Common Criteria

The Common Criteria (CC) is an international program in which accredited laboratories test IT products against cyber security specifications for technology classes. Under the Common Criteria Recognition Arrangement (CCRA), all member countries agree to recognize each other's Common Criteria certificates, which allows developers to access the global marketplace regardless of where their product is certified.

A technical assessment against these criteria is one piece of an overall security review of a product. It should not be used as the only element by which to determine risk. Other factors to be considered include, but are not limited to, vendor reputation, reliability, and country of origin.

Developers contract a testing laboratory to evaluate their product against a security specification designed by a technical community. The evaluation takes place under a national certification body, which performs technical oversight and publishes the result of the evaluation effort, which is internationally recognized.

The Cyber Centre operates the Canadian Common Criteria program to certify products against specific cyber security indicators. A certification is not an endorsement of the IT product by the Communications Security Establishment Canada (CSE) or by any other organization that recognizes or gives effect to this certificate. A certification does not express or imply any warranty of the IT product by CSE or by any other organization that recognizes or gives effect to it.

The Cyber Centre recommends purchasing and deploying CC certified products because:

  1. Security claims are independently verified by accredited cyber security labs
  2. Methodology and specifications are collaboratively developed
  3. A wide variety of certified products are available
  4. Using certified products reduces risk of compromise

Products list:

  • For developers

    To get a product certified under Common Criteria, developers should contact one of the testing labs operating under the Canadian Common Criteria Program to have their product evaluated.

  • For system architects

    The Cyber Centre recommends checking the list of Common Criteria certified products as a first step in selecting an IT product for a service or network design. Using certified products such as firewalls, intrusion detection/protection systems (IDS/IPS), and operating systems mitigates risk within a network architecture. Details about what was evaluated are contained in the product's Security Target and the Certification Report.

    Common Criteria certified products are only one aspect of an overall risk assessment. Other factors to be considered include, but are not limited to, vendor reputation, reliability, and country of origin.

    The Cyber Centre recommends that system architects match their needs to existing Protection Profiles.

    A Protection Profile represents the baseline set of security requirements for a technology class. A product evaluation against a Protection Profile covers the required security functionality, as well as addressing the known security threats.

    The Cyber Centre recognizes the Protection Profiles list and collaborative Protection Profiles list on the Common Criteria Portal. For Protection Profiles listed elsewhere, please contact the Cyber Centre.

  • For purchasers

    Products certified by the Common Criteria provide an elevated level of assurance in the cyber security aspects evaluated under the program. The Cyber Centre recognizes Common Criteria certified products as products that offer valuable security functionality to an IT environment. Details about what was evaluated are contained in the product's Security Target and the Certification Report.

    Prior to purchasing any IT product that claims to be Common Criteria certified, the Cyber Centre recommends that organizations obtain a copy of the vendor's Common Criteria certificate and validate the certificate against the international list of certified products.

    Purchasers should not limit their risk assessment to the Common Criteria and should follow the Cyber Centre’s advice and guidance for evaluating supply chain risk.

    If a particular product does not appear to be on the international list, please also see the Cyber Centre list of certified products, which includes all products certified by the Cyber Centre and products currently in evaluation.

  • Evaluation facilities

    Common Criteria evaluation facilities are IT security testing laboratories that are accredited to ISO 17025 and meet CCCS-specific requirements to conduct IT security evaluations for conformance to the Common Criteria for Information Technology Security Evaluation.

    The following are the organizations currently accredited to perform Common Criteria evaluations for the Canadian Common Criteria program:

    EWA-Canada
    1223 Michael Street North, Suite 200
    Ottawa, Ontario
    Canada K1J 7T2

    Simon Rix
    labdirector@ewa-canada.com
    613-230-6067

    Lightship Security
    1101-150 Isabella Street
    Ottawa, Ontario
    Canada K1S 1V7

    Jason Lawlor
    Jason.lawlor@lightshipsec.com
    613-512-1070 ext. 700

  • Common Criteria glossary

    Security Target: A document that identifies how a specific product meets a set of defined security requirements.

    Certification Report: A document produced by a certification body that details the results of a Common Criteria evaluation.

    Protection Profile: A document that identifies security requirements for a specific class of cyber products (for example, network firewalls).

  • News/bulletins

    • July 5, 2024 | New release of Canadian Common Criteria program instructions

      Canadian Common Criteria program instructions v2.2 has been released. This document supersedes any previous versions.


