product testing,

product certification, quality system registration, evaluation of testing laboratories, evaluation of certification bodies, management system registrar by an independent body, and recognition of accreditors.
In the context of inter-national mutual recognition agreements with foreign nations NIST is a designating authority for conformity assessment bodies. Relevant MRAs are the
US-European (EU-MRA), Asia Pacific Economic Cooperation (APEC-MRA), and the Inter-American Telecommunications Commission (CITEL-MRA).
American National Standards Institute The American National Standards Institute (ANSI) is recognized by NIST and its NVCASE program. ANSI performs the following activities related to the accreditation of conformity assessment bodies:
provision of accreditation services, particularly for the product and personnel partnership with the American Society for Quality (ASQ) and provision of an

areas,

accreditation program for quality and environmental management systems, and international and regional arrangements for multi-lateral recognition including the IAF, IAA, and the Pacific Accreditation Cooperation (PAC). 2.3.3 2.3.3.1 Europe European Promotion Strategy of Conformity Assessment The European promotion strategy of conformity assessment and its related activities and initiatives can be summarized and categorized as follows:
greater adoption of international standards, development of guidance and good practice on conformity assessment system, strengthen of global conformity assessment system, ensuring that the most appropriate level and type of conformity assessment is used, use of manufacturers declaration of conformity combined with effective product liability laws,
use of quality assurance techniques compliant with related international ISO international cooperation for example with WTO, ISO/IEC, IAF and ILAC, and legislation on procurement.
New Approach The European commission has developed a concept in May 1985 called the New Approach [NEW APP] in order to
promote the industrial competitiveness and product innovation, eliminate technical barriers to trade and to realize the key element of the internal market in the EU, namely the free
movement of people, goods, services and capital. In accordance with this new approach the EU has issued various directives (see section 4.2.2) that specify only fundamental requirements in terms of security, safety or functions. These framework regulations have been complemented by more detailed technical regulations in the form of harmonized standards produced by the European standardization organizations CEN CENELEC and ETSI (see sections 4.2.3.1 to 4.2.3.3), on behalf of the European commission. The new approach can be classified as a co-regulatory approach in which main stakeholders of more than twenty industrial sectors have been involved covering areas such as machinery, buildings and construction, information technology and telecommunications. The new approach was based on the following four principles:

