1. With the new Protection Profiles, do I need to be concerned about the legacy Evaluation Assurance LeveL (EAL) number?
    1. No, the new Protection Profiles represent the baseline security requirements to mitigate the threat agent capabilities typically associated with GC Protected B systems exposed to the internet.  Refer to  ITSG-33 Profile 1 PB/M/M.  The new Protection Profiles include components from EALs 1-4 as deemed applicable for the technology class.
  2. Why should I use a Common Criteria certified product?
    1. A Common Criteria (CC) certified product is recognized by CSE as a product that offers valuable security functionality to an IT environment. These products are certified by a CC accredited commercial lab against an internationally recognized standard, in a structured manner in order to be available for timely procurement.

  3. What is being done to keep the Common Criteria up-to-date with technology advancement?

    1. International technical communities are formed to develop new Protection Profiles for key technology types, and to maintain existing Protection Profiles. These technical communities include vendors, evaluation labs, and national certification bodies, working together to ensure that these Protection Profiles include core functionality that can be evaluated in an effective manner.

  1. Who should use the Common Criteria?
    1. For the Unclassified domain with sensitive information:
      • System architects /Network engineers needing confidence in the correct implementation of security features found in IT products within their network. For example network routers for boundary control.
    2. For the Classified domain:
      • Security architects requiring validated commercial IT products that meet a restricted set of security characteristics. For example smartcards for strong authentication.
  1. I’m designing  a new IT System, how do I use Common Criteria? 
    1. The Common Criteria can be used at each stage of the lifecycle for an IT product, as follows:

Step 1: System requirements:

  • A TRA is typically conducted that identifies any critical components of the system/network that requires strong assurance.  Assured products are often used to mitigate risk in critical components.
  • Business requirements may identify a need for specific assured products.

Step 2: Technical Design:

  • The system architect would examine the results of the TRA that identifies critical components of the network and analyzes potential solutions. 
    • Examples of solutions that mitigate typical risks would be the use of a Firewall, IDS/IPS, and secure desktop/server operating systems; and
    • Identify Protection Profiles that correspond to these technologies, such as: Stateful Traffic Filter Firewall; extended package for Intrusion Prevention System; and General Purpose Operating System (See Protection Profiles).

Step 3: Build/Construction:

  • The process to procure the products should make use of contract clauses that call for Common Criteria products (See Certified Products) that meet the identified Protection Profile(s).
  1. I’m configuring an existing business application to allow remote access from the Internet through our departmental network, how would I make use of the Common Criteria?

Step 1: Conduct a threat assessment to identify the new risks as a result of this change:

  • An example of a typical solution to mitigate risks of this nature would be the use of an authentication server and a VPN gateway; and
  • Identify Protection Profiles that correspond to these technologies, such as: Extended Package for Authentication Servers and VPN gateway.

Step 2: Procure the new components:

  • The process to procure the products should make use of contract clauses that call for Common Criteria products that meet the identified Protection Profile(s).
  1. What commercial labs operate under the Canadian CC Program?
    1. See Our Scheme Evaluation Facilities page
  2. How do I get a product evaluated under the Canadian CC Program?
    1. Contact one of the commercial labs operating under the Canadian CC Program.