Certification Lifecycle

The certifying organization submits a formal intake request to an Authorized Validation Body (AVB). The AVB reviews the system description, determines the applicable system profile (F/S/A/C), and establishes whether the certification will be a Deployment Certification or Platform Certification.

The AVB conducts a mandatory 7-factor risk assessment to determine the appropriate Assurance Class (A, B, or C). The seven factors are: autonomy level, decision impact, data sensitivity, operational environment, human oversight capacity, reversibility, and scale. The determined class sets the ongoing monitoring intensity for the certified system.

The organization prepares evidence across four categories: Lifecycle Process (LP), Technical Implementation (TI), Operational Performance (OP), and Third-Party (TP). For systems built on certified platforms, ACR inheritance claims are documented and validated against the platform certification.

The AVB evaluates each applicable ACR using its designated evaluation method: Automated Testing (AT), Human Simulation (HS), Evidence Inspection (EI), Continuous Monitoring (CM), Third-Party Attestation (TP), or Operational Proof (OP). Domain scores are calculated based on risk-weighted ACR results.

For L2 Operational and L3 Comprehensive certifications, structured adversarial evaluation validates system resilience. L2 requires structured red team exercises. L3 requires independent red team assessment by ARAF-approved evaluators with minimum 80 hours of testing.

Final certification scores are calculated across all applicable domains. The risk-weighted composite score is compared against level thresholds to determine pass/fail. Blocking ACR failures result in automatic denial. Conditional certification is available for minor non-conformances on conditional ACRs.

The certification designation is issued (e.g., "L2-B Deployment"). A living badge is generated with operational state tracking. The system is registered in the ARA public registry. For Assurance Class B and C, CAPO engagement is initiated.

Post-certification monitoring intensity is determined by the Assurance Class. Class A: periodic self-assessment with annual review. Class B: monthly CAPO check-ins with telemetry integration. Class C: 24/7 CAPO oversight with real-time alerting and immediate escalation pathways.

Certification validity varies by level: L1 Foundation (24 months), L2 Operational (18 months), L3 Comprehensive (12 months). Revalidation is triggered by material changes, assurance class lapse, or version updates. The Express Pathway is available for L1 renewals meeting eligibility criteria.

Certified organizations participate in the broader ARA ecosystem including insurance partnerships through Recognized Insurer Partners (RIPs), consortium membership, regulatory equivalence claims via framework crosswalk mappings, and marketplace listings.