Quality manual v4.2

Foreword

This document is an unclassified publication. It supersedes Canadian Common Criteria Program: Quality Manual version 4.1, June 2022.

Effective date

This publication takes effect immediately.

Revision history

1. 1.0 Initial public release: August 2004
2. 2.0 Major update reflecting a revised structure for Common Criteria program Guides, Instructions and Functional Procedures: September 2010
3. 3.0 Modification of the processes for evaluation eligibility and evaluation acceptance: August 2016
4. 3.1 Merging of the sections describing the approaches for document management and records management. Updated the section on Periodic Review of Operations: October 2016
5. 4.0 Significant overhaul to better align the document with CCRA requirements and Cyber Centre publication practices: March 2020
6. 4.1 Several content edits: June 2022
7. 4.2 Updates to reflect current content of “authorized use letter” for product certificates and the CCRA Certification Mark, updated responsibilities associated with key roles within the CB: April 2023

Overview

This document is the quality manual for the Canadian Common Criteria program operated by the Canadian Centre for Cyber Security. This document describes the organization and policies of the program to meet the international obligations of the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security.

Table of contents

• 1 Introduction
• 2 Certification body
• 3 Certification body personnel
• 4 Certification body activities
• 5 Complaints, disputes and appeals
• 6 Use of certificates, certification marks and logos
• 7 Supporting content

List of figures

Figure 1 - Certification body organization chart

1 Introduction

This document outlines the operation of the Canadian Common Criteria program, an information technology (IT) testing program based on the international standard Common Criteria for Information Technology Security Evaluation, also referred to as the Common Criteria or CC, where licensed testing laboratories can evaluate the cyber security of IT products. Consumers of IT products can increase their confidence in the security provided by these IT products via Common Criteria product evaluations.

The Canadian Centre for Cyber Security (hereafter the Cyber Centre), a branch of the Communications Security Establishment (CSE), operates the Canadian Common Criteria program and performs the role of certification body, overseeing evaluations performed by commercial IT security evaluation facilities (hereafter testing labs) to ensure quality.

The Communications Security Establishment (CSE), on behalf of the Government of Canada, is a signatory to the international Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (CCRA), which provides a framework for international mutual recognition of Common Criteria evaluation results among participating countries.

Other CCRA signatory countries recognize Canadian Common Criteria product certificates. This process of mutual recognition allows a vendor to evaluate their IT product with a testing lab in the country of their choice, rather than contracting multiple redundant evaluations in several countries.

1.1 Audience

The primary audience for this document is the staff of the certification body, as they have direct responsibility for ensuring quality within the Canadian program. Secondary audiences include testing labs and evaluation sponsors (product vendors), as they have a direct interest in the success of certifications and may benefit from an understanding of the certification body’s procedures to ensure quality. Other audiences of this document may include consumers of IT security products, as well as other international CCRA signatories.

1.2 Policy drivers

This document meets the requirements for Certification Bodies from the CCRA.

1.3 Outline of this document

This document continues as follows:

• section 2 describes the certification body
• section 3 describes the organization of the certification body and its personnel
• section 4 describes the activities of the certification body
• section 5 describes how the certification body resolves disputes with participants
• section 6 describes how the certification body protects the Common Criteria mark

2 Certification body

2.1 Overview

The Cyber Centre staffs the certification body. All certification body staff are employees of the Government of Canada and are subject to Government of Canada policies, rules, and regulations, including those that deal with the protection of sensitive information and conflict of interest situations. Per its role as the certification body, the Cyber Centre performs several functions, including:

• approving testing labs to operate under the Canadian Common Criteria program
• qualifying evaluators within the testing labs
• performing technical oversight of evaluations
• issuing and withdrawing Common Criteria certificates
• producing certification reports
• producing assurance maintenance reports
• maintaining a Certified products list for evaluations that have completed under the Canadian Common Criteria program
• representing Canada as a signatory to the CCRA.

2.2 Legal status and authorities

The Cyber Centre is a branch of the Communications Security Establishment (CSE), a department of the Government of Canada authorized under the CSE Act as the national technical authority for cyber security and information assurance. The Canadian government provides the funding to operate the Common Criteria program as part of the Cyber Centre’s responsibility to provide services to help protect the electronic information and information infrastructures of Canadian federal institutions as well as those designated as being of importance by CSE’s minister.

