The National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme (CCEVS) is managed and staffed by the National Security Agency (NSA).
The focus of the CCEVS is to establish a national program for the evaluation of information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation. The CCEVS approves participation of security testing laboratories in the scheme in accordance with its established policies and procedures. During the course of an evaluation, the CCEVS provides technical guidance to those testing laboratories, validates the results of IT security evaluations for conformance to the Common Criteria, and serves as an interface to other nations for the recognition of such evaluations.
IT security evaluations are conducted by commercial testing laboratories accredited by the NIST's National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the CCEVS. These approved testing laboratories are called Common Criteria Testing Laboratories (CCTLs). NVLAP accreditation is one of the requirements for becoming a CCTL. The purpose of the NVLAP accreditation is to ensure that laboratories meet the requirements of ISO/IEC Guide 25, General Requirement for the Competence of Calibration and Testing Laboratories and the specific scheme requirements for IT security evaluation. Other requirements for CCTL approval are CCEVS-specific and are outlined in scheme policies and scheme publications.
The CCEVS assesses the results of a security evaluation conducted by a CCTL within the scheme and when appropriate, issues a Common Criteria certificate. The certificate, together with its associated validation report, confirms that an IT product or protection profile has been evaluated at an accredited laboratory using the Common Evaluation Methodology for conformance to the Common Criteria. The certificate also confirms that the IT security evaluation has been conducted in accordance with the provisions of the scheme and that the conclusions of the testing laboratory are consistent with the evidence presented during the evaluation.
The CCEVS maintains a Validated Products List (VPL) containing all IT products and protection profiles that have successfully completed evaluation and validation under the scheme. The VPL includes those products and profiles successfully completing similar processes under the schemes of authorized signatures to the Arrangement on the Mutual Recognition of Common Criteria Certificates in the Field of Information Technology Security.