What gets evaluated?

The following provides a high-level overview of what gets evaluated:

• Documents defining the evaluation:
  • Security Target evaluation. Evaluation of the Security Target (ST) – a claims document that specifies the security functions under evaluation and the security assurance requirements being met.
  • Protection Profile evaluation. Evaluation of the Protection Profile (PP) – an implementation-independent statement of security needs for a technology type.
• The product (technically called a Target of Evaluation (TOE). These evaluations can include
  • Design evaluation. Evaluation of design documents – at the most basic level this will simply be an interface specification. Depending on the assurance requirements this can include multiple layers of very detailed design specs and source code review (this is becoming less common).
  • Guidance evaluation. Evaluation of all the guidance documents that are shipped with the product and any CC specific addendum or ‘Secure Installation Guide’ for achieving the evaluated configuration.
  • Life-cycle evaluation. Evaluation of configuration management practices, delivery procedures and security bug tracking (flaw remediation). Can also include development practices and site security audits.
  • Functional testing. The evaluators repeat a sample of the developer’s functional tests and come up with some independent tests to confirm the operation of the security functions as specified.
  • Vulnerability analysis / Penetration testing. The evaluators perform vulnerability analysis and penetration testing. 

Whether a particular evaluation activity gets performed is dependent on the assurance requirements that are specified in the ST.