This document, Canadian Common Criteria Program: Quality Manual, is an UNCLASSIFIED publication. It supersedes Canadian Common Criteria Program: Quality Manual version 4.0, March 2020.
This publication takes effect on June 15, 2022.
Revision history
Amendments:
- Initial public release
- Major update reflecting a revised structure for Common Criteria program Guides, Instructions and Functional Procedures
- Modification of the processes for evaluation eligibility and evaluation acceptance.
- Merging of the sections describing the approaches for document management and records management. Updated the section on Periodic Review of Operations.
- Significant overhaul to better align the document with CCRA requirements and Cyber Centre publication practices.
- Several content edits
This document is the quality manual for the Canadian Common Criteria program run by the Canadian Centre for Cyber Security. This document describes the organization and policies of the program to meet the international obligations of the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security.
This document outlines the operation of the Canadian Common Criteria program, an information technology (IT) testing program based on the international standard Common Criteria for Information Technology Security Evaluation, also referred to as the Common Criteria or CC, where licensed testing laboratories can evaluate the cyber security of IT products. Consumers of IT products can increase their confidence in the security provided by these IT products via Common Criteria product evaluations.
The Canadian Centre for Cyber Security (hereafter the Cyber Centre), a branch of the Communications Security Establishment (CSE), runs the Canadian Common Criteria program and performs the role of certification body, overseeing evaluations performed by commercial IT security evaluation facilities (hereafter testing labs) to ensure quality.
The Communications Security Establishment (CSE), on behalf of the Government of Canada, is a signatory to the international Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (CCRA), which provides a framework for international mutual recognition of Common Criteria evaluation results among participating countries.
Other CCRA signatory countries recognize Canadian Common Criteria product certificates. This process of mutual recognition allows a vendor to evaluate their IT product with a testing lab in the country of their choice, rather than contracting multiple redundant evaluations in several countries.
The primary audience for this document is the staff of the certification body, as they have direct responsibility for ensuring quality within the Canadian program. Secondary audiences include testing labs and evaluation sponsors (vendors), as they have a direct interest in the success of certifications and may benefit from an understanding of the certification body’s procedures to ensure quality. Other audiences of this document may include consumers of IT security products, as well as other international CCRA signatories.
1.2 Policy drivers
This document meets the requirements for Certification Bodies from the CCRA.
1.3 Outline of this document
This document continues as follows:
- section 2 describes the certification body
- section 3 describes the organization of the certification body and its personnel
- section 4 describes the activities of the certification body
- section 5 describes how the certification body resolves disputes with participants
- section 6 describes how the certification body protects the Common Criteria mark
2 Certification body
The Cyber Centre staffs the certification body. All certification body staff are employees of the Government of Canada and are subject to Government of Canada policies, rules, and regulations, including those that deal with the protection of sensitive information and conflict of interest situations. Per its role as the certification body, the Cyber Centre performs several functions, including:
- approving testing labs to operate under the Canadian program
- qualifying evaluators within the testing labs
- performing technical oversight of evaluations
- issuing and withdrawing Common Criteria certificates
- producing certification reports
- producing assurance maintenance reports
- maintaining a Certified products list for evaluations that have completed under the Canadian program
- representing Canada as a signatory to the CCRA.
2.2 Legal status and authorities
The Cyber Centre is a branch of the Communications Security Establishment (CSE), a department of the Government of Canada authorized under the CSE Act as the national technical authority for cyber security and information assurance. The Canadian government provides the funding to operate the Common Criteria program as part of the Cyber Centre’s responsibility to provide services to help protect the electronic information and information infrastructures of Canadian federal institutions as well as those designated as being of importance by CSE’s minister.
2.3 Contacting the certification body
The Cyber Centre operates the Canadian Common Criteria program, and the principal point of contact for external inquiries is the supervisor of the Common Criteria program. Readers may contact the program as follows:
c/o Canadian Centre for Cyber Security
P.O. Box 9703,
Ottawa, Ontario K1G 3Z4
email [email protected]
2.4 Quality maintenance policy
The Cyber Centre is committed to ensuring that its staff conduct all the certification body activities to the standards required by the CCRA. The Cyber Centre expects all staff to perform their duties with integrity, impartiality, and objectivity by following the policies and procedures documented in the quality management system.
