluation methodology, laboratory requirements, attack methods etc. are in place.
Further Information
The following pages provide more detail. Contact with the group can also be made through any of the participating schemes.
- Status of SOG-IS participants
- Details of Operation
- Supporting documents
- Protection Profiles
- SOG-IS Technical Domains
- Documents of the agreement
Announcements
February 2018:
June 2023:
The SOG-IS MRA Management Committee has decided to accept the usage of the CC:2022 version of Common Criteria and CEM:2022 for issuing CC certificates by SOG-IS Schemes according to their authorizing status. Both, the CCRA version as well as the ISO version (ISO/IEC 15408:2022 and ISO/IEC 18045:2022) are accepted to be used.
Further, the transition policy and rules to migrate from CC V3.1 / CEM V3.1 to CC:2022 / CEM:2022 as defined by the Common Criteria Recognition Arrangement (CCRA) are fully accepted by SOG-IS MRA.
CCRA CC:2022 and CEM:2022 as well as the transition policy document are available at: https://www.commoncriteriaportal.org/cc/
Contact
If you have questions regarding the SOG-IS MRA or its website, please contact one of the participants (see participants point of contact list).