previous page: 33  How do I get my product evaluated? (Computer Security Evaluation)
page up: Computer Security Evaluation FAQ
next page: 35  How long does an evaluation take? (Computer Security Evaluation)

34 What is the evaluation process? (Computer Security Evaluation)


This article is from the Computer Security Evaluation FAQ, by Trusted Product Evaluation Program TPEP@dockmaster.ncsc.mil.

34 What is the evaluation process? (Computer Security Evaluation)

The evaluation process is described in detail at
<http://www.radium.ncsc.mil/tpep/process/procedures.html> In
general terms, a successful evaluation proceeds through the
following stages:

Proposal Review

A product proposal, submitted by a vendor for consideration of
evaluation by TPEP is reviewed for two purposes. The first is
to determine the potential market benefits of accepting the
product for evaluation (i.e., the DoD customer base). The
market analysis is performed based upon both the vendor's proposal
and upon TPEP customer input, which is actively solicited on a
regular basis. The second part of the proposal review is to
determine, at a very preliminary level, if the product appears
to provide feasible security mechanisms such that the requirements
of the TCSEC can be satisfied. Once the review of the product
proposal is completed, the vendor is notified in writing of the
acceptance or rejection of the product for evaluation.

Technical Assessment

Products whose proposals were recommended as "accept" are
considered candidates for evaluation and proceed to the next
step in pre-evaluation, the Technical Assessment (TA), where
a vendor must demonstrate that the product design and the
associated evaluation evidence are complete. A TA is often
the first examination of the product and the evidence by a
technical evaluation team. Vendors may have excellent and
complete documentation, indicating a readiness to undergo an
Intensive Preliminary Technical Review (IPTR) which is the
gateway to evaluation when successfully completed. Advice may
be recommended based on readiness.


The purpose of advice is to aid the vendor in producing a product
and supporting documentation that is capable of being evaluated
against the TCSEC and its interpretations. Advice can be provided
by contractors outside of TPEP or TPEP evaluators may be assigned
to advise the vendor. TPEP-provided advice begins after a vendor
has submitted a proposal and a technical assessment has been
performed that deemed the product suitable for evaluation, but
not yet ready for an IPTR.

Intensive Preliminary Technical Review (IPTR)

The IPTR is an independent assessment by the TPEP evaluators to
determine a product's readiness for evaluation. An IPTR lasts
for approximately 7-10 days and is performed by a team of
approximately 5 TPEP evaluators. During the IPTR, which is
usually held at the vendor's site, the team becomes familiar with
the product (through vendor presentations); reviews documentation,
test plans, and procedures; and documents its findings in a report.
The IPTR report is provided to the vendor and TPEP management and
documents the team's assessment of the product's readiness for
evaluation. Completion of a successful IPTR results in the
product moving into evaluation (pending availability of TPEP
evaluation resources).


Evaluation is the comprehensive technical analysis of a product's
security functionality. At the beginning of evaluation, the
vendor provides the evaluation team with system level, developer-
oriented training for the product. Training is followed by
analysis of the product design, focusing specifically on security
features. This analysis includes both hardware and software
components of the product and associated documentation. Testing
of the product involves running the vendor's test suite, as well
as tests formulated by the evaluation team. Upon successful
completion of testing and rigorous technical reviews by senior
members of the evaluation community, the product is awarded an
Evaluated Products List (EPL) entry.

Rating Maintenance Phase (RAMP)

RAMP provides a mechanism for a vendor to maintain the TCSEC
rating of a product throughout its life cycle. During RAMP,
the vendor works with the TPEP assigned Technical Point of
Contact (TPOC) to analyze the security impact of proposed changes
to the evaluated product. The Vendor Security Analyst (VSA)
actually performs the security analysis of the product changes
as they occur. The changes and associated analysis results are
presented to a TPEP Technical Review Board (TRB) which recommends
approval (or disapproval) of the rating for the "new" product.


Continue to:

previous page: 33  How do I get my product evaluated? (Computer Security Evaluation)
page up: Computer Security Evaluation FAQ
next page: 35  How long does an evaluation take? (Computer Security Evaluation)