The Cyber Centre conducts regular corporate reviews to assess the effectiveness of the quality management system and identify areas for improvement for the certification body’s operations and procedures.
2.5 Certification fees
The Cyber Centre ensures its services are available without undue financial conditions by not charging for its Common Criteria certification services.
2.6 Non-discrimination policy
The Cyber Centre provides non-discriminatory operation and administration of the certification body’s services and functions and will not impose undue financial or other conditions on any applicant.
2.7 Impartiality, values and ethics
All certification body staff shall perform their assigned duties in an impartial, objective, and fair manner. As CSE employees, all certification body staff are subject to the CSE Ethics charter, which includes conflict of interest guidelines that address CCRA requirement C.2.
2.8 Periodic review of operations
The Cyber Centre conducts periodic reviews of all certification body operations. These reviews assess the effectiveness and relevance of certification body policies and procedures, whether the certification body continues to meet the needs of the Government of Canada, and whether the certification body continues to share the objectives of the CCRA.
3 Certification body personnel
The Canadian Common Criteria program consists of the following roles:
Long description – Certification body organization
This image describes the Canadian Common Criteria program roles:
- The Deputy Chief of the Canadian Centre for Cyber Security is the most senior executive responsible for the Canadian Common Criteria Program.
- The Associate Deputy Chief of the Cyber Centre reports to the Deputy Chief
- The Director General for Partnerships and Risk Mitigation reports to the Associate Deputy Chief
- The Director for Risk Mitigation Programs reports to the Director General
- The Manager for Product Assurance and Standards reports to the Director
- The Common Criteria Supervisor reports to the Manager for Product Assurance and Standards, and oversees several Common Criteria Certifiers as well as a Senior Common Criteria Certifier
3.2 Roles and responsibilities
To ensure that staff perform their duties in an efficient and effective manner, this document defines the responsibilities and minimum education, experience, and relevant knowledge for all certification body staff.
3.2.1 All certification body staff
All certification body staff members must follow the directions provided in certification body documentation. Staff shall ensure that the supervisor of the Common Criteria is aware of any deficiencies or errors in any of the quality management system documentation.
3.2.2 Director risk mitigation programs
The director of Risk Mitigation Programs is the head of the certification body and the executive responsible for Canada’s participation in the international CCRA program. The organization diagram in section 3.1 shows the reporting structure of the director of Risk Mitigation Programs to the senior executives of the Canadian Centre for Cyber Security. The director is responsible for:
- approving the strategic direction of the program
- approving program operations and activities
3.2.3 Manager product assurance and standards
The manager of Product Assurance and Standards is the certificate-issuing authority for the program and is responsible for effective and efficient operations, in particular:
- communicating strategic direction to the program’s supervisor
- overseeing the program management activities of the program supervisor
- ensuring the evolution of the quality management system
- representing Canada on occasion on the international CCRA Management Committee
- handling complaints, disputes, and appeals within the certification body
This role requires extensive IT and IT security knowledge gained through a combination of formal education and relevant experience.
3.2.4 Supervisor Common Criteria
The supervisor of the Common Criteria (hereafter the supervisor) fulfils the role of operations manager and quality manager for the program. The supervisor is responsible for:
- fulfilling the role of operational manager and quality manager for the program
- acting as the primary liaison for both technical and non-technical issues
- providing both technical and administrative direction to staff
- ensuring that certification body staff understand their roles and responsibilities
- defining the requirements for technical oversight of evaluations
- ensuring that the document for evaluation and certification methods is correct and current
- managing the day-to-day certification operations of the program
- accepting new evaluations into the program
- assigning certification teams for evaluations
- approving certification reports
- monitoring the performance and operation of the quality management system
- reporting issues upward in the management chain
- conducting periodic reviews
- implementing changes resulting from internal or external review
- tracking and monitoring all reports of non-conformities
- ensuring that corrective action and preventative measures occur as appropriate
- overseeing testing labs
- validating the knowledge and experience credentials for evaluator candidates, to assess their eligibility to write the Evaluator Exam
- grading the Evaluator Exam
- assigning qualified technical assessors to assist the Standards Council of Canada (SCC) in the accreditation of testing labs
- reviewing, on a periodic basis, the effectiveness of existing policies, guidelines, and procedures, and developing new or revised approaches as required
- acting as first point of contact for complaints, disputes, and appeals, and tracking these until completion
- representing the program on international CCRA committees, such as the Development Board, Executive Subcommittee and Management Committee
This role requires:
- a university degree or college diploma in either computer science, computer/electrical engineering, or mathematics, or equivalent knowledge gained through relevant work experience
- comprehensive knowledge of theories and principles of IT security, computer security evaluation, and certification methods
- extensive experience with the Common Criteria and Common Methodology for Information Technology Security Evaluation (CEM), gained by direct involvement with its development and/or application
- experience dealing with vendors, consultants, and international organizations/partners
3.2.5 Certifier
The certifier is primarily responsible for:
- declaring any conflicts of interest related to their evaluations to the supervisor
- performing technical oversight of evaluations conducted by testing labs
- ensuring the technical quality of the results and conformance to the Common Criteria, CEM, or Protection Profiles
- assessing the quality of evaluation activities
- observing evaluation activities performed by the testing lab
- assessing documentation provided by the testing lab
- providing technical direction to testing labs to resolve problems
- performing technical oversight of assurance maintenance requests
- producing certification reports and maintenance reports
- assisting senior certifiers with the tasks necessary to approve new testing labs
- providing technical oversight and assistance during the SCC re-assessment of testing labs
This role requires:
- university degree or college diploma in either computer science, computer/electrical engineering, or mathematics, or equivalent knowledge gained through relevant work experience
- knowledge of the theories and principles of IT security, computer security evaluation, and certification methods
3.2.6 Senior certifier
The senior certifier is responsible for:
- all activities of a Certifier
- ensuring that the technical methods of the program are correct and consistent
- producing interpretations of the Common Criteria, CEM, and Protection Profiles
- advising the supervisor on all technical aspects of the program including the effectiveness of policies, guidelines, and procedures
- providing advice and guidance to certifiers about the management of certifications, and the application and interpretation of the Common Criteria, CEM, and Protection Profile
- performing the tasks necessary for approval of new testing labs
- providing training sessions for candidate evaluators
- developing and administering Common Criteria Evaluator Exams to candidate evaluators
- participating in international CCRA committees
This role requires:
- university degree or college diploma in either computer science, computer/electrical engineering, or mathematics, or equivalent knowledge gained through relevant work experience
- comprehensive knowledge of the theories and principles of IT security, computer security evaluation, and certification methods
- significant experience in the Common Criteria and CEM, gained by direct involvement with its development and/or application
3.3 Training requirements
The Cyber Centre follows Government of Canada recruitment and staffing procedures when filling vacant positions within the certification body to ensure the hiring of the most suitable staff members for the certification body. The Cyber Centre considers any certification body staff members who do not meet the minimum qualifications as detailed in the earlier sections as in training. The supervisor closely supervises and monitors the performance of all trainees.
The Cyber Centre maintains information on the relevant qualifications, training, and experience of all certification body staff within its corporate enterprise resource planning and information management systems as per the Government of Canada’s processes for human resources management.
The Cyber Centre recognizes that certifiers can gain skills and knowledge through a combination of structured training courses, programs of self-study, and supervised on-the-job training. Certification body staff shall have a personalized training plan to ensure their continued development and will go through annual performance evaluations.
The certification body does not currently employ any contractors in the performance of tasks. If the Cyber Centre were to use contractors in the future, such contractors would abide by all Canadian program policies and procedures and would receive supervision to ensure adherence to these policies and procedures as well as the quality of their work.
4 Certification body activities
The following sections briefly describe the activities performed by the Cyber Centre and identify the measures in place to ensure quality.
4.1 Approving new testing labs
The Cyber Centre must formally approve a testing lab before it may conduct evaluations under the Canadian Common Criteria Program. Please see Canadian Common Criteria Program: Requirements and Procedures for Testing Laboratories for more information on the approval of testing labs.
The Cyber Centre and each testing lab jointly sign a formal agreement covering all relevant procedures including arrangements for ensuring confidentiality of protected information and the evaluation and certification processes.