The United Kingdom accreditation service UKAS is the sole national accreditation body recognized by the government to assess, against internationally agreed standards, organizations that provide certification, testing, inspection and calibration services. 2.3.10.1 BSI Standards Group The BSI Standards Group (British Standards Institute, old abbreviation) is organized in the following three subgroups:
BSI British Standards, BSI Management Systems, and BSI Product Services.
The BSI British Standards division is the national standards body of the UK cooperating with the government, businesses and consumers in order to facilitate the development of national, European and international standards. Its subdivision BSI Business Information supports the development of business standards, best practice and management systems. The BSI Management Systems division provides independent third-party certification of management systems for the following areas:
environmental management, occupational health and safety, information security, IT service management, and food safety management systems.
The BSI Product Services division supports the industry in order to develop new and better products compliant with laws and regulations. 2.3.10.2 Communications Electronics Security Group The UK government Communications Electronics Security Group (CESG) as the technical authority for HMG (Her Majestys Government) electronic security has established evaluation facilities for carrying out security evaluations of computer systems in 1985. 2.3.10.3 Department of Trade and Industry The Department of Trade and Industry (DTI) has established the Commercial Computer Security Centre to prove the application of formal security evaluation to commercially available IT products and systems in 1987. Its Standards and Technical Regulations Directorate (STDR) is in charge of related standardization
and regulation. These activities have resulted in the publication of a set of evaluation criteria and operational scheme that are also known as The Green Books. 2.3.10.4 UK IT Security Evaluation and Certification Scheme The UK Government has established a specific body in 1989 called UK IT Security Evaluation and Certification (UKITSEC) body that is responsible for the evaluation and certification of IT security products and systems. The UKITSEC scheme was established in 1991 by a joint effort of the DTI and the CESG, in which the UKITSEC body is located. CESG and DTI are responsible for the management of the UKITSEC scheme. The structure of this organization includes the following groups and their related tasks and services:
the Governments Communications Electronics Security Group (CESG)
responsible for the operation of the scheme as part of their Infosec Assurance and Certification Services (IACS), the CESG Assisted Product Scheme (CAPS) responsible for the assessment of cryptographic products for HMG and the Critical National Infrastructure (CNI), the Fast Track Assessment (FTA) responsible for the assessment of products that are used by HMG and the CNI, and the IT Security Health Check responsible for the identification of vulnerabilities in systems and networks of HMG and the commerce. The objectives of UKITSEC are to support the government and the industry for the purpose of cost effective and efficient security evaluation and certification of IT products and systems, and to provide a framework for the international mutual recognition agreements of certificates. UKITSEC is embedded in the broader management framework that also covers areas for physical, personnel and procedural security measures [BS 7799]. Under the UKITESC scheme the security features of IT products and systems are tested and evaluated independently of suppliers. These activities are carried out against standardized criteria to a formalized methodology. The criteria themselves define a set of degrees of rigor or assurance levels. Security certificates are issued by the UKITSEC scheme for IT products and systems that fulfill the requirements for a claimed level of assurance. 2.3.10.5 Commercial Evaluation Facilities Certification in the UK is based on evaluation reports produced by CommerciaL Evaluation Facilities (CLEFs, called information technology security evaluation facilities ITSEFs in other European countries) that are accredited by the UK Accreditation Service (UKAS) in accordance with the [ISO/IEC 17025] standard. With respect to the adequacy of testing accredited CLEFS can be considered as

2005 2005

Figure 3:
Standards for Conformity Assessment
EN ISO/IEC 17000 The standard Conformity Assessment Vocabulary and General Principles [ISO/IEC 17000] provides new terms and definitions related to conformity assessment based on a functional approach (selection, determination, review and attestation) that was taken by a joint ISO/CASCO - CEN/CENELEC project. It replaces part 2 of the present ISO/IEC Guide 2 (1996) or the EN 45020 (1998). ISO/IEC Guide 2 has defined accreditation as a procedure by which an authoritative body gives formal recognition that a body or person is competent to carry out specific tasks. It describes conformity assessment as any activity concerned with determining directly or indirectly that relevant requirements are fulfilled. Conformity assessment procedures (testing, inspection and certification) yield
assurance that product meet the requirements defined in standards and regulations. EN ISO/IEC 17011 The standard Conformity Assessment General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies [ISO/IEC 17011] replaces EN 45003 (identical with ISO Guide 58), EN 45010 (identical with ISO Guide 61), and ISO/IEC TR 17010. The purpose of these standards is to describe accreditation systems for laboratories, certification bodies and inspection bodies. EN ISO/IEC 17011 specifies requirements for accreditation bodies. It makes a clear distinction between accreditation and certification and does not allow the accreditation bodies to perform any conformity assessment activities among their accreditation activity. EN ISO/IEC 17020 The standard General Criteria for the Operation of Various Types of Bodies Performing Inspection [ISO/IEC 17020] (published by DIN in its German version in November 2004) is identical with the EN 45004. Requirements for inspection bodies as a worldwide standard were approved. EN ISO/IEC 17024 The standard Conformity Assessment General Requirements for Bodies Operating Certification of Persons [ISO/IEC 17024] was already published by the DIN in October 2003. It supersedes the previous EN 45013 (1990). EN ISO/IEC 17040 The standard Conformity Assessment General Requirements for Peer Assessment of Conformity Assessment Bodies and Accreditation Bodies [ISO/IEC 17040] specifies general requirements for the evaluation of accreditation bodies and the peer assessment of certification bodies and other conformity assessment bodies. In the field of mutual recognition it complements the ISO Guide 68 that only describes fundamental terms for mutual recognition EN ISO/IEC 17050 The two-part standard Conformity Assessment - Suppliers' Declaration of Conformity with its part 1 General Requirements and part 2 Supporting Documentation [ISO/IEC 17050] supersede the previous EN 45014 (1998) or the ISO Guide 22 respectively.