2.3 Contacting the certification body

The Cyber Centre operates the Canadian Common Criteria program, and the principal point of contact for external inquiries is the Common Criteria program Supervisor (hereafter "the Supervisor"). Readers may contact the program as follows:

Mail:
Common Criteria
c/o Canadian Centre for Cyber Security
P.O. Box 9703,
Terminal
Ottawa, Ontario K1G 3Z4
Canada
email contact@cyber.gc.ca

2.4 Quality maintenance policy

The Cyber Centre is committed to ensuring that its staff conduct all the certification body activities to the standards required by the CCRA. The Cyber Centre expects all staff to perform their duties with integrity, impartiality, and objectivity by following the policies and procedures documented in the quality management system.

2.5 Certification fees

The Cyber Centre ensures its services are available without undue financial conditions by not charging for its Common Criteria certification services.

2.6 Non-discrimination policy

The Cyber Centre provides non-discriminatory operation and administration of the certification body’s services and functions and will not impose undue conditions on any applicant.

2.7 Impartiality, values and ethics

All certification body staff shall perform their assigned duties in an impartial, objective, and fair manner. As CSE employees, all certification body staff are subject to the CSE Ethics charter, which includes conflict of interest guidelines that address CCRA requirement C.2.

2.8 Management review of operations

The Cyber Centre conducts periodic management reviews of all certification body operations. These reviews assess the effectiveness and relevance of certification body policies and procedures, whether the certification body continues to meet the needs of the Government of Canada, and whether the certification body continues to share the objectives of the CCRA.

3 Certification body personnel

3.1 Organization

The Canadian Common Criteria program consists of the following roles:

3.2 Roles and responsibilities

To ensure that staff perform their duties in an efficient and effective manner, this document defines the responsibilities and minimum education, experience, and relevant knowledge for all certification body staff.

3.2.1 All certification body staff

All certification body staff members must follow the directions provided in certification body documentation. Staff shall ensure that the supervisor is aware of any deficiencies or errors in any of the quality management system documentation.

3.2.2 Director Risk Migitation programs

Director Risk Mitigation Programs is the head of the certification body and the executive responsible for Canada’s participation in the international CCRA program. The organization diagram in section 3.1 shows the reporting structure of Director Risk Mitigation Programs to the senior executives of the Canadian Centre for Cyber Security. The director is responsible for:

• approving the strategic direction of the program
• approving program operations and activities

3.2.3 Manager Product Assurance and Standards

Manager Product Assurance and Standards (hereafter "the Manager") is the certificate-issuing authority for the program and is responsible for effective and efficient operations. In particular:

• communicating strategic direction to the Supervisor
• overseeing the program management activities of the Supervisor
• ensuring the evolution of the quality management system
• reviewing the output from periodic management reviews
• handling complaints, disputes, and appeals within the certification body

This role requires extensive IT and IT security knowledge gained through a combination of formal education and relevant experience.

3.2.4 Common Criteria Program Supervisor

The Supervisor is responsible for:

• fulfilling the role of operations manager and quality manager for the program
• acting as the primary liaison for both technical and non-technical issues
• providing both technical and administrative direction to staff
  • ensuring that certification body staff understand their roles and responsibilities
  • defining the requirements for technical oversight of evaluations
  • ensuring that the documented certification methods are correct and current
• managing the day-to-day certification operations of the program
  • accepting new evaluations into the program
  • assigning certifiers to evaluations and assurance continuity activities
  • approving certification reports and maintenance reports
• monitoring the performance and operation of the quality management system
  • reporting issues upward in the management chain
  • conducting periodic management reviews
  • implementing changes resulting from internal or external review
  • tracking and monitoring all reports of non-conformities
  • ensuring that corrective action and preventative measures occur as appropriate
• overseeing the testing lab
  • validating Apprentice Proposal Packages to quality testing lab staff to act as apprentice evaluators
  • confirming eligibility of testing lab staff to take the Evaluator Exam
  • grading the Evaluator Exam, and making recommendations to the Manager to issue an evaluator certificate to successful exam candidates
  • assigning qualified technical assessors to assist the Standards Council of Canada (SCC) in the accreditation or re-assessment of testing labs to ISO/IEC 17025
• reviewing, on a periodic basis, the effectiveness of existing policies, guidelines, and procedures, and developing new or revised approaches as required
• acting as first point of contact for complaints, disputes, and appeals, and tracking these until completion
• representing the program on international CCRA committees, such as the Development Board, Executive Subcommittee and Management Committee

