
Common Criteria


October 2021

The Common Criteria for Information Technology Security Evaluation is an internationally accepted, consistent means for evaluating the security capabilities of information technology products. NetApp has achieved Common Criteria certification for its storage software and hardware products.


The Common Criteria for Information Technology Security Evaluation is an internationally recognized set of technical standards (ISO/IEC 15408-1:2009) for assessing the security capabilities of information technology products. Dozens of countries, including the United States and Canada, have signed the Common Criteria Recognition Arrangement (CCRA), officially recognizing Common Criteria certificates as the global standard. Each country has its own organization that oversees and implements Common Criteria certification. In the United States, it is the National Information Assurance Partnership (NIAP); in Canada, it is the Canadian Centre for Cyber Security (CCCS).

There are two paths to Common Criteria certification: Evaluation Assurance Levels (EAL) and Protection Profiles (PP). Each is achieved through an accredited third-party commercial testing laboratory, which tests products against standardized security requirements.

  • Evaluation Assurance Levels (EAL) are ratings based on how the product satisfies various functional and assurance security requirements. Seven levels describe the rigor and depth of the assessment, with EAL1 being the most basic and EAL7 the most stringent. The CCRA has agreed that EAL1 and EAL2 evaluations are to be recognized by all participating countries regardless of where the evaluation was completed. 
    Although EAL evaluations are no longer performed in the United States and are not listed on the NIAP Product Compliant List, EAL certifications may still be used in U.S. public sector procurement. EALs are still performed in other countries that are CCRA signatories and they are listed on the Common Criteria website. 
  • A Protection Profile is a set of Common Criteria technical standards or configurations developed for specific technology types, such as mobile devices or firewalls. The Protection Profile specifies security criteria for that type of product, against which the product is evaluated for conformance. There are two types of Protection Profiles: country-specific Protection Profile (PP) requirements, for which there is no guarantee of mutual recognition; and Collaborative Protection Profiles (cPP), recognized by all participating CCRA countries. As of March 2020, the Common Criteria list of Collaborative Protection Profiles included versions of four basic cPPs: Stateful Traffic Filter Firewalls; Full Disk Encryption – Encryption Engine; Full Disk Encryption – Authorization Acquisition; and Network Device.

When a certifying body awards a Common Criteria certificate, it asserts that the product meets the security requirements that the company specified in the related security target. (A security target is a set of requirements that specifies the scope of the evaluation.) Purchasers of certified products must review the security target to understand the assumptions made as part of the evaluation, the product's intended environment, and the security functionality that was assessed.

NetApp and Common Criteria

Continuing a certification tradition dating back to 2005, when NetApp Data ONTAP was first certified, NetApp has achieved Common Criteria certification for its storage software and hardware products. The independent accredited testing laboratories—Epoche & Espri S.L.U. in Spain and Lightship Security in Canada—audited NetApp products for compliance with Common Criteria. Their reports were certified by the Centro Criptológico Nacional (National Cryptologic Center) in Spain for SolidFire Element OS 8 and by the Canadian Centre for Cyber Security (CCCS) for all the other NetApp products. Our government and government contractor customers can rely on NetApp’s Common Criteria certification for their purchasing requirements.

NetApp in-scope products

  • ONTAP 9.7P13, 9.5, 9.3, and 9.1
  • ONTAP Select 9.5, 9.3 and 9.1
  • Data ONTAP 7-Mode 8.2.2 and 8.2.1
  • SolidFire Element OS 10.3 and 8
  • E-Series and EF Series SANtricity OS 11.50

Audits, reports, and certificates


Common Criteria certification applies only to configurations and versions specified by the certified security target. An Assurance Continuity process allows minor product changes to be evaluated and then documented on the original certificate, which covers version updates noted in the NetApp products listed below.

ONTAP

ONTAP was certified in Canada, and the CCCS issued a Common Criteria Certification Report for each product:

Note: Customers who have a support contract for our legacy products will continue to have access to patches even after the certification has expired.

SolidFire

E-Series

E-Series NetApp hardware was certified in Canada against the Network Device cPP, and the CCCS issued a Common Criteria Certification Report for SANtricity, running on E-Series or EF-Series hardware, that was reciprocated by NIAP.

  • E-Series and EF Series SANtricity OS 11.50 NDcPP (NDcPP US)

Frequently asked questions

Why is ONTAP not on the NIAP PCL?

Historically, NetApp has achieved EAL certifications; NIAP no longer lists EAL evaluations on its Product Compliant List, but they are listed on the Common Criteria web portal.

More information