agreement of all involved parties to mutually recognize the outcome of the other partners testing, inspection, certification or accreditation. In 1998 the Senior Officials Group for Information Society (SOG-IS) of the European Commission approved the recognition agreement of information technology security evaluation certificates based on ITSEC which came into force in March 1998 as the so-called SOGIS-MRA. The SOGIS-MRA was originally signed by the national certification bodies of Finland, France, Germany, Greece, Italy, the Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, and the United Kingdom. This agreement applies up to the ITSEC E6 level enabling the recognition between the signatory states of certificates issued by their certification bodies. Security certificates that were recognized within the scope of this agreement can be used with the mark shown in Figure 6. The MRA on IT certificates based on CC was extended to cover CC evaluations up to EAL7.
Figure 6: Mark for European ITSEC-MRA
The government bodies from Canada, France, Figure 7: Label for International CCGermany, the United Kingdom, and the United States MRA have sponsored the related Common Criteria project (see section 3.8.4) that has let to the CC versions 1.0 in 1996, 2.0 in 1997, and finally to the international CC standard [ISO/IEC 15408]. The national certification bodies of these countries have signed a first MRA of IT security certificates based on CC up to the evaluation assurance level EAL4 in October 1998. The achieved CC arrangements can be visualized by the specific mark shown in Figure 7. The arrangement on the recognition of common criteria certificates in the field of information technology security [AR-CCC] also includes a plan for the cooperation between its members and the rules for new memberships. In the following years the following countries joint this MRA (see also Figure 8):
October 1999: Australia and New Zealand, May 2000: Finland, Greece, Italy, the Netherlands, Norway and Spain, November 2000: Israel, February 2002: Sweden, November 2002: Austria, September 2003: Hungary and Turkey, November 2003: Japan, September 2004: Czech Republic, March 2005: Republic of Singapore, and

April 2005: India.

Figure 8: International Agreements for Recognition of Common Criteria
Types of Certification The main types of certification are management system certification and product certification. Less well-known examples of certification are personal certification or certification of services. It shall be noted that in this context the terms certification and registration are sometimes used interchangeably. Management System Certification Main types of management system certification are certification of quality management systems and environmental management system conforming to ISO 9000, respectively to ISO 17000 standards. Product Certification Variants of product testing that exist are for example the initial testing of a product combined with an assessment of its manufacturers quality management system, and possibly followed up by surveillance testing. Surveillance testing is based on the manufacturers quality management system and the testing of samples taken from the factory and/or the market. Other kinds of product certification include initial testing and surveillance testing, or are simply based on the testing of a sample product (type testing). An issued certificate conforms, on the day of signature that the identified version of a product or system complies with the requirements stated in its security target.

