Common Criteria Evaluation And Validation Scheme

Common Criteria Evaluation and Validation Scheme (CCEVS) is a United States Government program administered by the National Information Assurance Partnership (NIAP) to evaluate the security functionality of information technology products for conformance with the Common Criteria international standard. The new standard uses Protection Profiles and the Common Criteria Standards to certify the product. This change happened in 2009. Their stated goal in making the change was to ensure achievable, repeatable and testable evaluations.


Objectives

The CCEVS program is a partnership between the U.S. Government and industry to assist themselves and the consumers:

* To meet the needs of government and industry for cost-effective evaluation of IT products
* To encourage the formation of commercial security testing laboratories and the development of a private sector security testing industry
* To ensure that security evaluations of IT products are performed to consistent standards
* To improve the availability of evaluated IT products.

The scheme is intended to serve many communities of interest with very diverse roles and responsibilities. These communities include IT product developers, product vendors, value-added resellers, systems integrators, IT security researchers, acquisition/procurement authorities, consumers of IT products, auditors, and accreditors (individuals deciding the fitness for operation of those products within their respective organizations). Close cooperation between government and industry is paramount to the success of the scheme and the realization of its objectives.


Validation Body

The Validation Body has the ultimate responsibility for the operation of the CCEVS in accordance with NIAP policies and procedures. Where appropriate, it will interpret and amend those policies and procedures. NIST and NSA are responsible for providing sufficient resources to the NIAP so that the Validation Body may carry out its responsibilities. However, as of 2009 the NIAP has reached out to other vendors, labs, academia and customers to help in the evaluation of products, thereby diminishing the reliance on the NSA. The Validation Body is led by a Director and Deputy Director selected by NIST and NSA management; other personnel include validators and technical experts in various technology areas. The Validation Body ensures that appropriate mechanisms are in place to protect the interests of all parties within the CCEVS participating in the process of IT security evaluation. Disputes brought forth by any participating party (i.e. the sponsor of an evaluation, a product or Protection Profile developer, or a CCTL) concerning the operation of the CCEVS or any of its associated activities shall be referred to the Validation Body for resolution. Once the product has been certified, it is listed as PP Compliant in the NIAP Product Compliant List (PCL).


External links


NIAP

NSA NIAP

DoDI 8500.2

