One of the ways that the Cyber Centre works to improve cyber security within Canada is by certifying information technology (IT) products against the public cyber security specifications and standards it recognizes, like Common Criteria. These certification programs are of particular relevance to those purchasing IT products in enterprises and government. Accredited commercial testing laboratories certify these products against internationally recognized standards.
The Cyber Centre believes a certified product is a better choice than an uncertified one that is otherwise equal.
The Cyber Centre recommends using Common Criteria certification for products that implement IT security functionality. Vendors should contact one of the commercial labs operating under the Canadian Common Criteria Program to obtain certification for their products. Vendors should plan to have a lab test their products against a Protection Profile.
For system architects
The Cyber Centre recommends using Common Criteria certified products when selecting an IT product for a service or network design. For example, consider using Common Criteria certified products to mitigate risk within designs for elements such as firewalls, intrusion detection/protection system (IDS/IPS), and operating systems. Details about what was evaluated are contained with the product's Security Target and the Certification Report.
The Cyber Centre recommends matching your needs to existing Protection Profiles - for example, the Stateful Traffic Filter Firewall Protection Profile profile for firewalls or the extended package for Intrusion Prevention Systems.
As a purchaser, products certified by the Common Criteria provide an elevated level of assurance in the cyber security of the product. The Cyber Centre recognizes Common Criteria certified products as products that offer valuable security functionality to an IT environment. Details about what was evaluated are contained with the product's Security Target and the Certification Report.
Prior to purchasing any IT equipment that performs cyber security functions, the Cyber Centre recommends that organizations obtain a copy of the vendor's Common Criteria certificate or the certificate number for the product, and validate these certificates against the Common Criteria's List of Certified Products.
If you can't find a particular product, please also see the Cyber Centre list of Certified Products. If a product is still in testing, you might find it listed in the list of products currently in evaluation.
Organizations interested in becoming a testing laboratory for the Canadian Common Criteria Program should visit the guide to becoming a testing laboratory.
About the Common Criteria
The Common Criteria is an international program in which accredited laboratories test IT products against standard cyber security specifications called Protection Profiles (PPs). These PPs represent the security assurance requirements for technology classes. Under the Common Criteria Recognition Arrangement (CCRA), all countries agree to recognize Common Criteria certificates produced by any certificate-authorizing participant.
Each participating country in the Common Criteria operates a certification body that oversees evaluations conducted by accredited commercial evaluation facilities. The Cyber Centre operates the Canadian Common Criteria program to certify products tested by Canadian Common Criteria testing laboratories.
Evaluation services are conducted by commercial facilities. To have a product evaluated, vendors contact an accredited commercial evaluation facility. The accredited commercial evaluation facility to have the product evaluated against an applicable Protection Profile.
Learn More About Common Criteria
Interested in learning more about Common Criteria? Please visit the main Common Criteria Portal.
Would you like learn more from the Cyber Centre about Common Criteria? Please contact us.