Frequently Asked Questions (V4)
Evaluations
Contents
- How do I get my product evaluated?
- What is the evaluation process?
- How much does an evaluation cost?
- How do I find out about the evaluation process?
- Who actually performs the evaluations?
- What information is released about an evaluated product?
1. How do I get my product evaluated?
At the present time, products may be evaluated under the Trust
Technology Assessment Program (TTAP). Vendors desiring an evaluation against
the Common Criteria at EAL5 and above should contact the Information
Assurance Criteria Support Office at (410) 854-4458 for further information.
Evaluations against the Common Criteria EALs 1 through 4 should follow the
procedures outlined below.
Procedures for entrance into TTAP Evaluations
A vendor of a trusted product interested in obtaining a TTAP evaluation
approaches one or more TEFs (see
Evaluation Programs FAQ, Question 3) to solicit evaluation proposals. Any discussions
regarding the price of the evaluation, the nature or conditions of payment,
and the schedule for the evaluation are left entirely up to the TEF and the
vendor. Similarly, proposal content and any screening or pre-investigation
that the TEF may wish to conduct regarding the viability of the product is
left to the discretion of the TEF. The TTAP Oversight Board will provide
resources, if available, to assist in a preliminary technical assessment of
the product at the request of the vendor or the TEF. Prior to signing any
agreement with the vendor, the TEF must ensure that there is no conflict of
interest or appearance of conflict of interest in performing this evaluation.
Once the vendor selects a TEF and the vendor and the TEF negotiate and sign a
contract, the TEF submits the name of the vendor, the name and type of product,
the schedule, and the names of the evaluation team members to the TTAP
Oversight Board. Schedule and product information is used by the TTAP
Oversight Board to allocate and schedule technical oversight
resources.
2. What is the evaluation process?
TTAP
For those who wish to participate in the TTAP process, the process
is described in some detail at
<http://www.radium.ncsc.mil/tpep/ttap/Process.html>
3. How much does an evaluation cost?
Under TTAP, the vendor of an IT product contracts with an NSA-authorized
TTAP Evaluation Facility (TEF) and bears the costs
of evaluation activities. This cost is negotiated between
the TEF and the vendor.
4. How do I find out about the evaluation process?
For an abstract view of the evaluation process you can read
this list of Frequently Asked Questions (FAQ).
For the TTAP process, more information can be found at
<http://www.radium.ncsc.mil/tpep/ttap/Process.html>
5. Who actually performs the evaluations?
Under TTAP, TTAP Evaluation
Facilities (TEFs) conduct the evaluations.
6. What information is released about an evaluated product?
As we begin working with a product, the vendor and target
rating are made available. When that product is accepted into
evaluation, information such as the vendor, target rating, and
target completion date is announced in a Product Announcement.
A more informative Product Bulletin is published when a product
completes a significant evaluation milestone. When the evaluation
is completed, the general evaluated product configuration, general
product information, and rating are announced in an entry on the EPL.
In addition, at the completion of the evaluation, a report is published
(see Evaluated Products FAQ, Question 6) along with the Security Target
(see Criteria FAQ, Question 4) for the product.
The report contains the analysis of the
evaluation team, a complete description of the evaluated
product, and often comments about the usability of the product
in its evaluated configuration by the evaluation team.
EPL entries and Final Evaluation Reports are available at
<http://www.radium.ncsc.mil/tpep/epl/index.html>.
Last updated Wed Aug 25 07:07:10 1999
URL: http://www.radium.ncsc.mil/tpep/process/faq-sect5.html