This role requires:

• a university degree or college diploma in either computer science, computer/electrical engineering, or mathematics, or equivalent knowledge gained through relevant work experience
• comprehensive knowledge of theories and principles of IT security, computer security evaluation, and certification methods
• extensive experience with the Common Criteria and Common Methodology for Information Technology Security Evaluation (CEM), gained by direct involvement with its development and/or application
• experience dealing with vendors, consultants, and international organizations/partners

3.2.5 Certifier

The certifier is primarily responsible for:

• declaring any conflicts of interest related to their evaluations to the supervisor
• performing technical oversight of evaluations conducted by testing labs
  • ensuring the technical quality of the results and conformance to the Common Criteria, CEM, or Protection Profiles
  • assessing the quality of evaluation activities
  • observing evaluation activities performed by the testing lab
  • assessing documentation providing by the testing lab
  • providing technical direction to testing labs to resolve problems
• performing technical oversight of assurance maintenance requests
• producing certification reports and maintenance reports
• assisting senior certifiers with the tasks necessary to approve new testing labs
• providing technical oversight and assistance during the SCC re-assessment of testing labs

This role requires:

• a university degree or college diploma in either computer science, computer/electrical engineering, or mathematics, or equivalent knowledge gained through relevant work experience
• knowledge of the theories and principles of IT security, computer security evaluation, and certification methods

3.2.6 Senior certifier

The senior certifier is responsible for:

• all activities of a Certifier
• ensuring that the technical methods of the Canadian CC program are correct and consistent
• producing interpretations of the Common Criteria, CEM, and Protection Profiles
• advising the supervisor on all technical aspects of the program including the effectiveness of policies, guidelines, and procedures
• providing advice and guidance to certifiers about the management of certifications, and the application and interpretation of the Common Criteria, CEM, and Protection Profile
• developing and administering Evaluator Exams to candidate evaluators
• participating on international CCRA committees and meetings of the CC's User Forum

This role requires:

• a university degree or college diploma in either computer science, computer/electrical engineering, or mathematics, or equivalent knowledge gained through relevant work experience
• comprehensive knowledge of the theories and principles of IT security, computer security evaluation, and certification methods
• significant experience in the Common Criteria and CEM, gained by direct involvement with its development and/or application

3.3 Training requirements

The Cyber Centre follows Government of Canada recruitment and staffing procedures when filling vacant positions within the certification body to ensure the hiring of the most suitable staff members for the certification body. The Cyber Centre considers any certification body staff members who do not meet the minimum qualifications as detailed in the earlier sections as being trainees. The Supervisor closely supervises and monitors the performance of all trainees.

The Cyber Centre maintains information on the relevant qualifications, training, and experience of all certification body staff within its corporate enterprise resource planning and information management systems as per the Government of Canada’s processes for human resources management.

The Cyber Centre recognizes that certifiers can gain skills and knowledge through a combination of structured training courses, programs of self-study, and supervised on-the-job-training. Certification body staff shall have a personalized training plan to ensure their continued development and will go through annual performance evaluations.

3.4 Contractors

The certification body does not currently employ any contractors in the performance of tasks. If the Cyber Centre were to use contractors in the future, such contractors would abide by all Canadian program policies and procedures and would receive supervision to ensure adherence to these policies and procedures as well as the quality of their work.

4 Certification body activities

The following sections briefly describe the activities performed by the Cyber Centre and identify the measures in place to ensure quality.

4.1 Approving new testing labs

The Cyber Centre must formally approve a testing lab before it may conduct evaluations under the Canadian Common Criteria Program. Please refer to Canadian Common Criteria program: requirements and procedures for testing laboratories for more information on the approval of testing labs.

