Why in News
India has assumed the Chair of the Common Criteria Development Board (CCDB) — the technical arm of the international Common Criteria Recognition Arrangement (CCRA) — for a two-year term from April 2026 to April 2028. The decision was confirmed at the 1st Quarter Meeting of the CCRA held in Tokyo from April 14-16, 2026, with the chairmanship formally vesting in officials of India’s STQC Directorate under the Ministry of Electronics and Information Technology (MeitY). Press coverage through mid-to-late May 2026 has framed the elevation as India moving from a rule-taker to a rule-maker in the global cybersecurity standards architecture.
What is the CCRA and the CCDB?
The Common Criteria Recognition Arrangement (CCRA) is an international multilateral agreement under which signatory countries mutually recognise certifications of Information Technology (IT) security products evaluated against the Common Criteria standard. Once a product is certified by an authorised national scheme of any member country, it is treated as certified across the arrangement, eliminating duplicative evaluations and reducing the time and cost of cross-border procurement.
| Body | Function |
|---|---|
| CCRA | Political-administrative arrangement; admits members; mediates the mutual-recognition framework |
| CCDB (Common Criteria Development Board) | Technical core; maintains the Common Criteria standard and the Common Evaluation Methodology; manages the work programme |
| CCMC (Common Criteria Management Committee) | Oversight body of authorising nations |
Underlying Standards
| Standard | Subject |
|---|---|
| ISO/IEC 15408 | Common Criteria for Information Technology Security Evaluation |
| ISO/IEC 18045 | Common Evaluation Methodology (CEM) — how an evaluator actually conducts the assessment |
Membership Structure
The CCRA presently comprises 38 member nations, divided into two tiers:
| Tier | Count | Right |
|---|---|---|
| Certificate Authorizing Nations | 20 | Issue CC certificates recognised across the CCRA |
| Certificate Consuming Nations | 18 | Accept (consume) certificates issued by Authorizing Nations |
Authorizing Nations include: USA, UK, Germany, France, Japan, Republic of Korea, Australia, Canada, Italy, Netherlands, Norway, Spain, Sweden, Türkiye, Malaysia, Singapore, and India.
India’s CCRA Journey
| Year | Milestone |
|---|---|
| September 16, 2013 | India joined CCRA as a Certificate Authorizing Nation |
| 2013 onward | STQC Directorate operates the Indian Common Criteria Certification Scheme (IC3S) |
| April 2026 | India assumes Chair of the CCDB for the 2026-2028 term |
STQC — India’s Nodal Body
The Standardisation Testing and Quality Certification (STQC) Directorate functions under MeitY as the National Certification Body for the CC scheme. STQC operates the Indian Common Criteria Certification Scheme (IC3S), conducts CC evaluations at its labs in Kolkata, Bengaluru, and Delhi, and certifies products against Protection Profiles and Security Targets.
Important distinction for UPSC: the certifying body for the Common Criteria scheme in India is STQC under MeitY, not DRDO.
Common Criteria — Technical Architecture
The CC framework rests on three core artefacts and a graded assurance ladder.
Core Artefacts
| Artefact | Purpose |
|---|---|
| Protection Profile (PP) | An implementation-independent statement of security requirements for a class of products (e.g., firewalls, smartcards, mobile OS, network devices) |
| Security Target (ST) | A vendor’s claim of how a specific product meets a PP (or its own bespoke requirements) |
| Evaluation Technical Report (ETR) | The evaluator’s confidential report supporting the certificate |
Evaluation Assurance Levels (EALs)
The CC defines seven Evaluation Assurance Levels of increasing rigour.
| Level | Description | Typical Use |
|---|---|---|
| EAL1 | Functionally tested | Lowest assurance; consumer products |
| EAL2 | Structurally tested | Low-risk environments |
| EAL3 | Methodically tested and checked | Moderate-risk commercial |
| EAL4 | Methodically designed, tested, and reviewed | Highest level that is cost-effective without speciality engineering; the commercial workhorse |
| EAL5 | Semi-formally designed and tested | Specialised high-assurance |
| EAL6 | Semi-formally verified design | High-value government / military |
| EAL7 | Formally verified design and tested | Maximum assurance — used in nuclear command, classified comms |
Significance of India’s Chairmanship
Strategic Rationale
- Standards diplomacy: Chairing the CCDB places India in the same standards-leadership cohort as the USA, UK, Germany, and Japan — a meaningful elevation in the tech standards arena that includes ITU-T, IEEE, 3GPP, ISO/IEC JTC 1, and IETF.
- Domestic certification capacity: Chairmanship strengthens STQC’s voice in shaping Protection Profiles for product classes where India has emerging vendor depth — telecom equipment, digital identity, IoT, automotive electronics.
- Cybersecurity sovereignty: India will help author rules under which products entering its government, defence, and critical-infrastructure procurement chain are evaluated — narrowing supply-chain risk windows.
