March 2023
The Common Criteria for Information Technology Security Evaluation is an internationally accepted, consistent means for evaluating the security capabilities of information technology products. NetApp has achieved Common Criteria certification for its storage software and hardware products.
The Common Criteria for Information Technology Security Evaluation is an internationally recognized set of technical standards (ISO/IEC 15408-1:2009) for assessing the security capabilities of information technology products. Dozens of countries, including the United States and Canada, have signed the Common Criteria Recognition Arrangement (CCRA), officially recognizing Common Criteria certificates as the global standard. Each country has its own organization that oversees and implements Common Criteria certification. In the United States, it is the National Information Assurance Partnership (NIAP); in Canada, it is the Canadian Centre for Cyber Security (CCCS).
There are two paths to Common Criteria certification: Evaluation Assurance Levels (EAL) and Protection Profiles (PP). Each is achieved through an accredited third-party commercial testing laboratory, which tests products against standardized security requirements.
A Protection Profile is a set of Common Criteria technical standards or configurations developed for specific technology types, such as mobile devices or firewalls. The Protection Profile specifies security criteria for that type of product, against which the product is evaluated for conformance.
There are two types of Protection Profiles: Country-specific Protection Profile (PP) requirements, for which there is no guarantee of mutual recognition; and Collaborative Protection Profiles (cPP), recognized by all participating CCRA countries. As of March 2020, the Common Criteria Collaborative Protection Profiles listed versions of four basic cPPs: Stateful Traffic Filter Firewalls; Full Disk Encryption – Encryption Engine; Full Disk Encryption – Authorization Acquisition; and Network Device.
When a certifying body awards a Common Criteria certificate, it asserts that the product meets the security requirements that the company specified in the related security target. (A security target is a set of requirements that specifies the scope of the evaluation.) Purchasers of certified products must review the security target to understand the assumptions made as part of the evaluation, the product's intended environment, and the security functionality that was assessed.
Continuing a certification tradition dating back to 2005 when NetApp Data ONTAP was first certified , NetApp has achieved Common Criteria certification for its storage software and hardware products. The independent accredited testing laboratories—Epoche & Espri S.L.U. in Spain and Lightship Security in Canada—audited NetApp products for compliance with Common Criteria. Their reports were certified by the Centro Criptológico Nacional (National Cryptologic Center) in Spain for SolidFire Element OS 8 and by the Canadian Centre for Cyber Security (CCCS) for all the other NetApp products. Our government and government contractor customers can rely on NetApp’s Common Criteria certification for their purchasing requirements.
E-Series NetApp hardware was certified in Canada against the Network Device cPP. The CCCS issued a Common Criteria Certification Report for SANtricity, running on E-Series or EF-Series hardware that was reciprocated by NIAP.
Note Customers who have a support contract for our legacy products will continue to have access to patches even after the certification has expired.
Certified in Canada by the CCCS.
