CCS Overview

The CCS is a Canadian independent third party evaluation and certification service for measuring the trustworthiness of IT security products and systems.


What you need:

As an IT customer: you need reliable, tested IT products that are secure from a growing number of system and network threats - and you need them sooner, rather than later.

As an IT software manufacturer/vendor: you need a fast track for proving the security of your products, not just in Canada, but in other major markets as well.

As an IT security specialist: you need opportunities; niches where you can serve the market, helping it - and you - grow and prosper.

Fortunately, for all three sectors - IT customers, vendors/manufacturers, and IT security specialists, the Government of Canada, along with a number of countries, has initiated a program to meet your collective needs by establishing the Canadian Common Criteria Evaluation and Certification Scheme , or - to use its short name - the CCS.


The CCS: Fast-tracking security testing for the world's major markets:

Governments in Canada, the United States, United Kingdom, Netherlands, Germany, and France all came to the same conclusion: to speed the approval of much-needed IT security products - and to maximize opportunity for their vendors - the traditional "test it in each country" approach needed to be reformed. That's why, in October 1998, five of the countries signed a Mutual Recognition Arrangement (MRA) based on the Common Criteria (CC) and Common Methodology (CEM) for IT Security Evaluation. Under the MRA, the results of a product evaluation conducted in one of these countries is automatically recognized in the others.

To accommodate countries who do not wish to provide certificates for mutual recognition, but still wish to recognize CC Certified products, the MRA was replaced by the Arrangement on the Recognition of Common Criteria Certificates (CCRA). This new arrangement allows countries to participate in the CC project as certificate producers like Canada, or as certificate consumers.

For IT customers: the CCS means faster access to certified ITS products: something that matters in a world inhabited by hackers and other threat agents.

For vendors: the CCS means quicker time-to-market delivery for new ITS products, less money spent on expensive tests, and access to a wider marketplace.

For IT security specialists: the CCS offers business opportunities, namely to establish "Common Criteria Evaluation Facilities" (CCEF) accredited as an IT Security Evaluation and Testing (ITSET) Facility, under ISO/IEC 17025-2005, and approved to perform CC evaluations by CSEC.


How the CCS works - the short version:

Under the CCS, private sector CCEFs have been established in Canada.

Understandably, the integrity and competence of the CCEFs is paramount: users have to be able to trust that CCEF-evaluated products are as secure as they're certified to be, whether the products are made in Canada or elsewhere. Meanwhile, manufacturers/vendors need to be able to rely on the fairness of the testing procedure, as well to be assured that their trade secrets are protected. Finally, for the CCRA to function, CCEF evaluations, and the evaluation laboratories of the other CCRA partners must be unquestionably valid.

This is why all aspiring CCEFs must apply to and be accredited by the Standards Council of Canada (SCC), under the Canadian Information Technology Security Evaluation and Testing Facility (ITSET) Accreditation Program (ISO/IEC 17025-2005). Moreover, this is why the Communications Security Establishment Canada (CSEC) - the Government of Canada's cryptographic and security agency - has established a Certification Body (CB) to approve SCC-accredited laboratories to perform CC evaluations and to oversee the operation of the CCS and certify evaluation work. With over 50 years of expertise in ensuring the security of information, CSEC has the people and know-how to ensure that private sector CCEFs deliver their full promise.

Once accredited and approved, Canada's CCEFs are the catalyst that makes the CCS work. IT security testing is now being fast-tracked for manufacturers/vendors, and IT users are getting the products they need sooner, without sacrificing quality. For both government and private business users, the CCS is providing for the best, quickest, and most reliable IT security solutions.