Getting a Product Evaluated

Evaluation is the assessment of an IT product for conformance to the Common Criteria. The evaluation determines how well the product, or Target of Evaluation (TOE), upholds the functional and assurance security specification contained in its security target (ST). The objective is to enable the Common Criteria Testing Laboratory (CCTL) conducting the evaluation to prepare an impartial report stating whether or not the TOE satisfies its ST.
The ST serves both as the specification of the security functions against which the IT product (i.e., the TOE) will be evaluated and as a description relating the product to the environment in which it will operate. The sponsor of an evaluation provides the ST, which includes a list of claims about the IT product made by the sponsor. The content and presentation of the ST must be specified in terms of the Common Criteria. The ST may also claim conformance to a protection profile (PP).

The deliverables for an IT security evaluation are typically items of hardware, firmware, software, or other technical documentation normally generated during the development of the product. The sponsor of an evaluation must ensure the timely supply of deliverables for the evaluation. Appropriate contractual arrangements shall be made by the sponsor to ensure the supply of evaluation deliverables to the CCTL. If the TOE consists of multiple IT products, some of which have been previously evaluated, the sponsor of the evaluation must ensure that contractual arrangements include authority for the release of previous evaluation results.

The sponsor of an IT security evaluation must ensure that the CCTL and the Validation Body have access to any proprietary information necessary to conduct the evaluation and validation, respectively. The CCTL may be unable to perform an evaluation of the product, and the Validation Body may be unable to publish its validation report, if access to such proprietary information is denied. The Validation Body and CCTL shall ensure that no sensitive or proprietary information is released to unauthorized parties during the course of an evaluation in a way that would compromise this information. The CCTL shall ensure that the nature and extent of the proprietary information are defined and apply appropriate rules for its protection.

The majority of activity in the early stages of an evaluation takes place between the sponsor of the evaluation and the CCTL. The sponsor is responsible for providing the ST and the associated IT product that will become the TOE. The composition of a TOE may vary and consist of hardware, firmware, and software (or a combination thereof). The TOE may also include multiple IT products (sometimes referred to as an IT system), some of which may already be evaluated. All security-relevant information and documentation produced during the IT product development process shall be included in the deliverables supplied to the CCTL conducting the evaluation. The sponsor must ensure that arrangements have been made to provide all essential documentation to the CCTL in order to conduct a successful security evaluation.