National Voluntary Laboratory Accreditation Program The National Voluntary Laboratory Accreditation Program (NVLAP) has been launched by NIST in order to accredit independent laboratories that perform the testing of cryptographic modules against the requirements specified in FIPS 140-1 (for back-ward compatibility) and FIPS 140-2. These testing laboratories are called Cryptographic Modules Testing (CMT) Laboratories. CSE is currently also operating under NVLAP, but the development of a Canadian CMT laboratory accreditation process is envisaged under the framework of PALCAN. The specific document Derived Test Requirements for FIPS 140-2 [FIPS 140-2 DTR] specifies testing requirements for NCLAP CMT laboratories and vendors that have to be taken into account during the execution of a CMVP test campaign. Supplementing information on program policy, technology, cryptographic algorithms and module validation is given in the FIPS 140 implementation guidance [FIPS 140-1 IG] and [FIPS 140-2 IG]. A validation certificate is issued for each validated cryptographic module (see Table 46 for CSE and Table 66 for NIST). Cryptographic modules that haven been approved by NIST or CSE is issued a certificate including the FIPS mark as shown in Figure 11 that indicates its conformance with FIPS 140-1 or FIPS 140.2. The organizations responsible for CMVP certification are NIST and CSE that also maintain a list of FIPS 140-1 and FIPS 140-2 vendors whose modules have been validated against the requirements of FIPS 140-1 and FIPS 140-2. Contact information about the accredited NVLAP CMT laboratories in the USA is provided in Table 67. Links are provided in Table 66. Contact information about the accredited NVLAP CMT laboratories in Canada is provided in Table 47. Links are provided in Table 46. A list of validated products under NVLAP CMVP can be obtained from the CVMP web page (see Table 46). A further evaluation and certification service of NIST/CSE is an independent thirdparty evaluation and certification service for IT security products compliant with the Canadian Common Criteria Evaluation and Certification Scheme (CCS) or the US Common Criteria Evaluation and Validation Scheme (CCEVS).

Figure 11: FIPS Mark

IT testing laboratories under the CCEVS that are approved by NIAP and accredited by NIST are called Common Criteria Testing Laboratories (CCTL). Contact information about the accredited NVLAP CCTL laboratories in the USA is provided in Table 67. Links are listed in Table 66. A list of validated protection profiles and products compliant with CCEVS can be obtained from the CCEVS web page (link see Table 66). Contact information about the accredited NVLAP CCTL laboratories in Canada is provided in Table 47. Links are given in Table 46.
European Union This section provides an overview of European legislation, initiatives and organizations that refer to IT security and conformity assessment. For logical reasons aspects of European legislation and initiatives related to electronic procurement are described in section 9.2. 4.2.1 Dissemination of CMVP in the European Union Within the framework of the European EESSI initiative (see section 4.2.4.1) the two groups ETSI/ESI and CEN/ISSS have achieved harmonized results that are published as documents called ETSI Technical Specifications (ETSI TS) and CEN Workshop Agreements (CWAs). These documents are intended for the use by manufacturers, operators, independent bodies, certification service providers, assessors, evaluators and testing laboratories that are involved in conformity assessment. A selection of relevant technical specifications and workshop agreements is provided in Table 6. Among these documents especially the following documents

The UKITSEC policy is the outcome of intensive interaction with the government and stakeholders, as for example with:
Inter Departmental Infosec Committee, IT Security Officers Forum, Defense Infosec Product Cooperation Group, CLEF Progress Meetings, Common Criteria Executive Sub-committee, or UK CC Support Group.
The DTI is the responsible body for supervision compliant with the European electronic signature directive [EC DIR ES]. DTI is also a member of the Forum of European Supervisory Authorities FESA. 4.5.4.6 UK Certification Body The UK Certification Body (CB) is responsible for the evaluation and certification operations in all sectors of the industry and the government. The UK CB and its ITSEC scheme have been accredited to the European Standard for Certification Bodies [EN 45011]. The CB was granted a certificate by UKAS in March 2000.
Figure 15: Mark for UKITSEC In particular the CB is responsible for achieving a conscheme Certificate sistent use of the evaluation criteria and evaluation reports across all CLEFs and evaluations, and for the support of the evaluation process. CB performs its activities in accordance with [EN 45011] that is equivalent to [ISO/IEC G65]. Products for which a certificate has been awarded can use the certification mark shown in Figure 15. The UK certification body is also in charge of international mutual recognition agreements for certificates with foreign countries which is a strong aim of the UK government. The goal is that certificates issued under the UK scheme should also be recognized through the European Union and European Economic Area, and North America. A further goal is to extend this kind of recognition to the wider international context. UK is also a member of the SOG-IS of the European Commission for [ITSEC] and [CC], and the CC mutual recognition arrangement [CC MRA].
In particular the CB has to perform the following main tasks:
the appointment and review of CLEFs accredited by the UK accreditation
service, provision of advice, support and standards for the training of CLEF staff, registration of evaluation qualifications of CLEF staff, confirmation of the suitability of security targets, agreement of evaluation work plans for certification purposes, registration of evaluations, certification of the results of evaluations, provision of details of certified products or systems, provision of details of CMS approved products or systems, approval of press releases relating to the scheme, liaisons with appropriate national and international agencies responsible for mutual recognition of certificates, production of an annual operation report for the management board, and the development and maintenance of the UK methodology for achieving consistency with international criteria and methodologies.

