The Common Criteria (CC) is an international program in which accredited laboratories test IT products against cyber security specifications for technology classes. Under the Common Criteria Recognition Arrangement (CCRA), all member countries agree to recognize each other's Common Criteria certificates, which allows developers to access the global marketplace regardless of where their product is certified.
Developers contract a testing laboratory to evaluate their product against a security specification designed by a technical community. A national certification body performs technical oversight and publishes the result of the evaluation, which is internationally recognized.
The Cyber Centre operates the Canadian Common Criteria program to certify products.
The Cyber Centre recommends purchasing and deploying CC certified products for the following reasons:
- Security claims are independently verified by accredited cyber security labs
- Methodology and specifications are collaboratively developed
- A wide variety of certified products is available
- Using certified products reduces risk of compromise
To get a product certified under Common Criteria, developers should contact one of the testing labs operating under the Canadian Common Criteria Program to have their product evaluated.
For system architects
The Cyber Centre recommends using Common Criteria certified products when selecting an IT product for a service or network design. Using certified products such as firewalls, intrusion detection/protection systems (IDS/IPS), and operating systems mitigates risk within a network architecture. Details about what was evaluated are contained in the product's Security Target and the Certification Report.
The Cyber Centre recommends that system architects match their needs to existing Protection Profiles.
A Protection Profile represents the baseline set of security requirements for a technology class. A product evaluation against a Protection Profile covers the required security functionality, as well as addressing the known security threats.
The Cyber Centre recognizes the Protection Profiles list and collaborative Protection Profiles list on the Common Criteria Portal. For Protection Profiles listed elsewhere, please contact the Cyber Centre.
Products certified under the Common Criteria provide an elevated level of assurance in the cyber security of the product. The Cyber Centre recognizes Common Criteria certified products as products that offer valuable security functionality to an IT environment. Details about what was evaluated are contained in the product's Security Target and the Certification Report.
Prior to purchasing any IT product that claims to be Common Criteria certified, the Cyber Centre recommends that organizations obtain a copy of the vendor's Common Criteria certificate and validate that certificate against the international list of certified products.
If a particular product does not appear to be on the international list, please also see the Cyber Centre list of certified products, which includes all products certified by the Cyber Centre and products currently in evaluation.
Common Criteria evaluation facilities are IT security testing laboratories that are accredited to ISO 17025 and meet CCCS-specific requirements to conduct IT security evaluations for conformance to the Common Criteria for Information Technology Security Evaluation.
The following are the organizations currently accredited to perform Common Criteria evaluations for the Canadian Common Criteria program:
Common Criteria glossary
- Security Target: A document that identifies how a specific product meets a set of defined security requirements.
- Certification Report: A document produced by a certification body that details the results of a Common Criteria evaluation.
- Protection Profile: A document that identifies security requirements for a specific class of cyber products (for example, network firewalls).
September 8, 2023 | Withdrawal of Common Criteria certificate for IHSE Isolator Devices
The Canadian Common Criteria program announces the withdrawal of the certificate awarded for IHSE K487-1PHCA-N, K487-1PHSA-N, K487-1PHCRA-N, K487-1PHSRA-N, K497-1PHCA-N, K497-1PHSA-N, K497-1PHCRA-N, K497-1PHSRA-N Firmware Version 44404-E7E7 Isolator Devices, dated November 3, 2022. The Common Criteria certificate included a conformance claim to the Protection Profile for Peripheral Sharing Device Version 4.0, and the decision to withdraw the certificate was based on a technical decision regarding applicability of the Use Cases defined in the Protection Profile.
February 13, 2023 | New release of Canadian Common Criteria program instructions
Canadian Common Criteria program instructions v2.0 has been released. This document supersedes any previous versions.
February 7, 2023 | Endorsement statement for the collaborative Protection Profile for Hardcopy Devices
The Canadian Common Criteria Program formally endorses the collaborative Protection Profile for Hardcopy Devices (HCDcPP) version 1.0. See the HCDcPP Endorsement Statement.
December 20, 2022 | New release of guidance for evaluators
After extensive internal collaboration and consultations with testing labs and industry partners, Guidance for Evaluators v5.0 has been released to the testing labs. This version includes an updated vulnerability analysis process, clarifications on cryptographic equivalency, revised sampling and regression testing requirements, updates to align with the online evaluator training course, and guidance on linking multiple evaluations together. This document supersedes any previous versions.
November 21, 2022 | New version of the Common Criteria is published
CC:2022 Release 1 has now been published and is available for download from the Common Criteria Portal publications page. Further details will be forthcoming regarding the transition policy from CC v3.1 Release 5.
April 27, 2022 | Position statement supporting the CC in the Cloud Working Group
The Canadian Common Criteria Program, together with the US National Information Assurance Partnership (NIAP) and the Australian Certification Authority, has issued a CC in the cloud Joint position statement (PDF) in support of the CC in the Cloud Working Group, based on the CC in the Cloud Essential Security Requirements (PDF).
October 21, 2021 | Endorsement statement for the collaborative Protection Profile for Network Devices
The Canadian Common Criteria Program formally endorses the collaborative Protection Profile for Network Devices (NDcPP) version 2.2e. See the NDcPP Endorsement Statement.
August 19, 2021 | FIPS 186-2 and ANSI X9.31/X9.62
A number of archived cryptographic modules, notably OpenSSL FIPS Object Module CMVP 1747, have cryptographic functionality that has long since been deprecated and is problematic when present in evaluated products.
Effective immediately, cryptographic algorithms claiming conformance to the following cannot be included in a Common Criteria evaluation:
- FIPS 186-2 RSA Key Generation
- FIPS 186-2 RSA Signature Generation with modulus size lower than 4096
- ANSI X9.31 or ANSI X9.62 RNG
Security functions (e.g., secure communication, trusted update) cannot be met using these algorithms or functions. Refer to Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information - ITSP.40.111 for details on approved cryptography.