Common Criteria Evaluation and Validation Scheme
This article needs additional citations for verification. (September 2014) |
Common Criteria Evaluation and Validation Scheme (CCEVS) is a United States Government program administered by the National Information Assurance Partnership (NIAP) to evaluate security functionality of an information technology with conformance to the Common Criteria international standard.
Objectives
The CCEVS program is a partnership between the U.S. Government and industry to assist themselves and the consumers:
- To meet the needs of government and industry for cost-effective evaluation of IT products
- To encourage the formation of commercial security testing laboratories and the development of a private sector security testing industry
- To ensure that security evaluations of IT products are performed to consistent standards
- To improve the availability of evaluated IT products.
The scheme is intended to serve many communities of interest with very diverse roles and responsibilities. This community includes IT product developers, product vendors, value-added resellers, systems integrators, IT security researchers, acquisition/procurement authorities, consumers of IT products, auditors, and accreditors (individuals deciding the fitness for operation of those products within their respective organizations). Close cooperation between government and industry is paramount to the success of the scheme and the realization of its objectives.[1]
Validation Body
The Validation Body has the ultimate responsibility for the operation of the CCEVS in accordance with NIAP policies and procedures. Where appropriate it will interpret and amend those policies and procedures. The NIST and NSA are responsible for providing sufficient resources to the NIAP so that the Validation Body may carry out its responsibilities.
The Validation Body is led by a Director and Deputy Director selected by NIST and NSA management and other personnel include validators and technical experts in various technology areas.
The Validation Body ensures that appropriate mechanisms are in place to protect the interests of all parties within the CCEVS participating in the process of IT security evaluation.
Disputes brought forth by any participating party, i.e. the sponsor of an evaluation, product or Protection Profile developer or CCTL concerning the operation of the CCEVS or any of its associated activities shall be referred to the Validation Body for resolution.