Guidance to Consumers of Validated Products

It is important that consumers of IT products and protection profiles understand how to interpret the results of IT security evaluations conducted within the scheme. These results are described in evaluation technical reports produced by Common Criteria Testing Laboratories (CCTL) and summarized in the associated validation reports and Common Criteria certificates published by the NIAP Validation Body.

An IT product is typically evaluated in a generic laboratory setting at a CCTL within the scheme. Consequently, the evaluation rests on general assumptions about the operational environment in which the product will ultimately be employed after the security evaluation. In some cases, an evaluated IT product may be integrated into a more complex configuration of products that together compose an IT system. The actual environment of use may also differ significantly from the one described in the assumptions set forth in the security target. In the end, consumers must assess the overall contribution to assurance made by the evaluated IT product. When making that assessment, there are several things a consumer should consider:

  • The accuracy and completeness of security evaluation results depend on the accuracy and completeness of the information and documentation provided to the CCTL by the sponsor of the evaluation;
  • The quality of a security target (i.e., security specification), and the reported results of an IT product evaluated against that security target, are a function of how well the product can be described under the Common Criteria and the degree to which the Common Methodology and the derivative test methods are able to measure conformance to the security target;
  • The security evaluation results are only applicable to that particular version and release of the product in its evaluated configuration. Consumers are responsible for determining the security impact of installing or operating an evaluated IT product in a configuration other than the configuration in which it was evaluated.