- Indo-US iCET alignment: The initiative on Critical and Emerging Technologies (iCET, 2022) explicitly identifies cybersecurity standards harmonisation as a sub-track. CCDB chairmanship operationalises that intent.
Use-Case Footprint of CC-Certified Products in India
| Domain | Use of CC Certification |
|---|---|
| Defence procurement | Cryptographic modules, secure routers, COMSEC equipment |
| Critical Information Infrastructure (CII) | Notified by NCIIPC under Section 70A of the IT Act, 2000 |
| Telecom | TSDSI standards alignment; trusted source designations |
| Digital identity | Aadhaar authentication ecosystem; eSign and DigiLocker security modules |
| Banking & payments | UPI infrastructure security elements; HSMs and smartcards |
India’s Cybersecurity Institutional Framework
| Body | Acronym | Year | Parent | Statutory Basis |
|---|---|---|---|---|
| Computer Emergency Response Team — India | CERT-In | 2004 | MeitY | Section 70B, IT Act, 2000 |
| National Critical Information Infrastructure Protection Centre | NCIIPC | 2014 (operational) | NTRO | Section 70A, IT Act, 2000 |
| Indian Cybercrime Coordination Centre | I4C | 2018 | MHA | Administrative scheme |
| Standardisation Testing and Quality Certification | STQC | 1980 | MeitY | Administrative |
| National Cyber Security Coordinator | NCSC | 2014 | PMO / National Security Council Secretariat | Administrative |
| Data Protection Board of India | DPB | 2023-24 (post-DPDP Act) | MeitY | Digital Personal Data Protection Act, 2023 |
Why the Chair Matters Right Now
Three converging policy currents make 2026 a pointed moment for India to lead the CCDB.
1. Domestic Legislative Architecture
The Digital Personal Data Protection (DPDP) Act, 2023 introduced the concept of the Significant Data Fiduciary (SDF) — entities designated by the Board on the basis of data volume, sensitivity, and risk. SDFs face heightened audit and security obligations for which CC-evaluated products are a natural compliance vehicle.
2. Semiconductor and 5G/6G Push
The India Semiconductor Mission (ISM) under MeitY, with a corpus of approximately ₹76,000 crore, anticipates Indian-fabricated chips serving sensitive markets (defence, automotive, telecom). Those markets increasingly demand CC certification at EAL4 and above. The Bharat 6G Alliance, launched in 2023, similarly contemplates CC-aligned trust frameworks for next-generation telecom.
3. Post-Quantum Readiness
CCDB working groups are drafting Protection Profiles for post-quantum-cryptography (PQC) primitives following the NIST PQC standardisation announcements. India’s chair lets STQC shape PQC PPs that align with domestic cryptographic priorities (e.g., CCA-led indigenous algorithms for government use).
UPSC Relevance
- GS Paper 2 — International Relations: India and international institutions, agencies, and fora — their structure and mandate; bilateral, regional, and global groupings affecting India’s interests; effect of policies and politics of other countries on India.
- GS Paper 3 — Internal Security: Challenges to internal security through communication networks; basics of cyber security; role of standards and certifications in protecting critical information infrastructure.
- GS Paper 3 — Science & Technology: Awareness in the fields of IT, computers, and indigenisation of technology; standards and intellectual property in emerging technologies.
- Essay linkage: “Digital sovereignty” — the role of standards bodies in shaping the geopolitics of technology.
Facts Corner
- CCRA full form: Common Criteria Recognition Arrangement — international IT security product certification mutual-recognition framework.
- CCDB full form: Common Criteria Development Board — technical arm of the CCRA.
- India’s CCDB chairmanship tenure: April 2026 — April 2028.
- Confirmation venue: 1st Quarter CCRA Meeting, Tokyo, April 14-16, 2026.
- India joined CCRA: September 16, 2013 as a Certificate Authorizing Nation.
- Indian nodal body: STQC Directorate under MeitY (NOT DRDO).
- Indian scheme name: Indian Common Criteria Certification Scheme (IC3S).
- Underlying standard: ISO/IEC 15408 (Common Criteria).
- Evaluation methodology standard: ISO/IEC 18045 (Common Evaluation Methodology / CEM).
- CCRA membership: 38 nations — 20 Authorizing + 18 Consuming.
- Evaluation Assurance Levels: EAL1 (lowest) to EAL7 (highest); EAL4 is the commercial workhorse.
- CERT-In: established 2004; under MeitY; Section 70B, IT Act, 2000.
- NCIIPC: under NTRO; Section 70A, IT Act, 2000.
- I4C: under MHA; established 2018.
- DPDP Act: 2023 — created the Data Protection Board.
- Indo-US iCET: launched 2022 — has a cybersecurity sub-track.
- India Semiconductor Mission corpus: ~₹76,000 crore.
- Bharat 6G Alliance: launched 2023.
Sources: Press Information Bureau, MeitY, STQC