The Cyber Centre and each testing lab jointly sign a formal agreement covering all relevant procedures including arrangements for ensuring confidentiality of protected information and the evaluation and certification processes.

4.2 Accepting evaluations

The Cyber Centre considers products in accordance with Canadian Common Criteria program instructions. Note that upon acceptance of an evaluation the evaluation sponsor may request a non-disclosure agreement with the Cyber Centre.

4.3 Assigning certifiers

In assigning a certifier to an evaluation, the supervisor considers several factors, including:

• depth of knowledge in the Common Criteria, CEM, and applicable Protection Profiles
• technology-specific knowledge
• opportunities for certifier training
• conflict of interest considerations

In particular, certifiers must not have a vested interest in the success or failure of the certification, in order to comply with Government of Canada ethics guidelines. Accordingly, certifiers must declare any and all factors that might constitute a conflict of interest.

4.4 Tracking certification activities

The certifier shall maintain an accurate certifier log that clearly identifies progress against evaluation and certification activities, and references decisions made during the course of the certification. The log should contain a level of detail that allows for traceability after the fact for the purposes of quality improvement and consistency across certifications. The supervisor may review the certifier log to verify traceability and ensure consistency with other certifications.

4.5 Technical oversight of evaluations

The technical oversight of evaluations is a fundamental aspect of quality in the Canadian CC program. The certifier performs three types of oversight activities:

1. examining evaluation evidence produced by the evaluator, including the Evaluation Technical Report
2. independently performing a subset of the evaluation work
3. directly observing selected evaluation activities (test witnessing)

4.6 Assurance continuity

The Cyber Centre follows the defined Common Criteria approach to assurance continuity (Assurance Continuity: CCRA Requirements) with its evaluations, a process where the certification body assesses changes made to previously certified products to determine if the product can undergo a subset of testing rather than a full re-evaluation. The Cyber Centre assesses the nature of the changes to the IT product by reviewing the Impact Analysis Report from the developer and determines whether the changes are sufficiently minor that assurance maintenance is an appropriate option.

4.7 Issuing CC certificates, certification reports and maintenance reports

The Cyber Centre produces a certificate and associated certification report for each successful product evaluation and posts them to the international Common Criteria portal. In the case of assurance continuity, the Cyber Centre produces a maintenance report and posts it as an addendum to the corresponding certified product entry on the Common Criteria portal.

4.8 Resolving technical issues

The Cyber Centre commits to promptly resolving technical issues that may arise during an evaluation. The Cyber Centre will circulate a sanitized version of the issue and its resolution to all testing labs if the issue is of importance to all testing labs. This guidance will then apply to all subsequent evaluations.

4.9 Sharing information with stakeholders

The Cyber Centre communicates with stakeholders as issues require it. In particular, the Cyber Centre convenes face-to-face meetings with the testing labs to discuss issues of interest to the whole program, and upcoming changes that affect the operation of the program.

4.10 Records management

A record in the context of the Common Criteria program is a document that provides objective evidence of the activities or results of the program. Examples of records include:

• certification body administrative and quality records
• testing lab certification records
• product certification records
• protection Profile certification records
• assurance Continuity records

The Cyber Centre maintains Common Criteria records electronically in the CSE corporate information management system but does not maintain any Common Criteria records in paper form. If a record is received in paper form, then it is scanned, the electronic copy is stored in the information management system, and the paper copy is destroyed. In the event that a paper copy of a record is printed, this is only for temporary purposes and the paper copy is subsequently destroyed.

The Cyber Centre uses corporate IT and records management systems that follow Government of Canada policies for information handling, security, and human resources. These policies ensure that the Cyber Centre keeps records for the five-year minimum required by the CCRA.

4.11 Confidentiality and integrity of Common Criteria information

The Cyber Centre treats sensitive information obtained in the course of Common Criteria activities in accordance with Government of Canada’s standards for the handling of PROTECTED information.

The Cyber Centre stores all Common Criteria records and documentation in its corporate information management system. This system provides audit records on all access and modification of these records, as well as a version history that allows for the recovery of earlier versions of documents as required.

