Foreword
The Canadian Common Criteria Program Instructions is an UNCLASSIFIED publication intended for testing labs operating in the Canadian program. This document supersedes all previous instructions for the Canadian Common Criteria Program, from either the Canadian Centre for Cyber Security or the Communications Security Establishment.
Effective date
This publication takes effect on May 8, 2025.
-
Revision history
- 2.0 - February 12, 2023
Several minor edits for added clarity and document consistency - 2.1 - November 29, 2023
Edits made as a result of an internal audit review - 2.2 - May 8, 2024
Editorial changes based on feedback from the testing labs - 2.2 - May 8, 2025
Updates from internal audit review
- 2.0 - February 12, 2023
Overview
This document contains all instructions related to evaluations within the Canadian Common Criteria Program.
1 Introduction
The Common Criteria for Information Technology Security Evaluation (also referred to as the Common Criteria, or CC) is an international standard for specifying security requirements for Information Technology (IT) products. The Canadian Centre for Cyber Security (hereafter the Cyber Centre) operates the national Certification Body (CB) for Common Criteria evaluations performed in Canada.
This document includes detailed topics for Common Criteria Testing Laboratories (hereafter testing labs) related to the evaluations performed within the Canadian program. For general information about the Canadian Common Criteria Program, please visit the Cyber Centre's Common Criteria website.
2 Evaluation Eligibility
The Cyber Centre accepts evaluations into the Common Criteria program in the following order of priority:
- Evaluations to Common Criteria Protection Profiles, including:
- International collaborative Protection Profiles developed by the international technical community; and
- Selected Protection Profiles and -Modules developed by one of the member countries to the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (CCRA).
- For technology types where there are no suitable Protection Profiles, other evaluations that fall within the scope of the PiE; at the time of writing this includes evaluations up to Evaluation Assurance Level (EAL) 2.
The Cyber Centre will also consider accepting evaluations beyond the scope of the CCRA on a case-by-case basis. This includes EAL 3 or EAL 4 evaluations.
3 Core and Essential Functionality
For Evaluation Assurance Level (EAL)-conformant evaluations, where the specification of Security Functional Requirements (SFRs) has not been pre-determined by a Protection Profile, it is important to ensure that the evaluation covers a meaningful set of security functionality. This includes both Core Functionality and Essential Functionality, as described below.
3.1 Core Functionality
Core functionality is defined as the primary purpose of a product based upon how it is marketed. This may require the creation of extended SFRs in cases where the core functionality of the product cannot be represented by existing SFRs. Any included functionality or claimed interfaces should be related to cybersecurity.
3.2 Essential Functionality
Essential functionality can be defined as functionality that has been deemed important to the cybersecurity of the product (based on the nature of the product) by the Cyber Centre.
3.3 Specification of Requirements
Evaluations are required to include the Core Functionality of the product and any Essential Functionality. The onus is on the testing lab to provide a rationale for any perceived deficiencies in the coverage of claimed functionality.
4 Timelines for Evaluations
The Cyber Centre recognizes that consumers require security assurance for current versions of IT products, so evaluations need to occur in a timely manner. Modern product lifecycles can be short and the amount of time that a product remains “in evaluation” needs to reflect this.
The Cyber Centre believes that advanced preparation for evaluations - such as a functional gap analysis prior to evaluation – are a necessary part of modern evaluations. As such, the Cyber Centre introduces evaluation gates and timelines that testing labs must meet for evaluations.
4.1 Evaluation Flow
The Cyber Centre recognizes the following gates within evaluations:
- Security Target;
- Design/Entropy;
- Testing; and
- Final Evaluation.
These gates determine the flow of an evaluation as each gate builds upon the previous one. For example, Design/Entropy needs to be passed prior to performing/submitting Testing.
4.1.1 Security Target
The Security Target gate requires that the testing lab complete all evaluation activities associated with the Security Target Evaluation assurance class.
Once this gate is passed, the Cyber Centre lists the product on the program’s Products in Evaluation list. The date that this happens is the Product in Evaluation (PiE) Date for the product.
4.1.2 Design/Entropy
The Design/Entropy gate requires that the testing lab complete all evaluation activities associated with the Development assurance class and where required to meet the claimed Protection Profile (PP), an entropy analysis.
4.1.3 Testing
The Testing gate requires that the testing lab complete all required functional and penetration testing.
4.1.4 Final Evaluation
The Testing gate requires that the testing lab complete all required functional and penetration testing.
4.2 Evaluation Duration
Given the need for evaluations to complete in a timely manner due to the rapidly changing cyber landscape, the Cyber Center expects an evaluation to complete within 6 months of the PiE date.
4.2.1 Requesting Extensions
The Cyber Center will consider requests from testing labs for an extension to the evaluation duration. The testing lab shall detail why they are unable to meet the deadline, propose a reasonable extension period, and describe the measures they will take to meet the new date.
In certain circumstances, the Cyber Centre may remove the IT product from the Products in Evaluation list when granting an extension. However, the testing lab may continue with the evaluation, and the evaluation will remain eligible for certification.
The Cyber Centre may terminate an evaluation due to the length of evaluation delays or changes to the evaluation parameters that the Cyber Centre deems unacceptable.
5 Evaluation of Cryptographic Functionality
The Cyber Centre leverages the results of the Cryptographic Module Validation Program (CMVP) and the Cryptographic Algorithm Validation Program (CAVP) to ensure that evaluators adequately evaluate cryptographic modules and algorithms within the scope of an evaluation.
Note: The Cyber Centre jointly manages the CMVP and CAVP in partnership with the United States National Institute of Standards and Technology (NIST).
5.1 Cryptographic Functionality
- For PP-conformant evaluations, a CAVP certificate is required for the cryptography claimed.
- For EAL-conformant evaluations where the core functionality of the product relies on cryptography, a CAVP certificate(s) is required that covers the cryptography and the relevant cryptographic functionality shall be instantiated within the Security Target.
- For EAL-conformant evaluations where the environment provides cryptography in support of product functionality, a CAVP certificate is required.
- For EAL-conformant evaluations where the product provides cryptography used for supporting functionality, a CAVP certificate can be used for the cryptography claimed. Under certain conditions, testing using a Known-Good implementation may be acceptable in lieu of CAVP.
In all cases, only Cyber Centre approved cryptography is to be used. ITSP.40.111 – Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information identifies and describes approved cryptographic algorithms and appropriate methods of use.
5.2 Verification of Cryptographic Implementations
The Cyber Centre requires that evaluators verify the presence of all cryptographic implementations claimed by the vendor. It is not sufficient for testing labs to merely point to a CAVP certificate. This verification can take various forms depending on the type of implementation and the level of access the evaluator has to the underlying functions of the product.
5.3 Entropy Assessment
The Cyber Centre requires an entropy assessment whenever there is a conformance claim to a protection profile that includes random number generation (RNG) requirements performed by the product. These protection profiles clearly state the cases where the Security Target must claim the RNG functions.
6 Remote Testing
Testing labs are expected to perform testing of products at their facility. In exceptional circumstances, this might not be feasible. What follows are the conditions and requirements of when testing labs may conduct remote testing of products.
6.1 Conditions
Under exceptional circumstances, testing labs may request to test remotely under the following situations:
- If the costs involved in testing/shipping/setup the product are prohibitive;
- If the product setup/environment is overly complex and requires significant support from the developer;
- If the testing requires specialized tools/equipment that the vendor possesses but cannot provide to the testing lab; or
- Other conditions subject to Cyber Centre approval.
6.2 Requirements
In order to gain approval from the Cyber Centre for remote testing, the testing lab must provide the following details:
- A detailed justification:
- If claiming cost, provide a high-level breakdown of the costs involved.
- If claiming complexity, provide a rationale as to why the product setup/environment is overly complex.
- If claiming specialized tools, provide details about the tools and why the testing lab cannot procure them.
- An explanation as to how the evaluator will meet the requirements for AGD_PRE.
- How testing will be performed by the evaluator.
- How control of the test environment will be maintained by the evaluator.
- How witnessing will be accommodated.
Remote testing requests should be submitted as early as possible, preferably during the eligibility stage. The Cyber Centre has final approval of any remote testing requests.
7 Assessing and Addressing Vulnerabilities
IT products receiving a Common Criteria certificate shall not contain known unmitigated security-relevant vulnerabilities.
7.1 Assessment
All potential vulnerabilities discovered during the public domain search or automated tool-based discovery process shall be assessed by the testing lab using criteria provided by the Cyber Centre. The assessment process shall be sufficiently detailed to determine whether the product and its components are free of security-relevant vulnerabilities.
7.2 Addressing
Any actual vulnerabilities identified in the evaluated product shall be addressed. If a vendor patch addressing the vulnerability exists, it needs to be applied. If a vendor patch does not exist, vulnerabilities may be handled by:
- Removing the affected functionality (Preferred); or
- Disabling the affected functionality.
The Cyber Centre has final approval on any approaches taken to address vulnerabilities.
8 Supporting Content
8.1 List of Abbreviations
- Term
- Definition
- CAVP
- Cryptographic Algorithm Validation Program
- CC
- Common Criteria
- CCRA
- Common Criteria Recognition Arrangement
- CMVP
- Cryptographic Module Validation Program
- CSE
- Communications Security Establishment
- EAL
- Evaluation Assurance Level
- GC
- Government of Canada
- IT
- Information Technology
- NIST
- National Institute of Standards and Technology
- PiE
- Product in Evaluation
- PP
- Protection Profile
- RNG
- Random Number Generation
- SFR
- Security Functional Requirement
- ST
- Security Target