personal data protection act: coming into force in September 2001, and
specifying the requirements for recording and using of personal data, and implementing the EU data protection legislation, e-commerce law: coming into force in May 2004, implementing the European e-commerce directive, and providing a series of amendments to existing laws and regulations, new telecommunications act: coming into force in May 2004, adapting the new EU regulatory framework for electronic communications (framework directive, the access directive, the universal services directive, the authorization directive and the privacy directive), and supervised by the national regulatory authority OPTA (see section 4.6.2.5), and the electronic signature act: coming into force in May 2003, implementing the European electronic signature directive, providing a firm legal basis for the
deployment and use of electronic signatures in e-commerce and egovernment. 4.6.2.3 Government Programs and Initiatives E-Government Program The Netherlands government has initiated and supported several programs that have been realized in cooperation with the industry, comprising:
e-government, e-procurement, business support desk, ICT network infrastructure, government transaction portal, and the establishment of a standardization council and forum.
The e-government program of the Netherlands has been defined in a policy statement in September 2004, providing an agenda for the next few years for the following main areas:
electronic access to government, electronic authentication, unique identification numbers for citizens and businesses, key registers, electronic personal identification (smart cards), electronic information exchange, and fast connections between government organizations.
The implementation of an ICT network infrastructure has been a main activity that shall realize the communication between the main locations of the governmental departments (so-called Hague Ring). The Ring is expected to become operational in spring 2006. Currently efforts are being made in order to establish a standardization council (government officials) and a standardization forum (business and government experts) in order to promote the interoperability of electronic data exchange between government departments and services, and between these, citizens and companies. The organization Overheid (link see Table 58) is the central access point to get information about the Dutch governmental organizations. The non-profit organization ECP.NL, which was founded by the Dutch Ministry of Economic Affairs and the Dutch Employees Association in 1998, provides an independent and open forum for public and private organizations. Its main goal is

The second step of the certification scheme refers to contractual agreements that the applicant can make with the evaluation body based on the agreed security target. The third step includes the forwarding of the completed certification request by the applicant to the certification body, and the return of a formal confirmation from the BSI with a notification of the registered certification ID and the name of the certifier. If allowed in the certification request the product to be certified will be added to the published list of certificates. The pre-evaluation phase is finished after the product to be certified and the relevant documentation has been given to the selected evaluation facility and which in turn has appointed its evaluators. During the pre-evaluation phase the evaluation body will also produce the cost estimates for the whole evaluation phase. 5.2.4 Evaluation The BSI and the other private-sector evaluation facilities accredited and licensed by the BSI perform the testing of the IT products and systems under certification against the relevant security criteria. This service is provided for the German industry but also for companies world-wide. During the first step of the evaluation phase the evaluation body performs the technical evaluation of the IT system or product in different testing steps in accordance with the evaluation aspects of the related framework of criteria. During the second step the outcomes of testing will be documented and commented by the evaluation body in form of testing reports. The last step of an evaluation is concerned with the production of a final evaluation report created by the evaluation body which contains the results of the evaluation of all claimed evaluation aspects. 5.2.5 Certification The certification body (BSI or other accredited certification body) is responsible to ensure the equivalence of evaluation results received from different evaluation bodies. In order to achieve this goal the certification body is also involved in the previous phases concerning the approval of the security target, the creation and the approval of interpretations, as well as the acceptance of testing reports. The result of the certification procedure will be summarized by the certification body in a certification report that will also be published if the applicant accepts its
publication. The applicant will also be awarded a German IT Security Certificate (Deutsches IT-Sicherheitszertifikat). Depending on the type of evaluation, i.e. whether conforming to ITSEC, CC and/or conforming to a MRA the applicant may use the related certification marks (see Figure 6, Figure 9, Figure 7) together with the German certification mark (see Figure 13). The costs for certification (small fraction of the total costs) arise at the end of the certification phase as regulated by the official cost ordinance [BSI SoC]. 5.2.6 Certification of Technical SigG Components This specific service is related to the evaluation and certification of technical components that claim to conform to the German digital signature act SigG, or that are mandated by SigG (see also section 4.4.6.2). It distinguishes the following categories of SigG components:

