In early 2011, the NSA/CSS published a paper by Chris Salter proposing a profile-based approach to evaluation. In this approach, interest groups are formed around types of technologies that, in turn, develop protection profiles that define the method of evaluating the type of technology. [12] The objective is a more robust assessment. There is a concern that this will have a negative impact on mutual recognition. [13] The United Kingdom has also developed a series of alternative systems where it appears that the delays, costs and overheads of mutual recognition hinder the functioning of the market: any certificate authorizing the CCRA participant ensures that evaluations are carried out to high and consistent standards. This system of recognition of IT security certification standards between Member States is called mutual recognition (MR) and makes it unnecessary to duplicate an evaluation. This agreement is currently limited to the first four levels of security of common Criteria: EAL1 to EAL4 without cryptographic functionality. Procedures with the terms “Several CBs in a country / commercial CBs” and “Time criteria required to transfer from a participant consuming a certificate to a certificate authorizing the participant” are to be consulted by nations considering applying for certificate status authorizing the participant. These procedures extend the management committee`s decisions regarding the implementation of the agreement. In September 2012, a majority of CCRA members issued a vision statement that lowers mutual recognition of CC-rated products at EAL 2 (including increase with troubleshooting). In addition, this vision indicates an outlier level of security and evaluations will be limited to compliance with protection profiles that do not have a specified level of security.

This will be done by technical working groups developing PPs on a global scale and a transition period is not yet fully defined. In addition to the Common Criteria standard, there is also a Common Criteria MRA (Mutual Recognition Arrangement) sub-contract in which each party recognizes evaluations according to the common Criteria standard of other parties. Originally signed in 1998 by Canada, France, Germany, the United Kingdom and the United States, Australia and New Zealand joined in 1999, followed by Finland, Greece, Israel, Italy, the Netherlands, Norway and Spain in 2000. Since then, the arrangement has been renamed the Common Criteria Recognition Arrangement (CCRA) and membership has expanded further.