Canadian Common Criteria program requirements and procedures for testing laboratories

Overview

The purpose of this document is to describe the requirements and process by which a commercial organization (hereafter referred to as the company) may become an approved Common Criteria testing lab operating within the Canadian Common Criteria (CC) Program.

The primary audience for this document is companies looking for information on becoming a testing lab within the Canadian CC Program. Evaluation sponsors (typically vendors), developers, and consumers may also find information in this document helpful to understand the requirements on testing labs operating within the Canadian CC Program.

1 Introduction

In the Canadian CC Program, commercial organizations operate Common Criteria testing labs to perform security evaluations of information technology (IT) products.

This document describes the requirements and procedures for testing labs operating within the Canadian CC Program. This includes the process that a commercial organization (hereafter referred to as the company) may follow to become an approved testing lab.

1.1 About the Canadian Common Criteria program

The Canadian Centre for Cyber Security (hereafter the Cyber Centre) operates the Canadian CC program and acts as its Certification Body. The Cyber Centre is the Canadian signatory to the Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security (CCRA) (PDF).

For more information about the operation of the Canadian CC program, please consult the Canadian Common Criteria program quality manual.

Note: A testing lab within the Canadian CC Program may also be called by the CCRA name (licensed laboratories) or the formal name of the Standards Council of Canada accreditation (an Information Technology Security Evaluation and Testing (ITSET) facility).

2 Requirements for testing labs

This section discusses requirements that the company must meet to be an approved testing lab.

2.1 ITSET facility accreditation

These requirements ensure that testing labs operate in conformance with ISO/IEC 17025 “General requirements for the competence of testing and calibration laboratories”.

1. 2.1.1. The company shall have a valid Information Technology Security Evaluation and Testing (ITSET) facility accreditation from the Standards Council of Canada.

The Standards Council of Canada and the Cyber Centre will conduct a detailed review of a company’s ability to meet all the requirements of ISO/IEC 17025 as part of this accreditation.

2.2 Conflict of interest requirements

These requirements ensure that the company will perform all evaluation work without undue influence from within or outside the company.

1. 2.2.1. The company shall have procedures in place to ensure that company management does not exert undue influence on the outcome of CC evaluation activities.
2. 2.2.2. If the company is controlled by a parent company, the company shall demonstrate that there is enough separation of control and influence so that the parent company cannot:
   • exert undue influence on the outcome of CC evaluation activities
   • inappropriately access proprietary evaluation information
3. 2.2.3. The company shall have appropriate procedures in place to ensure that there is no conflict of interest between personnel performing advice activities to assist an evaluation sponsor in preparing for a CC evaluation of their IT product and those performing CC evaluation activities for that product.
4. 2.2.4. The company shall inform the Cyber Centre within ten working days after any changes to the ownership or management of the company.

2.3 Security requirements

These requirements ensure that the company can safeguard sensitive information, in particular vendor-proprietary information that is shared with the company for the purposes of preparing for, and performing, a CC product evaluation.

1. 2.3.1. The company shall have a designated organization screening as defined in the Public Services and Procurement Canada (PSPC) Contract Security Manual. All company personnel granted access to sensitive information shall, as a minimum, receive a reliability status screening from PSPC.
2. 2.3.2. The company shall take appropriate measures to ensure that sensitive information may not be accessed by unauthorized individuals. This requirement may be satisfied either by a document safeguarding capability assessment performed by PSPC, or a separate determination by the Cyber Centre that the company’s measures are sufficient for safeguarding sensitive information during its CC evaluation activities.

2.4 Physical facility requirements

These requirements ensure that the company operates within the jurisdiction of the Canadian CC Program.

1. 2.4.1. The company shall keep a permanent physical facility in Canada with enough office space and equipment available for a staff member to perform evaluation activities and for a member of the Cyber Centre to perform evaluation technical oversight.
2. 2.4.2. The company shall have, or be able to provide with reasonable notice, an IT infrastructure that can support all evaluator functions.

2.5 Personnel requirements

These requirements ensure that the company has the qualified personnel to perform a CC evaluation.

1. 2.5.1. The company shall employ at least two staff members who are based in Canada and have evaluator certificates in good standing that have been issued by the Cyber Centre.
2. 2.5.2. The company shall inform the Cyber Centre within ten working days following the departure of any qualified CC evaluators from the testing lab.

2.6 Technical proficiency

These requirements ensure that the company has the technical competence to perform a CC evaluation.

1. 2.6.1. The company shall perform a successful trial evaluation for a Cyber Centre approved IT product. Evaluation activities should be done in compliance with the requirements of:
   • the Canadian Common Criteria program instructions
   • the Common Criteria for Information Technology Security Evaluation
   • the Common Methodology for Information Security Evaluation
   • one or more Protection Profiles or collaborative Protection Profiles.
2. 2.6.2. The company shall inform the Cyber Centre within ten working days following the departure of any qualified CC evaluators from the testing lab.

3 Procedures for testing labs

3.1 Becoming a testing lab

This section describes the steps that a company will follow to become an accredited testing lab.

1. Ensure that the company can meet the requirements for testing labs (section 2).
2. Contact the Cyber Centre via contact@cyber.gc.ca to communicate interest in becoming a testing lab providing the following information:
   1. Full legal name of the company
   2. Location of the testing lab
   3. Coordinates for a primary point of contact
   • The Cyber Centre will confirm whether it is currently accepting new applications for testing labs.
3. Demonstrate all requirements for testing labs (section 2), including:
   1. contact the Standards Council of Canada to obtain an ISO/IEC 17025 accreditation with an ITSET scope
   2. communicating with the Cyber Centre regarding the remainder of the requirements.
4. Enter into a formal agreement with the Cyber Centre to become an accredited testing lab.

3.2 Maintaining a testing lab

Companies must continue to meet all requirements to keep their status as approved testing labs. Testing labs that do not meet all requirements or to comply with shortcomings identified by the Cyber Centre may result in a company losing the approval to operate a testing lab.

The Cyber Centre may revoke a company’s approval to operate a testing lab under the following circumstances:

• The company does not meet the requirements for testing labs and does not correct any deficiencies identified by the Cyber Centre within a reasonable timeframe as specified by the Cyber Centre.
• The company brings disrepute to the Canadian CC program, namely through poor performance of evaluations or through non-compliance with the rules of the Canadian CC program, including, but not limited to, misuse of logos associated with the Canadian CC program or the CCRA.

3.3 Qualifying Common Criteria evaluators

The Cyber Centre is responsible for qualifying evaluators within the Canadian CC program. There are two basic requirements for testing lab staff members to become evaluators:

1. Developing the requisite evaluator skills through completion of a tailored learning and development plan
2. Successfully passing the evaluator exam administered by the Cyber Centre

For further information on qualifying evaluators, the company should contact the Cyber Centre via contact@cyber.gc.ca.

3.4 Performing trial evaluations

The purpose of a trial evaluation is to demonstrate that the company can meet requirement 2.6.1. In addition, the trial evaluation also completes the proficiency testing part of the ITSET accreditation (requirement 2.1.1).

For the trial evaluation, the company evaluates an IT product deemed suitable by the Cyber Centre. The IT product must meet the eligibility requirements of the Canadian Common Criteria program instructions and the Cyber Centre will verify that the IT product has a sufficient scope of security functionality to allow the company to demonstrate its evaluation capability. The company manages all commercial arrangements with the evaluation sponsor for this trial evaluation.

During the trial evaluation, the Cyber Centre will examine some evaluation activities in greater depth than for normal CC evaluations. The Cyber Centre will evaluate the company’s ability to:

• successfully perform all evaluation activities
• produce evaluation evidence (including observation reports) during the evaluation
• respond to observation reports raised by the Cyber Centre
• produce an evaluation technical report documenting the findings
• work as a coordinated team to successfully perform the evaluation

If the Cyber Centre assesses that the company has successfully completed the evaluation, then the Cyber Centre will post the trial evaluation to the Certified Products List on the international Common Criteria Portal. The Cyber Centre will balance the assessment of the company’s performance on the trial evaluation against the realization that the trial evaluation will likely be a learning experience for the company.

Should the trial evaluation not be completed due to issues with either the IT product’s ability to meet CC requirements or the evaluation sponsor, the Cyber Centre may require that the company perform another trial evaluation. This will depend on the extent that the Cyber Centre successfully observed and interacted with the company across a range of evaluation activities.

Unsatisfactory performance will result in the company not receiving Cyber Centre approval to become a testing lab.

4 Supporting content