This website uses cookies. By continuing to browse this website, you accept our use of cookies and our Cookie Policy. Close

Francisco Partners to Acquire Forcepoint from Raytheon Technologies.

Common Criteria Evaluation vs Assessment & Authorization - The Alphabet Soup Decoded

Vendors who claim that their product(s) are “authorized by DIA,” “certified by NSA” or other similar claims are technically inaccurate. In reality, their product is part of an authorized system.

The Common Criteria Evaluation and Validation Scheme (CCEVS) and the U.S. Government Assessment & Authorization (A&A) processes address product risk independent of and inside of an environment, respectively. Although few in number, the differentiating features of these two processes are significant, and understanding these formal approaches toward risk management is critical.

Important Comparison Points Between CCVES and A&A Include:

  • Products can be Evaluated, but not Authorized
  • The Two Processes are Independent
  • Separate Technical Testing is Required
  • Separate Approval Bodies Between Evaluation and A&A
  • Separate Approval Bodies within Assessment