NIAP: Frequently Asked Questions (FAQ)
NIAP/CCEVS

The "Frequently Asked Questions", dated 28 March 2012, address many key questions asked of CCEVS about the most recent activities in the NIAP transformation. Not all scenarios and questions can be addressed, so if you have a question not covered in the FAQ below, please email or call the NIAP CCEVS office at niap@niap-ccevs.org or 410-854-4458.

The “Questions and Answers on the NIAP’s Evolution”, dated 21 October 2009, address the critical questions asked of CCEVS since NIAP’s public announcement of our evolution on 16 March 2009. Not all scenarios and questions can be addressed, so if you have a question not covered in the Q&A below, please call or email the NIAP CCEVS office at 410-854-4458 or niap@niap-ccevs.org.

The Frequently Asked Questions below predate NIAP's evolution announcement on 16 March 2009. Be advised that many policies have changed or are being changed.

To aid in printing, the NSTISSP FAQ is stored in PDF format, a document format created by Adobe. If you don't have the easy-to-install software, simply click on the Adobe Acrobat icon and you will be directed to the Adobe Acrobat website.

Click here to open the NSTISSP #11 FAQ PDF Document
(Last updated 24 March 2005)


FAQ About NIAP CCEVS

How do I get a product evaluated?
How do I find a lab to evaluate my product?
How do we tell developers what types of IT security we want?
How do we know if developers produced what we asked for?
How can we achieve assurance in our products and systems?
How do I get my laboratory accredited?


Q: How do I get a product evaluated?
A: The majority of activity in the early stages of an evaluation takes place between the sponsor of the evaluation and the Common Criteria Testing Laboratory (CCTL). The sponsor is responsible for providing the security target (ST) and the associated IT product that will become the target of evaluation (TOE). The sponsor must ensure that all essential documentation to be provided to the CCTL is available. The sponsor then contacts a CCTL to negotiate a contract and initiate the security evaluation.

Q: How do I find a lab to evaluate my product?
A: When selecting a CCTL for consulting prior to an evaluation, or for performing the evaluation, or both, the sponsor should use a careful screening process. The experience of the CCTL personnel with both the technology and the target Evaluation Assurance Level (EAL), the fees, the estimated schedule, and any other pertinent factors should be reviewed and considered before the sponsor enters into a contractual relationship with a CCTL. Details of the contract between the CCTL and the sponsor are left to the two parties to negotiate, with no involvement by the Validation Body. Visit the link in the navigation bar for a list of accredited CCTLs.

Q: How do we tell developers what types of IT security we want?
A: In the area of IT security requirements definition and specification, NIAP works closely with various government, industry and consumer constituency groups through its forum activities to promote the use of the CC in developing technology-based protection profiles. The forums provide an opportunity for open discussion of significant technical and business-related issues, public vetting of requirements, and consensus building.

Q: How do we know if developers produced what we asked for?
A: Evaluating products and systems against well-defined sets of IT security requirements or security specifications is the next logical step in the process. NIAP operates a full service evaluation and validation program to assist consumers in making informed choices about the security-related aspects of IT products and systems. NIAP employs the National Voluntary Laboratory Accreditation Program (NVLAP) at NIST to ensure that the private sector accredited security testing laboratories meet its high standards for technical competence and integrity.

Q: How can we achieve assurance in our products and systems?
A: NIAP continues to look for better ways to specify security requirements and more cost-effective and timely methods for evaluating IT products and systems. Through its research and development arm, NIAP assists government, industry and the IT security community by creating automated support tools, designing new test methods, and exploring alternative assurance approaches for the assessment of IT products and systems. NIAP also offers a variety of technical classes in support of its IT security-related activities.

Q: How do I get my lab accredited?
A: IT security evaluations are conducted by commercial testing laboratories accredited by NVLAP and approved by the Evaluation Body. These approved testing laboratories are called Common Criteria Testing Laboratories (CCTL). NVLAP accreditation is the primary requirement for becoming a CCTL. A commercial entity desiring to become a CCTL must also meet specific NIAP-CCEVS requirements.