Frequently Asked Questions
What is Common Criteria?
The Common Criteria (CC) is a set of internationally recognized IT security evaluation criteria that enables a vendor to have their IT security product's security independently evaluated and recognized globally by participating countries. A list of all those countries that recognize results of a Common Criteria certification can be found at http://www.commoncriteriaportal.org/ccra/members/
Do I qualify for a Common Criteria Evaluation/Certification?
It is often said that it is possible to evaluate a brick under the Common Criteria, and indeed it is true in many cases. That being said, in order to be evaluated under Common Criteria and have the results certified, a vendor must have an IT product that offers some security functionality. In Canada the governing body CSEC determines eligibility for evaluation. Details of CSEC scheme documentation can be found at http://www.cse-cst.gc.ca/its-sti/services/cc/index-eng.html. CSEC provides a number of documents that dictate Scheme requirements, and they should be contacted for provision of such documents.
In the US, NIAP runs the CCEVS (Common Criteria Evaluation and Validation Scheme). Please visit http://www.niap-ccevs.org/ for more information.
How long does an evaluation take?
The length of a CC Evaluation typically depends on a number of factors including complexity of the product, the set of security functionality in scope for the evaluation, and most importantly the commitment of the vendor to completing the evaluation. Typically this process can take anywhere between three and 24 months, with most evaluations around 12 months in duration.
Which roles do various parties play in evaluation?
The lifecycle of a CC evaluation starts with the Developer, who has developed a product with a security component for evaluation. The Developer (or Vendor or Sponsor if different) then provides lifecycle documentation of the product in accordance with the CC requirements. This can be done by either the developer, or more commonly and efficiently, by CygnaCom or a third party Documentation Provider.
The documentation and the product are submitted for evaluation by an evaluation facility (such as CygnaCom) that has been accredited by the national scheme for that country.
Finally, the results of the evaluation are certified by the national scheme before being recognized by all other CC scheme members under the Common Criteria Recognition Arrangement (CCRA).
CygnaCom is an accredited lab(200002-0) under the US Scheme and is a accepting evaluations for evaluation in the Canadian Scheme
What is EAL and which levels can I use?
EAL refers to the Evaluation Assurance Level of the product being evaluated, which in turn is known as the Target Of Evaluation (TOE). The EAL number ranges from 1-7 and typically is one of a number of pre-defined assurance levels provided by the CC framework. At present there is an agreed upon evaluation methodology within the CCRA only up to EAL4, meaning mutual recognition does not exists above this level.
In both Canada and the US, a recent ruling has dictated that Evaluation Assurance Levels cannot exceed EAL2. It is the Developer/Vendor/Sponsor's decision, typically based on market requirements, whether to undergo EAL1 or EAL2 evaluation.
What is a FIPS 140-2 validation, and do I need one?
The Common Criteria explicitly excludes an evaluation of strength of cryptographic function. Many security products contain cryptographic functionality that is integral to the secure operation of that product, and if this is the case, a separate method - FIPS 140-2 Validation - is required to validate that functionality. Further information can be found at http://csrc.nist.gov/groups/STM/cmvp/index.html.
Certificates are issued jointly by the US and the Canadian Schemes.
CygnaCom lab is accredited (200002-0) for FIPS 140-2 validation under both Schemes.
What is a Protection Profile (PP) and how does it affect my evaluation?
A Protection Profile (PP) is an implementation-independent statement of security needs for a Target of Evaluation (TOE) type, meaning that it is a document that provides a framework with a minimum set of security requirements that your product must demonstrate and enumerate based on your technologies particular security attributes.
There are currently PPs that cover most technology types, and if your product is of one of these technology types, you must comply with the relevant PP to begin evaluation in both the US and Canada.
For instances where PPs do not exist for your technology type, the Scheme will determine whether or not the product is acceptable for evaluation.
How can CygnaCom help?
CygnaCom is a full service company, meaning we can help you to understand your evaluation requirements, determine your readiness for evaluation, support you in preparing for and undergoing evaluation, and perform the evaluation, both for Common Criteria and FIPS. For further information on how CygnaCom can help you with evaluation, please email firstname.lastname@example.org .
Where can I find more information on Common Criteria?
The following link provides a repository for the Common Criteria, CCRA information, certified products, and much more:
Where can I find more information on Common Criteria evaluation schemes?
Information on the Canadian Scheme can be found at:
Information on the US Scheme can be found at: