CONTENTS

CCM: General Evaluation Guidelines

General Evaluation Guidelines.  There are three types of evaluations, which are PP, ST, and TOE evaluation.  They will be explained in detail below. 

PP evaluation.  The PP evaluation is carried out against the evaluation criteria for PPs contained in CC Part 3. The goal of such an evaluation is to demonstrate that the PP is complete, consistent, and technically sound and suitable for use as a statement of requirements for a TOE.

ST evaluation.  The evaluation of the ST for the TOE is carried out against the evaluation criteria for STs contained in Part 3. The goal of such an evaluation is twofold: first to demonstrate that the ST is complete, consistent, and technically sound and hence suitable for use as the basis for the corresponding TOE evaluation; second, in the case where an ST claims conformance to a PP, to demonstrate that the ST properly meets the requirements of the PP.

TOE evaluation.  The TOE evaluation is carried out against the evaluation criteria contained in CC Part 3 using a substantially complete ST as the basis. A substantially complete ST reduces the risk of problems later on in the evaluation process and is where all sections have been completed to an extent acceptable by the evaluation scheme and for which no significant evaluation hurdles are foreseen. The result of a TOE evaluation is to demonstrate that the TOE meets the security requirements contained in the evaluated ST.

Evaluation Methodology.  Evaluation methodology can be obtained from the CEM official version from [3].

Evaluation Verdicts
The CEM recognizes three mutually exclusive verdict states:

  • Conditions for a pass verdict are defined as an evaluator completion of the CC evaluator action element and determination that the requirements for the PP, ST or TOE under evaluation are met. The conditions for passing the element are defined as the constituent work units of the related CEM action.  
  • Conditions for an inconclusive  verdict are defined as an evaluator incompletion of one or more work units of the CEM action related to the CC evaluator action element.
  • Conditions for a fail verdict are defined as an evaluator completion of the CC evaluator action element and determination that the requirements for the PP, ST, or TOE under evaluation are not met. 

All verdicts are initially inconclusive and remain so until either a pass or fail verdict is assigned. The overall verdict is pass if and only if all the constituent verdicts are also pass. If the verdict for one evaluator action element is fail then the verdicts for the corresponding assurance component, assurance class, and overall verdict are also fail.

Evaluation Example.  The following example provides three TOEs, all of which are based upon the same virtual private networking (VPN) firewall product, but which yield different evaluation results because of the differences in the STs.

Case 1.  A VPN-firewall, which is configured in such, a way that the VPN functionality is turned off. All threats in the ST are concerned with access to the safe network from the unsafe network.


Figure 1: Evaluation Context

The TOE is the VPN-firewall configured in such a way that the VPN functionality is turned off. If the administrator were to configure the firewall such that some or all VPN functions were enabled, the product would not be in an evaluated configuration; it would therefore be considered to be unevaluated, and so nothing could be stated about its security.

Case 2.  A VPN-firewall, where all threats in the ST are concerned with access to the safe network from the unsafe network.   The TOE is the entire VPN-firewall. The VPN functions are part of the TOE, so one of the things to be determined during the evaluation would be whether there are means to gain access to the safe network from the unsafe network through the VPN functions.

Case 3: A VPN-firewall, where all threats in the ST are concerned with either access to the safe network from the unsafe network or confidentiality of traffic on the unsafe network.  The TOE is the entire VPN-firewall. The VPN functions are part of the TOE, so one of the things to be determined during the evaluation would be whether the VPN functions permit the realization of any of the threats described in the ST. 

CC / CEM Relationship.  CC validation is based on the evaluation criteria, the evaluation method as well as the evaluation scheme as shown in Figure 1. There is a distinct mapping between the CC specifications with the activities in the CEM as shown in Figure 2. Different parties involved in the CC validation may use the mapping in order to cross-validate correctness and completeness of the validation and the validation methodology.


Figure 2: Mapping of CC and CEM structures