The NCSC considers that effective cybersecurity requires a combination of appropriate product development, architectural design, situational awareness, and agility of response to threats.
Evaluation of individual products can play a part but, for the UK, its relevance, in the wider cybersecurity context, is diminishing and this has been reflected in the limited UK market and developer demand for certification.
Following a review of the range of NCSC assurance services we have concluded that the operation of a national common criteria certification scheme is no longer an appropriate use of our resources. On 1 October 2019 we ceased to be a certificate producer under the Common Criteria Recognition Agreement (CCRA).
As a Certificate Consuming Participant, the UK will continue to recognise CCRA compliant certificates as providing a level of confidence in their respective products. The UK also remains committed to working with the Common Criteria community on the development of relevant Collaborative Protection Profiles (cPPs and their supporting documents), for technologies of interest to the UK, by contributing to associated international technical communities, and to the development of underlying International standards in ISO etc.