The Canadian Centre for Cyber Security recently released its updated Common Criteria (CC) Program Instructions which state that they will consider accepting EAL3 and EAL4 evaluations on a case by case basis. Evaluations were previously restricted to those claiming an approved Protection Profile (PP) or EAL2.
Based on the updated instructions it’s clear that the Canadians want to make sure that there is a good business case for why they should deploy valuable resources to support a given EAL3/4 evaluation. This will include factors such as where the request for evaluation is coming from (i.e. Government of Canada, a Canadian critical infrastructure sector, or from another country), whether there is an applicable PP and whether the technology / evaluation will provide value to Canada.
This decision acknowledges the reality that in a global marketplace, demand for EAL3/4 assurance levels has persisted despite a push towards Protection Profiles and related CCRA changes, evidenced by vendors having to shop around international CC schemes to get their EAL3/4 certificates, often in parallel with their required PP evaluation.
At Lightship Security we are pleased to now offer our customers turnkey EAL3/4 evaluation services (including EAL4+) where there is a valid technical and business rationale. We also want to acknowledge the support that this pragmatic approach shows the Canadian Centre for Cyber Security has for its labs and the Canadian consumer.
Talk to us today to understand your CC certification options for North America and international procurement requirements.