components for CA services, secure signature creation devices, and signature application components.
The conformity assessment of this class of products also includes the assessment of cryptographic material and mechanisms. The evaluation and certification of cryptographic mechanisms in other non-SigG conformant components is also possible, if these are part of a security function within the IT product or system under assessment. 5.2.7 Certification of New Product Versions Normally the evaluation and certification procedures refer to an actual version of an IT product or system. This is achieved by a detailed specification that distinguishes those parts of the product that are relevant for its security aspects from those that are not. Every change of the certified product or system that leads to a new version has to be communicated to the certification body. A re-evaluation of a new version is not required, if the changes only affect those parts of the product or system that are not of relevance for the security aspects. On the other hand a re-evaluation of the new version is required and has to be performed, during which only the changed parts and their interfaces will be subject to evaluation. 5.2.8 Certification of Products Under Development BSI recommends to start as early as possible with the request for certification in order to achieve an early assessment of the security targets already during the development of a product. Such type of a progressive certification procedure
provides advantages compared with the certification of a completed product, since the financial and personnel efforts are lower. 5.2.9 Certification of Baseline Protection BSI has developed a specific certification scheme for IT baseline protection which is applicable for security concepts of IT systems with normal security requirements and for which security measures have been described in the BSI document IT Baseline Protection Manual [ITBPM] (see also 4.4.6.6). In this context BSI has developed the GrundSchutz-TOOL (GSTOOL, IT Baseline Protection Tool) that assists its users with the creation, administration and improvement of IT security concepts based on ITBPM. The GSTOOL also contains an embedded crypto module that can be used for data encryption and it provides support for the following activities:
gathering of information about IT systems, analysis of the structure of IT systems, gathering of information about applications, assessment of security requirements, modeling of IT baseline security, safeguard implementation, cost evaluation, report generation, audit, basic security checks, and certification of IT baseline protection.

quality and management, security and confidentiality, staff qualifications and training, observance of the rules of the UKITSEC scheme defined by the management board, accreditation as a testing laboratory by the UK accreditation service UKAS in conformance with [ISO/IEC 17025], observance of highest standards commercial confidentiality, recognition of the status of each evaluator by the certification body, and scrutiny by the certification body and UKAS.
Accredited Commercial Evaluation Facilities Information Technology Security Evaluation Facilities (ITSEFs) are called Commercial Evaluation Facilities (CLEFs) in the UK. The following CLEFs have been accredited by the certification body that are responsible for the testing and evaluation of IT products and systems (see also [UKSP 06]):
Admiral Management Services Ltd, BT, CMG, EDS Ltd, IBM Global Services, Logica UK Ltd, SiVentiure, and

Syntegra.

CMVP Testing and Certification Laboratories Contact information about the accredited independent laboratories that perform the NVLAP CMVP testing of cryptographic modules (BT Cryptographic Module Testing Laboratory, and Logica IT Security Laboratory) against the requirements specified in FIPS 140-1 (for back-ward compatibility) and FIPS 140-2 in the UK is provided in Table 65 (links see Table 64). A list of validated products under CMVP has not been published.
Certification of Protection Profiles UK protection profiles have to be certified according to the procedures providing compliance with the requirements specified in the Common Criteria [CC]. Protection profiles for IT products and systems that have been certified in the UK are listed in Table 34 (by LogicaCMG) and in Table 35 (by IBM Global Services).

