The Communications Security Establishment (CSE), the governing body of Common Criteria in Canada, has officially stated they will only accept Protection Profile (PP) based evaluations starting in September of 2017. Furthermore, they have stated that they will only be accepting evaluations against CSE-approved PPs; a full list of which can be found here.
Additional guidance on process and restrictions that may be of interest to product vendors include:
- CSE has eliminated the formal Common Criteria eligibility process and replaced it with an informal process for all evaluations not based on a CSE-approved PP
- All Target of Evaluations (TOE) claiming conformance to a CSE-Approved PP will be accepted into evaluation, there is no eligibility process
- Labs will have 6 weeks from when CSE approves the TOE for evaluation to complete the ASE evaluation and submit the ASE pETR
Factors now to consider when looking into a Canadian Common Criteria Certification:
- For TOE’s that are conformant to a CSE-Approved PP, this will impact lab engagement in Canada from now until Sept 2017
- A clearly Defined TOE Boundary
- Establishing a stable list of Security Functional Requirements (SFRs)
Contact Corsec to better understand how this might affect your security certification strategy.