NIAP: FAQs on Evaluation Consultants
NIAP/CCEVS
  1. In what ways can a consultant help with an evaluation?
  2. Will my evaluation proceed more quickly or be easier if I hire a consultant?
  3. If I hire a consultant to help with the evaluation, will that obviate the need for sponsor resources to be applied during the evaluation?
  4. Where can I find a consultant to help with an evaluation?
  5. Is there an accreditation process for consultants?
  6. What criteria should I use in selecting a consultant to help with an evaluation?

Q: In what ways can a consultant help with an evaluation?
A: A knowledgeable consultant can help a vendor to prepare their Security Target, which is mostly a CC-specific document. However, the TOE Summary Specification (one important section of the Security Target) is not written with CC-specific terminology and should be written/defined by the sponsor since this provides technical details about the TOE and its relationship to the product, as well as how it meets its security claims. Consultants are also often used for evidence preparation and evaluation management, but greater success is achieved when the sponsor hires the consultant in a supporting role for these tasks. It is preferable for the sponsor to interact directly with the CCTL's evaluation team (e.g., having a consultant as a member of the sponsor's team). CCEVS strongly discourages the use of a consultant to act as a middleman between the CCTL and vendor.

Q: Will my evaluation proceed more quickly or be easier if I hire a consultant?
A: Not necessarily, especially if the consultant does not have the considerable expertise (both in the CC and the product technology) that is required. In fact, if a consultant who does not have the proper background is hired to help with an evaluation, the evaluation process can actually take longer because the consultant will not be able to provide the CCTL with the information needed in order for the evaluation to move forward. A knowledgeable consultant who has worked on other successful evaluations (i.e., those that were completed on schedule and within budget) may help to facilitate an evaluation. Making a wise consultant choice means the difference between a successful evaluation and an evaluation with significant cost and schedule overruns.

Q: If I hire a consultant to help with the evaluation, will that obviate the need for sponsor resources to be applied during the evaluation?
A: No. There is usually a significant level of effort required to prepare for and complete an evaluation. Because sponsors don't generally anticipate or think about CC requirements as they develop their product, they often think it necessary to create evaluation-specific evidence after the fact in order to explain how their product meets the CC requirements.
Sometimes, documentation that has already been developed by the sponsor/vendor is sufficient to meet some of the requirements for evidence. It may be necessary to add rationale to the existing documentation explaining the product's security features in the context of the CC; other cases require a significant amount of CC-specific evidence to be developed.
While a knowledgeable consultant can help a sponsor with the required rationale, the sponsor is the most knowledgeable about the product details and therefore needs to be involved and available during the course of the evaluation. Regardless of whether a consultant is hired, the developer must be familiar with the CC evidence content requirements as interpreted by the CEM. CCEVS recommends that the CCTL be selected before selecting a consultant.

Q: Where can I find a consultant to help with an evaluation?
A: Most accredited CCTLs (which are listed on the NIAP CCEVS webpage) provide consulting services to help write Security Targets and supporting evaluation evidence. There are also independent consultants who are available and can provide these services. In either case, it is important to ensure that the consultant has expertise in the technology of the sponsor's product. If an independent consultant is the best fit for you, please check with the CCTL that will be performing the evaluation prior to hiring the consultant, since some CCTLs will refuse an evaluation if particular consultants are involved. All CCTLs will provide independent consultant recommendations if asked, since the CCTLs' reputations and bottom lines are harmed by consultant-induced lengthy and difficult evaluations.

Q: Is there an accreditation process for consultants?
A: No. Although it is not uncommon for individuals and companies to bill themselves as Common Criteria Experts, there are a relatively small number of consultants who have the expertise that is needed to provide useful assistance during an evaluation.

Q: What criteria should I use in selecting a consultant to help with an evaluation?
A: Part of the screening process that should occur prior to hiring a consultant should involve consideration of the following issues.

  1. The CC is a very complex document and requires considerable hands-on training. What type of hands-on training/experience has the consultant had? Examine proof of the training/experience (e.g., examine the actual ST that was written by the consultant). If the consultant has written STs for other vendors, use those vendors as references. Try to see if the consultant has actually worked with a sponsor in your particular technology area since a good consultant must know the technology as well as the CC to be effective.
  2. What is the consultant's current workload? One person can typically provide adequate support to at most two full-time evaluations simultaneously.
  3. Check 3-4 references. At least one of the references should be the CCTL that performed the evaluation on which the consultant assisted. When checking references, ask:
    1. How many times did the consultant have to modify or rewrite the documents before they were acceptable for evaluation? (Numerous revisions to documents indicate problems with the documents written by the consultant. This also increases costs and leads to schedule delays.)
    2. How closely did the originally agreed-upon schedule and costs match the actual schedule and costs? (Note: significant schedule slips could indicate problems with the documentation written by the consultant.)
    3. Did the project end with a successfully completed evaluation? (I.e., is there a certificate? If so, check it on the NIAP CCEVS website.)
    4. Would you use this consultant again on another project?
