Update to the SCC Requirements and Guidance for the Accreditation of Information Technology Security Evaluation and Testing Facilities
Action required
Effective immediately, all affected ITSET Facilities are required to comply with the amended requirements of the SCC Requirements and Guidance for the Accreditation of Information Technology Security Evaluation and Testing Facilities, scope of accreditation at Appendix ‘A’.
Who should read this bulletin
This is intended for accredited customers, applicants, Accreditation Advisory Panel (AAP), and staff and assessors in the Information Technology Security Evaluation and Testing Facilities program specialty in the Testing and Calibration Laboratories Accreditation Program (LAP).
What you need to know
The Canadian Centre for Cyber Security (CSE), the scheme owner for the Canadian Common Criteria Program, has amended the scope of accreditation to add clarity. The approved scope of accreditation is documented in the current version of the SCC Requirements and Guidance for the Accreditation of Information Technology Security Evaluation and Testing Facilities, Appendix ‘A’.
The amendments reduce the standards references from:
- ISO/IEC 15408: Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – Part 1
- ISO/IEC 15408: Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – Part 2
- ISO/IEC 15408: Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – Part 3
To more clearly state:
ISO/IEC 15408: Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – All Parts
The rationale is that the Common Criteria program periodically adds new parts to ISO/IEC 15408: Information security, cybersecurity and privacy protection – Evaluation criteria for IT security, and the amendment minimizes the number of changes to assessment criteria documentation.
What you need to do
The amended scope of accreditation is in effect immediately. The scope of accreditation of all accredited ITSET facilities will be updated to the amended version at their next accreditation assessment activity, which could be a re-accreditation assessment or the submission of the Annual Surveillance Questionnaire (ASQ), whichever comes first.
Scope of Accreditation
In accordance with the following standards:
- ISO/IEC 15408: Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – All parts.
- ISO/IEC 18045: Information security, cybersecurity and privacy protection – Methodology for IT security evaluation
The scope of accreditation comprises the following evaluation and testing activities:
- APE: Protection Profile Evaluation;
- ACE: Protection Profile Configuration Evaluation;
- ASE: Security Target Evaluation;
- EAL1: Evaluation Assurance Level 1;
- EAL2: Evaluation Assurance Level 2;
- EAL3: Evaluation Assurance Level 3;
- EAL4: Evaluation Assurance Level 4;
- ALC_FLR: Flaw Remediation; and
- cPP: CCCS-approved collaborative Protection Profiles.
Important dates
There are no immediate requirements for ITSET Facilities.
The Standards Council of Canada will update the approved scope of accreditation during the next scheduled re-assessment accreditation activity or during the assessment of the Annual Surveillance Questionnaire as noted above.
Questions?
For more information, please contact Jason Hachey, Manager, Compliance and Assessment Services, Accreditation Services Branch at jason.hachey@scc-ccn.ca or +1 613 238 3222.