4.2 Accepting evaluations
The Cyber Centre considers products in accordance with Canadian Common Criteria Program Instructions. Note that upon acceptance of an evaluation the evaluation sponsor may request a non-disclosure agreement with the Cyber Centre.
4.3 Assigning certifiers
In assigning a certifier to an evaluation, the supervisor considers several factors, including:
- depth of knowledge in the Common Criteria, CEM, and applicable Protection Profiles
- technology-specific knowledge
- opportunities for certifier training
- conflict of interest considerations
In particular, certifiers must not have a vested interest in the success or failure of the certification, in order to comply with Government of Canada ethics guidelines. Accordingly, certifiers must declare any and all factors that might constitute a conflict of interest.
4.4 Tracking certification activities
The certifier shall maintain an accurate certifier tracking log that clearly identifies progress against evaluation and certification activities, and references decisions made during the course of the certification. The log should contain a level of detail that allows for traceability after the fact for the purposes of quality improvement and consistency across certifications. The supervisor may review the certifier log to verify traceability and ensure consistency with other certifications.
4.5 Technical oversight of evaluations
The technical oversight of evaluations is a fundamental aspect of quality in the Canadian program. The certifier performs three types of oversight activities:
- examining evaluation evidence produced by the evaluator, including the Evaluation Technical Report
- independently performing a subset of the evaluation work
- directly observing selected evaluation activities (test witnessing)
4.6 Assurance continuity
The Cyber Centre follows the defined Common Criteria approach to assurance continuity (Assurance Continuity: CCRA Requirements) with its evaluations, a process where the certification body assesses changes made to previously certified products to determine if the product can undergo a subset of testing rather than a full re-evaluation. The Cyber Centre assesses the nature of the changes to the IT product by reviewing the Impact Analysis Report from the developer and determines whether the changes are sufficiently minor that assurance maintenance is an appropriate option.
4.7 Issuing CC certificates, certification reports and maintenance reports
The Cyber Centre produces a certificate and associated certification report for each successful product evaluation and posts them to the international Common Criteria portal. In the case of assurance continuity, the Cyber Centre produces a maintenance report and posts it as an addendum to the corresponding certified product entry on the Common Criteria portal.
4.8 Resolving technical issues
The Cyber Centre commits to promptly resolving technical issues that may arise during an evaluation. The Cyber Centre will circulate a sanitized version of the issue and its resolution to all testing labs if the issue is of importance to all testing labs. This guidance will then apply to all subsequent evaluations.
4.9 Sharing information with stakeholders
The Cyber Centre communicates with stakeholders as issues require it. In particular, the Cyber Centre convenes face-to-face meetings with the testing labs to discuss issues of interest to the whole program, and upcoming changes that affect the operation of the program.
4.10 Information sharing
The Cyber Centre uses the Traffic Light Protocol for the sharing of information with parties external to the Government of Canada. Specifically, the Cyber Centre marks:
- public program information with TLP:WHITE
- non-public program information with TLP:GREEN
- proprietary or commercial-in-confidence information with TLP:AMBER
4.11 Records management
A record in the context of the Common Criteria program is a document that provides objective evidence of the activities or results of the program and includes hard copy and electronic documents (including email). Examples of records include:
- certification body administrative and quality records
- testing lab certification records
- product certification records
- Protection Profile certification records
- assurance continuity records
The Cyber Centre maintains Common Criteria records electronically in the CSE corporate information management system.
The Cyber Centre uses corporate IT and records management systems that follow Government of Canada policies for information handling, security, and human resources. These policies ensure that the Cyber Centre keeps records for the five-year minimum required by the CCRA.
4.12 Confidentiality and integrity of Common Criteria information
The Cyber Centre treats sensitive information obtained in the course of Common Criteria activities using the Government of Canada’s standards for the handling of PROTECTED information.
The Cyber Centre stores all Common Criteria records and documentation in its corporate information management system. This system provides audit records on all access and modification of these records, as well as a version history that allows for the recovery of earlier versions of documents as required.
The Cyber Centre further limits access to sensitive program documents to staff members of the certification body.