The Cyber Centre further limits access to sensitive program documents to staff members of the certification body.

4.12 Program documentation

The Cyber Centre maintains the official versions of program documentation within its corporate information management systems. The Cyber Centre maintains copies of the current versions of the certification body’s public documentation on the Cyber Centre website, including:

• Canadian Common Criteria program instructions that provides information about the Cyber Centre’s policies on a variety of topics
• Canadian Common Criteria program: requirements and procedures for testing laboratories that provides guidance on how to become a testing laboratory under the Canadian CC program, as well as details on the responsibilities of a testing lab to remain in good standing
• Canadian Common Criteria program quality manual (this document)

The Cyber Centre also uses internal guidance documents and document templates to provide certification body staff with detailed descriptions for a wide range of duties and responsibilities.

The Cyber Centre uses the officially endorsed versions of the Common Criteria for Information Technology Security Evaluation and the Common Methodology for Information Technology Security Evaluation (CEM). The Cyber Centre ensures that all program stakeholders have access to these documents.

4.12.1 Approvals for documentation updates

All updates to Common Criteria program documentation requires Cyber Centre management approval prior to release;the approval authority for each document produced by the certification body is identified in the internal CB Management Guide. Records of these document approvals shall be stored in an appropriate location within the Cyber Centre’s corporate information management system.

Cyber Centre management may choose at its discretion to require higher levels of authority for approvals and may also sub-delegate their authorities so long as this delegation occurs in writing and that the Cyber Centre stores a copy of the delegation within the Cyber Centre corporate information management system.

4.12.2 Change management

The Cyber Centre reviews the entire quality management system on an annual basis. The Cyber Centre provides, where applicable, draft versions of updated documentation to testing labs for private review and feedback prior to finalization. The Cyber Centre informs direct program stakeholders of all program changes via email and posts updates in the News/bulletins section of the Canadian CC program website for all interested parties.

To avoid confusion between document versions, the Cyber Centre removes all superseded documentation from its website so that only the versions currently in effect, or those about to come into effect, are publicly available.

5 Complaints, disputes and appeals

Cyber Centre staff have an obligation to make every reasonable effort to resolve disagreements with outside parties in such a manner that the parties do not require a formal complaint or appeal. However, when parties cannot resolve a disagreement informally then the Cyber Centre will inform the outside party of their right to submit a formal complaint or dispute in writing. Complainants must submit a complaint or dispute in writing with sufficient detail to permit a proper assessment. If the originator is not satisfied with the resolution of their complaint or dispute, then they may initiate an appeal.

The Cyber Centre commits to dealing with all internal and external complaints and disputes promptly and effectively - and will provide an estimate to the originator for how long it will take to provide a resolution. Attempts to resolve complaints and disputes should start with the Supervisor; however, appellants may submit the complaint to any of the officials listed in section 3.1.

Complainants should send complaints and disputes via email to the Cyber Centre’s Contact Centre at contact@cyber.gc.ca. The Cyber Centre will provide complainants with contact information if there is a need for a subsequent appeal.

The Cyber Centre uses the following definitions for written statements:

• complaint: A dissatisfaction with a service provided by the Cyber Centre or one of the testing labs
• dispute: A disagreement with a decision made by the Cyber Centre
• appeal: A dissatisfaction with the resolution of a complaint or dispute

5.1 Roles and responsibilities

The Manager is responsible for:

• responding to appeals arising from previously submitted complaints or disputes
• ensuring that Cyber Centre senior management is aware of any appeals that may escalate to them.

The Supervisor is responsible for:

• entering the complaint, dispute, or appeal as a record in the Quality Management System
• resolving the complaint or arbitrating the dispute on behalf of the Cyber Centre
• providing details of the resolution to all affected parties.
• ensuring that the Manager is aware of any complaints or disputes received by the Cyber Centre.

Senior certifiers and certifiers are responsible for:

• informing the supervisor informed of any disagreements with the testing labs that have the potential to result in a formal complaint or dispute.

5.2 Source of complaints, disputes and appeals

Complaints, disputes, and appeals from testing labs must come from Lab directors. Likewise, those coming from evaluation sponsors must come from a senior manager. The Cyber Centre will handle complaints, disputes, and appeals from other parties on a case-by-case basis.

