Canadian Common Criteria program requirements and procedures for testing laboratories – Canadian Centre for Cyber Security

Summary

This Cyber Centre publication (effective 8 May 2025) supersedes the March 2023 version and sets out the requirements and procedures for commercial organisations to become and operate as approved Common Criteria testing laboratories within the Canadian Common Criteria (CC) programme. It is aimed primarily at companies seeking accreditation as testing labs, but is also useful for vendors, developers and consumers who want to understand lab obligations.

Key Points

  • Testing labs must hold a valid ITSET facility accreditation from the Standards Council of Canada (conformance with ISO/IEC 17025).
  • Strict conflict of interest controls are required, including separation from parent companies and controls between advisory and evaluation activities.
  • Security safeguards for vendor-proprietary and sensitive information are mandatory (designated organisation screening or PSPC document safeguarding assessment).
  • Labs must maintain a permanent physical facility in Canada and an IT infrastructure that supports evaluation activities and Cyber Centre oversight.
  • Personnel requirements include at least two Canada-based evaluators with Cyber Centre-issued evaluator certificates in good standing; changes must be notified within ten working days.
  • Technical proficiency must be demonstrated via a successful trial evaluation against Cyber Centre-approved products and by following Common Criteria methodology and Canadian programme instructions.
  • Steps to become a testing lab: verify requirements, contact the Cyber Centre, obtain ITSET accreditation, enter a formal agreement and complete a trial evaluation; failure to meet requirements can lead to revocation of approval.

Content Summary

The document details administrative and technical requirements for testing laboratories operating under the Canadian CC programme. Key sections cover accreditation (ITSET/ISO 17025), conflict of interest policies, security and safeguarding of sensitive information, physical presence and infrastructure in Canada, staffing and evaluator certification, and demonstration of technical proficiency through trial evaluations.

Procedural guidance explains how a company expresses interest, demonstrates compliance, enters into a formal agreement with the Cyber Centre, and completes trial evaluations that both satisfy Cyber Centre oversight and form part of the ITSET accreditation proficiency testing. It also explains maintenance obligations and conditions under which approval may be revoked.

Context and Relevance

This guidance is the definitive Canadian rulebook for labs performing Common Criteria evaluations. It ensures evaluation integrity, protects vendor-sensitive information, and aligns Canada with international recognition under the Common Criteria Recognition Arrangement (CCRA). For vendors and purchasers of evaluated IT products, it provides assurance that accredited Canadian labs meet recognised technical and procedural standards. For the wider industry, it reflects ongoing emphasis on supply-chain security and trustworthy product evaluation.

Why should I read this?

Short and blunt: if you run — or want to run — a Common Criteria testing lab in Canada, this is the checklist you can’t ignore. It tells you what accreditation, security, staffing and trial evidence you must have to get approved and to stay approved. Saves you time and guesswork so you don’t waste resources preparing the wrong stuff.

Source

Source: https://cyber.gc.ca/en/guidance/canadian-common-criteria-program-requirements-and-procedures-testing-laboratories