4.13 Program documentation
The Cyber Centre maintains the official versions of program documentation within its corporate information management systems. The Cyber Centre maintains copies of the current versions of the certification body’s public documentation on the Cyber Centre website, including:
- guides (such as this document) that provide information related to the services offered by the certification body
- the Canadian Common Criteria Program Instructions that provide information about the Cyber Centre’s policies on a variety of topics.
The Cyber Centre also uses internal private functional procedures and document templates to provide certification body staff with detailed descriptions for a wide range of duties and responsibilities.
The Cyber Centre uses the officially endorsed versions of the Common Criteria for Information Technology Security Evaluation and the Common Methodology for Information Technology Security Evaluation (CEM). The Cyber Centre ensures that all program stakeholders have access to these documents.
4.13.1 Approvals for documentation updates
All updates to Common Criteria program documentation require internal Cyber Centre management approvals prior to release. These approvals shall be stored in an appropriate location within the Cyber Centre’s corporate information management system. The following lists the approval authority for documentation based on the most senior role that has authorities discussed within the documentation:
|Most senior role in documentation|Approval authority|
|---|---|
|Certifier or Senior Certifier|Supervisor of the Common Criteria|
|Supervisor of the Common Criteria|Manager of Product Assurance and Standards|
|Manager of Product Assurance and Standards|Director Risk Mitigation Programs|
|Director of Risk Mitigation Programs|Director General, Partnerships and Risk Mitigation|
Cyber Centre senior management may choose at its discretion to require higher levels of authority for approvals than listed in this table. Approval authorities may also sub-delegate their authorities so long as this delegation occurs in writing and the Cyber Centre stores a copy of the delegation within the Cyber Centre corporate information management system.
4.13.2 Change management
The Cyber Centre reviews the entire quality management system on an annual basis. The Cyber Centre provides, where applicable, draft versions of updated documentation to testing labs for private review and feedback prior to finalization. The Cyber Centre informs direct program stakeholders of all program changes via email and posts updates in the news section of the program’s website for all interested parties.
To avoid confusion between document versions, the Cyber Centre removes all superseded documentation from its website so that only the versions currently in effect, or those about to come into effect, are publicly available.
5 Complaints, disputes and appeals
Cyber Centre staff have an obligation to make every reasonable effort to resolve disagreements with outside parties in such a manner that the parties do not require a formal complaint or appeal. However, when parties cannot resolve a disagreement informally then the Cyber Centre will inform the outside party of their right to submit a formal complaint or dispute in writing. Complainants must submit a complaint or dispute in writing with sufficient detail to permit a proper assessment. If the originator is not satisfied with the resolution of their complaint or dispute, then they may initiate an appeal.
The Cyber Centre commits to dealing with all internal and external complaints and disputes promptly and effectively – and will provide an estimate to the originator for how long it will take to provide a resolution. Attempts to resolve complaints and disputes should start with the supervisor of the Common Criteria program; however, appellants may submit the complaint to any of the officials listed in section 3.1.
Complainants should send complaints and disputes via email to the Cyber Centre’s Contact Centre at [email protected]. The Cyber Centre will provide complainants with contact information if there is a need for a subsequent appeal.
The Cyber Centre uses the following definitions for written statements:
- complaint: A dissatisfaction with a service provided by the Cyber Centre or one of the testing labs.
- dispute: A disagreement with a decision made by the Cyber Centre.
- appeal: A dissatisfaction with the resolution of a complaint or dispute.
5.1 Roles and responsibilities
The manager of Product Assurance and Standards is responsible for:
- responding to appeals arising from previously submitted complaints or disputes
- ensuring that Cyber Centre senior management is aware of any appeals that may escalate to them.
The supervisor of the Common Criteria program is responsible for:
- entering the complaint, dispute, or appeal as a record in the Quality Management System
- resolving the complaint or arbitrating the dispute on behalf of the Cyber Centre
- providing details of the resolution to all affected parties.
- ensuring that the manager of Product Assurance and Standards is aware of any complaints or disputes received by the Cyber Centre.
Senior certifiers and certifiers are responsible for:
- keeping the supervisor informed of any disagreements with the testing labs that have the potential to result in a formal complaint or dispute.
Complaints, disputes, and appeals from testing labs must come from lab directors. Likewise, those coming from evaluation sponsors must come from a senior manager. The Cyber Centre will handle complaints, disputes, and appeals from other parties on a case-by-case basis.
5.3 Complaint or dispute process
Upon receipt of the complaint or dispute, the supervisor reviews the relevant records for the complaint or disputed decision and discusses the issue with the certifiers involved as well as the senior certifier(s). In the case of a complaint, the supervisor investigates the circumstances that led to the complaint and may discuss. For disputes, the supervisor reviews the basis for the contested decision. In both circumstances, the supervisor takes a decision, documents the details of the resolution (including associated rationale), enters it as a record in the quality management system, notifies the complainant in writing of the resolution (informing them of their right to appeal as appropriate), and specifies a timeframe within which they may appeal the decision.
Upon resolution of the complaint or dispute, the supervisor will review the resolution for any impact on certification body policies or procedures and update them as appropriate.
5.4 Appeal process
Parties may submit written appeals of decisions made with respect to disputes or complaints as described above to the supervisor or to any of the officials listed in section 3.1, copying the supervisor. Parties must submit appeals within 5 working days of the Cyber Centre’s notification of the decision.
Upon receiving the appeal, the supervisor acknowledges receipt, enters it as a record in the quality management system, and forwards it to the manager of Product Assurance and Standards for action.
The manager of Product Assurance and Standards reviews the appeal, the contested decision, and the rationale for the contested decision with the supervisor. The manager then decides whether to accept the appeal and revise the contested decision or decline the appeal. The manager then informs the originator of the outcome. If the manager declines the appeal, the manager will inform the complainant of their right to appeal to Cyber Centre senior management, providing appropriate contact information for that course of action. The manager will inform Cyber Centre senior management of the results of the appeal and of the possibility for an escalation.
In cases where the manager overturns a contested decision, the supervisor will assess the impact on other decisions, on all Canadian CC Program policies and procedures, and on any business activities at the international CCRA level. The supervisor will inform any other involved parties in the appeal (e.g., testing labs, evaluation sponsors) of the appeal decision and its impact, and will update any related documentation.
6 Use of certificates, certification marks and logos
The Cyber Centre provides Common Criteria certificates, related trademarks, and logos to officially indicate that a testing lab evaluated a particular version of an IT product to the requirements of the Canadian Common Criteria Program.
6.1 Misuse of certificates
The Cyber Centre will promptly investigate any reported misuse of a Common Criteria certificate, trademark or logo originating from the Canadian program and will seek prompt corrective action from a certificate holder as it considers necessary. If a certificate holder does not comply promptly, the Cyber Centre may withdraw the certificate or pursue further corrective action.
When a testing lab successfully completes an evaluation, in addition to the product certificate the supervisor also issues a letter to the evaluation sponsor that specifies the following conditions:
- certificate holders may associate the Common Criteria certificate and the Common Criteria certification mark only with the exact version of the evaluated product. Certificate holders are forbidden from associating either the Common Criteria certificate or the Common Criteria certification mark with any unevaluated product versions
- certificate holders shall not use either the Common Criteria certificate or the Common Criteria certification mark in a manner that might discredit the Cyber Centre, the Canadian Common Criteria program, or the CCRA
- certificate holders must advise the Cyber Centre of any changes made to the certified product, and all complaints received relating to the product’s compliance with the Common Criteria
- the Common Criteria certificate and Common Criteria certification mark remain the property of the Communications Security Establishment and the Cyber Centre may revoke permission to use them at its sole discretion. The Communications Security Establishment will take appropriate action against misuse of the Common Criteria certificate and/or the Common Criteria certification mark
- permission to use the Common Criteria certificate and the Common Criteria certification mark does not constitute or imply, directly or indirectly, product endorsement by the Communications Security Establishment
The Cyber Centre will investigate any situations where (1) a certified product may no longer meet the certification criteria or (2) a vendor violates certification conditions. The Cyber Centre may withdraw a certificate as it deems necessary under such circumstances and will notify the certificate holder in writing before updating the Certified products list and the Common Criteria portal.
7 Supporting content
7.1 List of abbreviations
- CCRA: Common Criteria Recognition Arrangement
- CEM: Common Evaluation Methodology
- CSE: Communications Security Establishment
- IT: Information Technology
- SCC: Standards Council of Canada
- TLP: Traffic Light Protocol