5.3 Complaint or dispute process

Upon receipt of the complaint or dispute, the supervisor reviews the relevant records for the complaint or disputed decision and discusses the issue with the certifiers involved as well as the senior certifier(s). In the case of a complaint, the supervisor investigates the circumstances that led to the complaint and may discuss. For disputes, the supervisor reviews the basis for the contested decision. In both circumstances, the supervisor takes a decision, documents the details of the resolution (including associated rationale), enters it as a record in the quality management system, notifies the complainant in writing of the resolution (informing them of their right to appeal as appropriate), and specifies a timeframe within which they may appeal the decision.

Upon resolution of the complaint or dispute, the supervisor will review the resolution for any impact on certification body policies or procedures and update them as appropriate.

5.4 Appeal process

Parties may submit written appeals of decisions made with respect to disputes or complaints as described above to the supervisor or to any of the officials listed in section 3.1, copying the supervisor. Parties must submit appeals within 5 working days of the Cyber Centre’s notification of the decision.

Upon receiving the appeal, the supervisor acknowledges receipt, enters it as a record in the quality management system, and forwards it to the Manager for action.

The Manager reviews the appeal, the contested decision, and the rationale for the contested decision with the supervisor. The Manager then decides whether to accept the appeal and revise the contested decision or decline the appeal. The Manager then informs the originator of the outcome. If the Manager declined the appeal, then the Manager will inform the complainant of their right to appeal to Cyber Centre senior management, providing appropriate contact information for that course of action. The manager will inform Cyber Centre senior management of the results of the appeal and of the possibility for an escalation.

In cases where the Manager overturns a contested decision, the Supervisor will assess the impact on other decisions, on all Canadian CC Program policies and procedures, and on any business activities at the international CCRA level. The supervisor will inform any other involved parties in the appeal (e.g., testing labs, evaluation sponsors) of the appeal decision and its impact and will update any related documentation.

6 Use of certificates, certification marks and logos

The Cyber Centre provides Common Criteria certificates, related trademarks, and logos to officially indicate that a testing lab evaluated a particular version of an IT product to the requirements of the Canadian Common Criteria Program.

6.1 Misuse of certificates

The Cyber Centre will promptly investigate any reported misuse of a Common Criteria certificate, trademark or logo originating from the Canadian program and will seek prompt corrective action from a certificate holder as it considers necessary. If a certification holder does not comply promptly, the Cyber Centre may withdraw the certificate or pursue further corrective action.

When a testing lab successfully completes an evaluation, in addition to the product certificate the supervisor also issues a letter to the evaluation sponsor that specifies the following conditions:

• certificate holders may associate the Common Criteria certificate and the Common Criteria certification mark only with the exact version of the evaluated product. Certificate holders may not associate either the Common Criteria certificate or the Common Criteria certification mark with any unevaluated product versions
• certificate holders shall not use either the Common Criteria certificate or the Common Criteria certification mark in a manner that might discredit the Cyber Centre, the Canadian Common Criteria program, or the Common Criteria Recognition Arrangement
• the Common Criteria certificate and Common Criteria certification mark remain the property of the Communications Security Establishment and the Cyber Centre may revoke permission to use them at its sole discretion. The Communications Security Establishment will take appropriate action against misuse of the Common Criteria certificate and/or the Common Criteria certification mark
• permission to use the Common Criteria certificate and the Common Criteria certification mark does not constitute or imply, directly or indirectly, product endorsement by the Communications Security Establishment

The Cyber Centre will investigate any situations where a certified product may no longer meet the certification criteria or a vendor violates certification conditions. The Cyber Centre may withdraw a certificate as it deems necessary under such circumstances and will notify the certificate holder in writing before updating the Canadian CC program website and the Common Criteria portal.

7 Supporting content

7.1 List of abbreviations

CCRA

Common Criteria Recognition Arrangement

CEM

Common Evaluation Methodology

CSE

Communications Security Establishment

IT

Information Technology

SCC

Standards Council of Canada

TLP

Traffic Light Protocol