The Common Criteria (CC), standardized as ISO/IEC 15408, is an international program in which accredited laboratories test IT products against cyber security specifications written for technology classes. Under the Common Criteria Recognition Arrangement (CCRA), all member countries agree to recognize each other's Common Criteria certificates, which allows developers to access the global marketplace regardless of where their product is certified.

Developers contract a testing laboratory to evaluate their product against a security specification designed by a technical community. A national certification body performs technical oversight of the evaluation and publishes its result, which is recognized internationally under the CCRA.

The Cyber Centre operates the Canadian Common Criteria program to certify products.

The Cyber Centre recommends purchasing and deploying CC certified products because of:

  1. Security claims that are independently verified by accredited cyber security laboratories
  2. Methodology and specifications that are developed collaboratively
  3. A wide variety of certified products to choose from
  4. A reduced risk of compromise when certified products are deployed in their evaluated configuration

  • For developers

    To get a product certified under Common Criteria, developers should contact one of the testing laboratories operating under the Canadian Common Criteria Program to have their product evaluated.

  • For system architects

    The Cyber Centre recommends using Common Criteria certified products when selecting an IT product for a service or network design. Using certified products such as firewalls, intrusion detection/prevention systems (IDS/IPS), and operating systems mitigates risk within a network architecture. Details about what was evaluated are contained in the product's Security Target and Certification Report. A certificate covers only the product version and configuration described in those documents, so a deployment should be configured as the Security Target specifies to benefit from the evaluation.

    The Cyber Centre recommends System Architects match their needs to existing Protection Profiles.

    A Protection Profile represents the baseline set of security requirements for a technology class. A product evaluation against a Protection Profile covers the required security functionality and addresses the known security threats identified for that class.

    The Cyber Centre recognizes the Protection Profiles list and collaborative Protection Profiles list on the Common Criteria Portal. For Protection Profiles listed elsewhere, please contact the Cyber Centre.

  • For purchasers

    Products certified under the Common Criteria provide an elevated level of assurance in the cyber security of the product. The Cyber Centre recognizes Common Criteria certified products as products that offer valuable security functionality to an IT environment. Details about what was evaluated are contained in the product's Security Target and Certification Report.

    Prior to purchasing any IT product that claims to be Common Criteria certified, the Cyber Centre recommends that organizations obtain a copy of the vendor's Common Criteria certificate and validate it against the international list of certified products. When validating, confirm that the certified product version and the evaluated configuration match what is being purchased, since a certificate applies only to the version and configuration listed on it.

    If a particular product does not appear on the international list, please also check the Cyber Centre list of certified products, which includes all products certified by the Cyber Centre as well as products currently in evaluation.

  • Evaluation facilities

    Common Criteria evaluation facilities are IT security testing laboratories that are accredited to ISO/IEC 17025 and meet CCCS-specific requirements to conduct IT security evaluations for conformance to the Common Criteria for Information Technology Security Evaluation.

    The following are the organizations currently accredited to perform Common Criteria evaluations for the Canadian Common Criteria program:

  • Common Criteria glossary

    Security Target
    A document, prepared by the developer, that describes the specific product under evaluation and the defined set of security requirements it claims to meet.
    Certification Report
    A document produced by a certification body that details the results of a Common Criteria evaluation.
    Protection Profile
    A document that identifies the security requirements for a specific class of IT products (for example, network firewalls).