    • May 15, 2024 | Transition statement for CC:2022 and CEM:2022

      Effective July 1, 2024 any new Security Target submission packages that do not claim conformance to an exact-conformance Protection Profile will be required to conform to CC:2022 and CEM:2022. Submissions with a conformance claim to an exact-conformance Protection Profile may continue to conform to CC v3.1R5 and CEM v3.1R5 until the Protection Profile has been updated to the revised standard.


    • April 24, 2024 | Endorsement statement for the collaborative Protection Profile for Hardcopy Devices

      The Canadian Common Criteria Program formally endorses the collaborative Protection Profile for Hardcopy Devices (HCDcPP) version 1.0e. The HCDcPP Endorsement Statement.


    • April 21, 2024 | New release of guidance for evaluators

      After extensive internal collaboration and consultations with testing labs, Guidance for Evaluators v5.2 has been released to the testing labs. This version includes content requirements for eligibility submissions, clarifications to cryptographic evaluation requirements and the scope of vulnerability assessment and vulnerability mitigation methods.


    • January 23, 2024 | Endorsement statement for the collaborative Protection Profile for Network Devices

      The Canadian Common Criteria Program formally endorses the collaborative Protection Profile for Network Devices (NDcPP) version 3.0e. The NDcPP Endorsement Statement.


    • 2023
      • September 8, 2023 | Withdrawal of Common Criteria certificate for IHSE Isolator Devices

        The Canadian Common Criteria program announces the withdrawal of the certificate awarded for IHSE K487-1PHCA-N, K487-1PHSA-N, K487-1PHCRA-N, K487-1PHSRA-N, K497-1PHCA-N, K497-1PHSA-N, K497-1PHCRA-N, K497-1PHSRA-N Firmware Version 44404-E7E7 Isolator Devices, dated November 3, 2022. The Common Criteria certificate included a conformance claim to the Protection Profile for Peripheral Sharing Device Version 4.0, and the decision to withdraw the certificate was based on a technical decision regarding applicability of the Use Cases defined in the Protection Profile.


      • February 13, 2023 | New release of Canadian Common Criteria program instructions

        Canadian Common Criteria program instructions v2.0 has been released. This document supersedes any previous versions.


      • February 7, 2023 | Endorsement statement for the collaborative Protection Profile for Hardcopy Devices

        The Canadian Common Criteria Program formally endorses the collaborative Protection Profile for Hardcopy Devices (HCDcPP) version 1.0. The HCDcPP Endorsement Statement.

    • 2022
      • December 20, 2022 | New release of guidance for evaluators

        After extensive internal collaboration and consultations with testing labs and industry partners, Guidance for Evaluators v5.0 has been released to the testing labs. This version includes an updated vulnerability analysis process, clarifications on cryptographic equivalency, revised sampling and regression testing requirements, updates to align with the online evaluator training course, and guidance on linking multiple evaluations together. This document supersedes any previous versions.


      • November 21, 2022 | New version of the Common Criteria is published

        CC:2022 Release 1 has now been published and is available for download from the Common Criteria Portal publications page. Further details will be forthcoming regarding the transition policy from CC v3.1 Release 5.


      • April 27, 2022 | Position statement supporting the CC in the Cloud Working Group

        The Canadian Common Criteria Program, together with the US National Information Assurance Partnership (NIAP) and the Australian Certification Authority, has issued a CC in the cloud Joint position statement (PDF) in support of the CC in the Cloud Working Group, based on the CC in the Cloud Essential Security Requirements (PDF).

    • 2021
      • October 21, 2021 | Endorsement statement for the collaborative Protection Profile for Network Devices

        The Canadian Common Criteria Program formally endorses the collaborative Protection Profile for Network Devices (NDcPP) version 2.2e. The NDcPP Endorsement Statement.


      • August 19, 2021 | FIPS 186-2 and ANSI X9.31/X9.62

        A number of archived cryptographic modules, notably OpenSSL FIPS Object Module CMVP 1747, have cryptographic functionality that has long since been deprecated and is problematic when present in evaluated products.

        Effective immediately, cryptographic algorithms claiming conformance to the following cannot be included in a Common Criteria evaluation:

        • FIPS 186-2 RSA Key Generation
        • FIPS 186-2 RSA Signature Generation with modulus size lower than 4096
        • ANSI X9.31 or ANSI X9.62 RNG

        Any security functions used (e.g., secure communication, trusted update, etc.) cannot be met using these algorithms/functions. Refer to Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information - ITSP.40.111 for details on approved cryptography.

Learn more about Common Criteria

Interested in learning more about Common Criteria? Please visit the International Common Criteria Website.

Would you like to learn more from the Cyber Centre about Common Criteria? Please contact us.
