NIAP: Terms and Acronyms
Terms and Acronyms
Shown below are terms and acronyms frequently used in discussions about Common Criteria.
Accreditation Body An independent organization responsible for assessing the performance of other organizations against a recognized standard, and for formally confirming the status of those that meet the standard.
Accredited Formally confirmed by an accreditation body as meeting a predetermined standard of impartiality and general technical, methodological, and procedural competence.
Anti-Virus An Anti-Virus application provides protection against viruses coming into the workstation from network connections and/or removable media, and is considered sufficient protection for environments where the likelihood of an attempted compromise is low.
Approval Policy A part of the essential documentation of the Common Criteria Evaluation and Validation Scheme, setting out the procedures for making an application to be approved as a CCTL and placed on the NIAP Approved Laboratories List and for the processing of such applications and of the requirements which an applicant must fulfill in order to qualify.
Approved Lab List The list of approved CCTLs authorized by the NIAP Validation Body to conduct IT security evaluations within the Common Criteria Evaluation and Validation Scheme.
Approved Test Method List The list of approved test methods maintained by the NIAP Validation Body which can be selected by a CCTL in choosing its scope of accreditation, i.e., the types of IT security evaluations that it will be authorized to conduct using NIAP-approved test methods.
Archived Protection Profile PPs are reviewed periodically to determine if the security functional and assurance requirements are still acceptable in the face of rapidly changing technology and increasing threat levels. If it is determined that specific protection profiles no longer accurately map to existing technology and threat levels, these PPs will be retired and archived. PPs listed in the archived section of the NIAP CCEVS Validated Protection Profiles page are to be used for reference purposes only.
Assurance Continuity Process A program within the Common Criteria Scheme that allows a sponsor to maintain a Common Criteria certificate by providing a means to ensure that a validated TOE will continue to meet its security target as changes are made to the IT product or its environment.
Availability Timely, reliable access to data and information services for authorized users.
Biometrics Provide stronger user authentication to facilities or workstations by adding the "something you are" to the "something you know or have" protection of passwords/tokens. The Biometric capability may involve fingerprints, whole hand geometry, facial recognition, or retina scanning devices.
CC See Common Criteria
CC Certificate A brief public document issued by the NIAP Validation Body under the authority of NIST and NSA which confirms that an IT product or protection profile has successfully completed evaluation by a CCTL. A Common Criteria certificate always has a validation report associated with it.
CCEVS Common Criteria Evaluation and Validation Scheme
CCRA Common Criteria Recognition Arrangement
CCTL Common Criteria Testing Laboratory
CEM Common Evaluation Methodology
Certificate Management Technology used to manage the ordering, generation, distribution, and compromise recovery of public key certificates for users of cryptographic systems.
CICO Check-In/Check-Out
Common Criteria Common Criteria for Information Technology Security Evaluation, the title of a set of documents describing a particular set of IT security evaluation criteria.
Common Criteria Evaluation and Validation Scheme The program developed by NIST and NSA as part of the National Information Assurance Partnership (NIAP) establishing an organizational and technical framework to evaluate the trustworthiness of IT Products and protection profiles.
Common Criteria Testing Laboratory Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility, accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations.
Common Evaluation Methodology Common Methodology for Information Technology Security Evaluations - a technical document that describes a set of IT security evaluation methods.
Confidentiality Assurance that information is not disclosed to unauthorized individuals, processes, or devices.
Database Management System (DBMS) A trusted software system that facilitates the creation and maintenance of a database or databases, and the execution of computer programs using the database or databases. A Database is defined as a set of data that is required for a specific purpose or is fundamental to a system, project, or enterprise.
EAL Evaluation Assurance Level
EAP Evaluation Acceptance Package
ETR Evaluation Technical Report
Evaluation The assessment of an IT product against the Common Criteria using the Common Evaluation Methodology to determine whether or not the claims made are justified; or the assessment of a protection profile against the Common Criteria using the Common Evaluation Methodology to determine if the profile is complete, consistent, technically sound and hence suitable for use as a statement of requirements for one or more TOEs that may be evaluated.
Evaluation Acceptance Package A set of documentation from the CCTL consisting of a complete security target for the Target of Evaluation (TOE) and a complete evaluation work plan detailing the inputs, actions and timelines for the conduct of the evaluation; and the identification of points of contact for both the CCTL and the sponsor of the evaluation.
Evaluation Technical Report A report giving the details of the findings of an evaluation, submitted by the CCTL to the CCEVS Validation Body as the principal basis for the validation report.
Evaluation Work Plan A document produced by a CCTL detailing the organization, schedule, and planned activities for an IT security evaluation.
Firewall Deployed at enclave boundaries or on local hosts/servers to control access and restrict vulnerable services in support of an organization's security policy.
Guards Used to protect connections from a classified network. Analogous to high assurance firewalls, but with additional protection against leakage of high side data.
IAR Impact Analysis Report
IEC International Electrotechnical Commission
Integrity The quality of an information system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. Note that, in a formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information.
