This article is from the Computer Security Evaluation FAQ, by Trusted Product Evaluation Program TPEP@dockmaster.ncsc.mil.
The length of time a developer needs to prepare for an
Intensive Preliminary Technical Review (IPTR) varies
considerably. The IPTR is a short (one to two week) assessment
of the state of the product documentation and testing. A
successfull IPTR ensures that the materials needed for
evaluation are complete and usable. Currently, we expect
successful evaluations at the C2/B1 class to take approximately
one year to complete from successful IPTR to final technical
review. IPTRs should ideally take place approximately eight
months before product release for a typical C2/B1 product, and
even earlier in the product cycle for products targeted at B2,
B3 or A1. We continue to explore ways to reduce the time
required. Higher class evaluations take longer, although this
is somewhat mitigated by the fact that the TPEP is usually
involved earlier in the design process for systems at
relatively higher classes. Problems during evaluation, changes
in the configuration the vendor is planning to market, and
system complexity can all add to the length of evaluation.
Vendors participating in the RAMP (Rating Maintenance) process
can perform analysis of changes to an already evaluated system
to maintain the evaluated rating on subsequent versions and
configurations. The length of time to obtain a RAMP rating is
largely dependent on the vendor and on the nature and
complexity of the change. However, it is reasonable to expect
this RAMP to take far less time than an evaluation.
 
Continue to: