Common Criteria

To get a product certified under Common Criteria, Developers should contact one of the testing labs operating under the Canadian Common Criteria Program to have their product evaluated.

The Cyber Centre recommends using Common Criteria certified products when selecting an IT product for a service or network design. Using certified products such as firewalls, intrusion detection/protection system (IDS/IPS), and operating systems mitigates risk within a network architecture. Details about what was evaluated are contained with the product's Security Target and the Certification Report.

The Cyber Centre recommends System Architects match their needs to existing Protection Profiles.

A Protection Profile represents the baseline set of security requirements for a technology class.  A product evaluation against a Protection Profile covers the required security functionality, as well as addressing the known security threats.

The Cyber Centre recognizes the Protection Profiles list and collaborative Protection Profiles list on the Common Criteria Portal.  For Protection Profiles listed elsewhere, please contact the Cyber Centre.

Products certified by the Common Criteria provide an elevated level of assurance in the cyber security of the product. The Cyber Centre recognizes Common Criteria certified products as products that offer valuable security functionality to an IT environment. Details about what was evaluated are contained with the product's Security Target and the Certification report.

Prior to purchasing any IT product that claims to be Common Criteria certified, the Cyber Centre recommends that organizations obtain a copy of the vendor's Common Criteria certificate and validate these certificates against the International list of certified products.

If a particular product does not appear to be on the international list, please also see the Cyber Centre list of certified products, which includes all products certified by the Cyber Centre and products currently in evaluation.

• Canadian Common Criteria program requirements and procedures for testing laboratories.
• Canadian Common Criteria program instructions
• Quality Manual
• CC in the cloud Joint position statement (PDF)

Common Criteria evaluation facilities are IT security testing laboratories that are accredited to ISO 17025 and meet CCCS-specific requirements to conduct IT security evaluations for conformance to the Common Criteria for Information Technology Security Evaluation.

The following are the organizations currently accredited to perform Common Criteria evaluations for the Canadian Common Criteria program:

• Cyber Centre product list
• International certified product list
• Protection profile list
• Collaborative protection profile list

Security Target

A document that identifies how a specific product meets a set of defined security requirements.

Certification Report

A document produced by a certification body that details the results of a Common Criteria evaluation.

Protection Profile

A document that identifies security requirements for a specific class of cyber products. (For example: network firewalls).

• February 13, 2023 | New release of Canadian Common Criteria program instructions

  Canadian Common Criteria program instructions v2.0 has been released. This document supersedes any previous versions.

  ---

• February 7, 2023 | Endorsement statement for the collaborative Protection Profile for Hardcopy Devices

  The Canadian Common Criteria Program formally endorses the collaborative Protection Profile for Hardcopy Devices (HCDcPP) version 1.0. The HCDcPP Endorsement Statement.

  ---

• 2022

  • December 20, 2022 | New release of guidance for evaluators

    After extensive internal collaboration and consultations with testing labs and industry partners, Guidance for Evaluators v5.0 has been released to the testing labs. This version includes an updated vulnerability analysis process, clarifications on cryptographic equivalency, revised sampling and regression testing requirements, updates to align with the online evaluator training course, and guidance on linking multiple evaluations together. This document supersedes any previous versions.

    ---

  • November 21, 2022 |  New version of the Common Criteria is published

    CC:2022 Release 1 has now been published and is available for download from the Common Criteria Portal publications page Further details will be forthcoming regarding the transition policy from CC v3.1 Release 5.

    ---

  • April 27, 2022 | Position statement supporting the CC in the Cloud Working Group

    The Canadian Common Criteria Program, together with the US National Information Assurance Partnership (NIAP) and the Australian Certification Authority, has issued a CC in the cloud Joint position statement (PDF) in support of the CC in the Cloud Working Group, based on the CC in the Cloud Essential Security Requirements (PDF).

     

• 2021

  • October 21, 2021 | Endorsement statement for the collaborative Protection Profile for Network Devices

    The Canadian Common Criteria Program formally endorses the collaborative Protection Profile for Network Devices (NDcPP) version 2.2e. The NDcPP Endorsement Statement.

    ---

  • August 19, 2021 | FIPS 186-2 and ANSI X9.31/X9.62

    A number of archived cryptographic modules, notably OpenSSL FIPS Object Module CMVP 1747, have cryptographic functionality that has long since been deprecated and is problematic when present in evaluated products.

    Effective immediately, cryptographic algorithms claiming conformance to the following cannot be included in a Common Criteria evaluation:

    • FIPS 186-2 RSA Key Generation
    • FIPS 186-2 RSA Signature Generation with modulus size lower than 4096
    • ANSI X9.31 or ANSI X9.62 RNG

    Any security functions used (e.g., secure communication, trusted update, etc.) cannot be met using these algorithms/functions. Refer to Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information - ITSP.40.111 for details on approved cryptography.

    ---