Intrusion Detection System/Intrusion Prevention System Devices generally deployed on networks or user hosts to monitor traffic and look for evidence of unauthorized intrusions or network attacks.
ISO International Organization for Standardization
IT Information Technology
Mobile Code Technology that enforces security policy restrictions on mobile code. These restrictions may be implemented within boundary protection solutions or may be enforced on user hosts or servers.
MR Memorandum of Record
MSR Monthly Summary Report
Network Management Technology that helps to protect networks against malicious attacks that might deny access or use of the network. For example, the technology used to control access to network management centers and to protect network management transactions from various kinds of attacks.
NIAP National Information Assurance Partnership
NIAP Validation Body A governmental organization responsible for carrying out validation and for overseeing the day-to-day operation of the CCEVS.
NIST National Institute of Standards and Technology
NSA National Security Agency
NSS National Security Systems
NVLAP National Voluntary Laboratory Accreditation Program - the U.S. accreditation authority for CCTLs operating within the NIAP CCEVS.
Observation Decision A response to an Observation Report (OR). The observation decision (OD) is the formal documented response from the Validation Body that provides clarification/guidance to the CCTL on a submitted OR.
Observation Report A report issued to the NIAP Validation Body by a CCTL or sponsor identifying specific problems or issues related to the conduct of an IT security evaluation.
OD Observation Decision
ODRB Observation Decision Review Board
Operating System An operating system that offers security mechanisms such as authentication, access control, data separation, and auditing to enforce security policies set by the system administrators or users.
OR Observation Report
Peripheral Switch A trusted electronic or physical device that allows a user to share a single peripheral (e.g. a monitor or keyboard) across two workstations operating on different system high networks. The switch must prevent leakage or sharing of data across the two networks.
PP Protection Profile
Protection Profile An implementation independent set of security requirements for a category of IT products which meet specific consumer needs.
Public Key Infrastructure (PKI)/Key Management Infrastructure Refers to the collection of technologies, facilities, people and processes used to manage the provisioning of public key and traditional key management services to users of cryptographic products.
Secure Messaging Messaging applications that offer authentication, signature, and encryption mechanisms to provide privacy and integrity for user data. These services are usually enabled by the use of public keying techniques.
Security Management Security management is a set of pervasive security mechanisms which support the security services by direct and supervisory administration, automated processes, and by the activities of all information users.
Security Target A specification of the security required (both functionality and assurance) in a Target of Evaluation (TOE), used as a baseline for evaluation under the CC. The security target specifies the security objectives, the threats to those objectives, and any specific security mechanisms that will be employed.
Sensitive Data Protection The implementation of administrative, technical, or physical measures to guard against the unauthorized access to data.
SF Security Function
SFR Security Functional Requirement
Single Level Web Server Web servers that provide access control, audit, and authentication and data encryption services appropriate for use on system high networks.
Smart Cards Small user tokens generally used to securely store user authentication credentials (e.g. the private portion of public key material) and to control access and use of these credentials.
Sponsor The person or organization that requests a security evaluation of an IT product or protection profile.
ST Security Target
System Access Control The definition or restriction of the rights of individuals or application programs to obtain data from, or place data onto, a storage device; more generally, limiting access to information system resources only to authorized users, programs, processes, or other systems.
TC Technical Community - A collaborative group of Government, industry, and academia with the key goal of developing Protection Profiles.
Test Method An evaluation assurance package from the CC, the associated evaluation methodology for that assurance package from the CEM, and any technology-specific derived testing requirements.
TOE Target of Evaluation - An IT product or group of IT products configured as an IT System and associated documentation that is the subject of a security evaluation under the CC. Also, a protection profile that is the subject of a security evaluation under the CC.
TRRT Technical Rapid Response Team - Teams to which anyone (CCTLs, Vendors, Schemes, or NIAP) can direct their technical questions.
Validation The process carried out by the NIAP Validation Body leading to the issue of a CC certificate.
Validation Oversight Review Provides a process for CCEVS to ensure the technical quality of evaluations, and confirms that the CCTLs correctly applied all CCEVS policies and accomplished all the required analysis.
Validation Report A publicly available document issued by the NIAP Validation Body which summarizes the results of an evaluation and confirms the overall results (i.e., that the evaluation has been properly carried out; that the CC, the Common Evaluation Methodology, and scheme-specific procedures have been correctly applied; and that the conclusions of the Evaluation Technical Report are consistent with the evidence adduced).
Virtual Private Network (VPN) A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. The idea of the VPN is to ensure that the right people can access your network resources.
VOR Validation Oversight Review
VPL A publicly available document issued periodically by the NIAP Validation Body giving brief particulars of every IT product or protection profile which holds a currently valid CC certificate awarded by that body and every product or profile validated or certified under the authority of another Party for which the certificate has been recognized.
VR Validation Report
Wireless LAN (WLAN) WLANs provide wireless network communication over short distances using radio signals instead of traditional network cabling. A WLAN typically extends an existing wired local area network. WLANs are built by attaching a device called the access system to the edge of the wired network. Clients communicate with the access system using a wireless network adapter similar in function to a traditional Ethernet adapter.