This article is from the Computer Security Evaluation FAQ, by Trusted Product Evaluation Program TPEP@dockmaster.ncsc.mil.
If an evaluated product does not seem to meet the requirements,
the first thing to do is carefully look at the Final Evaluation
Report (FER) and the product's Trusted Facility Manual (TFM).
The product was evaluated with specific configuration options and
on specific hardware. These should be stated in the TFM and FER
respectively. If the evaluated configuration still seems to not
meet some requirement for its rated class, then it is possible that
there was an oversight during the evaluation. You can send that
information to email@example.com and we may investigate the