Table 34:

Protection Profiles Certified by LogicaCMG in the UK
National Institute of Standards and Technology NIST Oracle Corporation Oracle Corporation National Security Agency NSA National Security Agency NSA Associates for Payment Clearing Oracle Corporation Safelayer Communications S.A
Role-Based Access Control Protection Profile Oracle Commercial DBMS Protection Profile Oracle Government DBMS Protection Profile Controlled Access Protection Profile Version 1.d Labeled Security Protection Profile Version 1.b APACS PIN Entry Device for Protection Profile Oracle DBMS Protection Profile PKI Secure Kernel Protection Profile 1.1

Evaluation and Certification of Protection Profiles and IT Products in Other European Countries
Italy 8.1.1 Evaluation and Certification Bodies OCSI (see section 4.6.1.4) is the institution that is responsible for the evaluation and certification of IT products and systems in Italy. 8.1.2 Information Technology Security Evaluation Facilities ITSEFs are called Laboratori per la Valutazione della Sicurezza (LVS) in Italy. Up to now the following LVSs, that are responsible for the testing and evaluation of IT products and systems, have been accredited by OSCI:
Consorzio R.E.S.: IMQ/LPS: Proge-Sec:
via dellIndiustria 4, 00040 Pomezia, via Quintiliano 43, 20138 Milano, and via Mentore Maggini 50, 00143 Roma
Certification of Smartcard Protection Profiles, IT Systems and Products Currently information on the evaluation and certification of smartcard protection profiles, IT products and system in Italy is not available.
Netherlands 8.2.1 Evaluation and Certification Bodies TNO, OPTA and ECP.NL (see section 4.6.2.5) are the organizations that are responsible for the evaluation and certification of IT products and systems in the Netherlands.
Information Technology Security Evaluation Facilities Currently accredited testing and evaluation facilities do not exist in the Netherlands. One exception is TNO which has been accredited by the German accreditation body BSI).
Certification of Smartcard Protection Profiles, IT Systems and Products Currently information on the certification of smartcard protection profiles, IT products and system is not available for the Netherlands.
Spain 8.3.1 Evaluation and Certification Bodies CCN (see section 4.6.3.4) is the institution that is responsible for the evaluation and certification of IT products and systems in Spain. 8.3.2 Information Technology Security Evaluation Facilities The following laboratories that have been accredited by CCN are responsible for the testing and evaluation of IT products and systems:
CESTI-INTA (ITSEC-E3,CC-EAL4), and LGAI (under accreditation, CC-EAL4)
Certification of Smartcard Protection Profiles, IT Systems and Products Currently information on the certification of smartcard protection profiles and IT systems is not available for Spain. IT security products that have been certified by CEST-INTA are shown in Table 43.

Table 43:

Certified IT Products that have been Evaluated by the Spanish Evaluation Facility CEST-INTA
Safelayer Secure Communications S.A. Safelayer Secure Communications S.A. Microelectrnica Espaola S.A:
KEY ONE 2.1, Public Key Infrastructure Software Solution KEY ONE 3.0, Public Key Infrastructure Software Solution Tarjeta Electrnica del Ministerio de Defensa TEMD 1.0 (secure signature creation device)

1992-02-25

93/38/EEC 98/4/EC

1993-06-14 1998-02-16

2001/78/EC EC No. 2151/2003

2001-09-13 2003-12-16

2004-02-03
2004/17/EC 2004/18/EC COMM(2004) 327
Directive coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors Directive on the coordination of procedures for the award of public work contracts, public supply contracts and public service contracts Commission of the European Communities, Green Paper on Public-Private Partnerships and Community Law on Public Contracts and Concessions State of the Art Report Case Studies on European Electronic Public Procurement Projects
2004-04-30 2004-04-30 2004-04-30 2004-07 2004-10-28

EC No. 1874/2004

Commission regulation amending Directives 2004/17/EC and 2004/18/EC of the European Parliament and of the Council in respect of their application thresholds for the procedures for the award of contracts Decision on the detailed rules for the application of the procedures provided for in article 30 of directive 2004/17/EC coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors Directive amending annex XX to directive 2004/17/EC and annex VIII to 2004/18/EC on public procurement Regulation establishing standard forms for the publication of notices in the frame work of public procurement procedures pursuant to directives 2004/17/EC and 2004/18/EC Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Public-Private Partnerships and Community Law on Public Procurement and Concessions

2004/51/EC

2005-01-07
2004/51/EC EC No. 1564/2005

2005-09-07 2005-09-07

COMM(2005) 569

2005-11-15

International Activities The WTO committee on government procurement has approved the required modifications of its Government Procurement Agreement (GPA) in May 2004 which since then extends the GPA to the new EU member states.
Public Procurement Initiatives In December 2003 the Council and the European Parliament have reached an agreement on proposed directives on the coordination of
procedures for the award of public supply contracts, public service contracts, procurement procedures of entities operating in the water, energy, transport
and public works contracts [EC DIR PCO],
and postal services sectors [EC DIR PPO], and on amending regulation on the Common Procurement Vocabulary (CPV). In January 2005 the Council and the European Parliament have made a decision on the detailed rules for the application of the procedures provided for in article 30 of the EU Directive 2004/17/EC coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors. The member states are required to implement the European directives into their national laws until January 2006. The new European procurement regulations contain the following three new optional procurement procedures:

Standarization Body CVMP Testing Laboratory Testing Laboratory Certification Body Testing Laboratory Government Procurement Procurement Portal
Government Body Government Initiative

DTI DTI

http://www.dti.gov.uk http://www.dti.gov.uk/strd/nssf.html http://www.dti.gov.uk/innovation-group/pressrel271102.htm http://www.eds.com http://www.foa.co.uk http://www.fsa.gov.uk http://www.ibm.com http://www.icma-group.org http://www.itso.org.uk http://www.logicacmg.com http://www.logicacmg.com http://www.uniras.gov.uk/niscc/index-en.html http://www.nssf.info http://www.nssf.info/index.xalter http://www.ofcom.org.uk http://www.ofgem.gov.uk http://www.ogcbuyinsolutions.gov.uk http://www.postcomm.gov.uk http://www.open.gov.uk/radiocom http://www.siventure.co.uk http://www.dti.gov.uk/strd/certify.html http://www.tscheme.org http://www.itsec.gov.uk http://www.uniras.gov.uk/niscc/index_en.html
Testing Laboratory Banking Association Financial Services Authority Testing Laboratory Banking Association Smartcard Organization CVMP Testing Laboratory Testing Laboratory Government body Standarization Body Regulatory Authority Regulatory Authority Government Procurement Regulatory Authority Regulatory Authority Testing Laboratory Standards and Technical Regulations Supervision Body Certification Body CERT Body
EDS Ltd FOA FSA IBM Global Services ICMA ITSO Logica IT Security Laboratory Logica UK Ltd NISCC NSSF OFCOM OFGEM OGC POSTCOMM RADIOCOM SiVenture STRD of DTI tScheme Limited UKITSEC UNIRAS

Table 65:

Contact Information about Organizations in the United Kingdom
Admiral Management Services Ltd CLEF APCIMS Association of Private Client Investment Managers and Stockbrokers BBA British Bankers Association BSI British Standards

++7247 7080

++7377 0939
Kings Court 91-93 High Street, Camberley Surrey GU15 3RN, UK / worsw_r@admiral.co.uk 114 Middlesex Street, London E1 7JH, UK
inners Hall, 105-108 Old Broad Street, London EC2N 1EX, UK +996 +389 Chiswick High Road, GB London W4 4Al, UK
Institution BT Cryptographic Module Testing Laboratory NVLAP (CMVP) CESG Communications Electronics Security Group