Common Criteria Certificate Validity and Expiry
A Common Criteria (ISO/IEC 15408) certificate is not valid forever. Each certificate is issued with a defined validity period after which the certificate transitions to a non-active state. Procurement teams, auditors, and compliance reviewers need to understand what those states mean and how to act on them.
Summary: Most Common Criteria certificates are issued for around five years. After expiry the certificate is moved to an archived or withdrawn state and can no longer be cited as active evidence, though maintenance updates can extend assurance for minor changes during the validity window.
Typical validity period
There is no single global rule. Validity periods are set by the issuing national scheme and can also be constrained by the underlying Protection Profile. Common patterns include:
- Five years is the most common nominal validity period across CCRA member schemes.
- Two years is used by some schemes for specific Protection Profile families that are revised on a faster cadence.
- Time-limited validity tied to a Protection Profile version: when the PP is superseded, certificates that conform to the old PP version may be moved to archive ahead of the nominal expiry.
- EUCC and other regulatory schemes inherit similar validity windows from the wider Common Criteria framework, with additional rules around scheme-specific maintenance procedures.
Lifecycle states
A typical Common Criteria certificate moves through the following states:
- Active - the certificate is in force, the product can be cited as certified, and any vendor or procurement claim against the certificate is supported.
- Maintenance - a Maintenance Report has been issued for a minor change to the product or its environment. The base certificate remains active; the maintenance report extends the assurance scope to the changed version.
- Archived - the certificate has reached its nominal expiry date or has been superseded by a newer evaluation. The certificate remains in the public record but cannot be cited as active.
- Withdrawn or suspended - the certificate has been removed from the active list at the request of the vendor or by action of the issuing scheme. Reasons can include discovery of a vulnerability that materially affects the assurance, end-of-life of the product, or vendor-side changes that move the product out of scope.
The exact terminology varies by scheme. Some schemes use “expired” rather than “archived”; others distinguish between archive and withdrawal more strictly than the list above implies. The Common Criteria Portal and each national scheme’s registry are the authoritative sources for the current state of any individual certificate.
Maintenance and assurance continuity
Common Criteria includes formal procedures for keeping a certificate current as the underlying product evolves. The relevant document family is assurance continuity, codified in the Common Evaluation Methodology (CEM, ISO/IEC 18045).
- Minor changes to a certified product can be handled through a Maintenance Report, sometimes called an Assurance Continuity Maintenance Report (ACMR). The vendor describes the change, the lab reviews the impact, and the scheme issues an updated report. The base certificate remains valid.
- Major changes require a re-evaluation that produces a new certificate with its own validity period.
The line between minor and major is a judgement call made by the lab and the scheme. Schemes publish their own assurance-continuity guidance with examples; vendors should consult the scheme early when planning a release that touches certified components.
What expiry means in practice
For procurement and compliance purposes the practical question is whether the cited certificate is still in an actionable state.
- An active certificate, with current maintenance reports if applicable, is normal evidence.
- An archived or expired certificate is generally not acceptable as active evidence. Some procurement frameworks accept archived certificates for a defined transition window, but this is the exception rather than the rule.
- A withdrawn or suspended certificate should be treated as evidence of a problem and investigated before the product is accepted.
When a certificate is approaching expiry, vendors are expected to either initiate a re-evaluation, issue a maintenance report covering the most recent product version, or notify their customer base that the product is moving to end-of-life under that certification.
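The rules above can be applied mechanically when reviewing a cited certificate. The following Python check is an added example, not code from this page or from NenkinTracker; the record layout, the status strings and the 180-day warning window are assumptions, and the sample certificate is constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed model of the lifecycle states described above. Field names,
# status strings and the 180-day warning window are assumptions, not any
# scheme's or NenkinTracker's actual data format.

@dataclass
class MaintenanceReport:
    version: str      # product version the report extends assurance to
    issued: date

@dataclass
class Certificate:
    cert_id: str
    product_version: str          # version named on the base certificate
    status: str                   # active | archived | expired | withdrawn | suspended
    issued: date
    expires: date
    maintenance: list = field(default_factory=list)

def assess(cert: Certificate, deployed_version: str, today: date,
           warn_days: int = 180) -> tuple:
    """Classify a cited certificate as accept / warn / reject / investigate."""
    status = cert.status.lower()
    if status in ("withdrawn", "suspended"):
        return "investigate", f"{cert.cert_id} is {status}: treat as a problem, not evidence"
    # A registry entry may still say "active" after the expiry date has passed;
    # trust the date, not the label.
    if status in ("archived", "expired") or today > cert.expires:
        return "reject", f"{cert.cert_id} is no longer active evidence"
    # Maintenance reports only extend scope while the base certificate is valid.
    covered = {cert.product_version} | {
        m.version for m in cert.maintenance if cert.issued <= m.issued <= cert.expires
    }
    if deployed_version not in covered:
        return "reject", f"version {deployed_version} is not covered (covered: {sorted(covered)})"
    remaining = (cert.expires - today).days
    if remaining <= warn_days:
        return "warn", f"expires in {remaining} days: confirm re-evaluation or maintenance plan"
    return "accept", f"active until {cert.expires} and covers {deployed_version}"

# Constructed sample record: a five-year certificate with one maintenance report
SAMPLE = Certificate(
    cert_id="EXAMPLE-2021-001", product_version="3.0", status="active",
    issued=date(2021, 3, 1), expires=date(2026, 3, 1),
    maintenance=[MaintenanceReport("3.1", date(2023, 6, 15))],
)
```

Calling `assess(SAMPLE, "3.1", date(2025, 12, 1))` returns a warning because fewer than 180 days remain, while `assess(SAMPLE, "3.2", ...)` is rejected because no maintenance report covers version 3.2.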
How NenkinTracker exposes validity state
NenkinTracker records the issue date, expiry date, and current status of every certificate it indexes. Users can filter the catalog by status, follow products to receive notifications when a certificate moves between states, and view aggregate validity statistics across schemes on the expired certificates statistics page.
See also
- What is Common Criteria? - the wider evaluation framework that defines these states.
- Evaluation Assurance Levels (EAL) - what the EAL on the certificate measures.
- Certification Schemes Overview - the scheme bodies that set the validity rules.
- Common Criteria Certification Process Explained - where validity decisions enter the broader process.