Common Criteria Evaluation vs Assessment & Authorization - The Alphabet Soup Decoded


Vendors who claim that their product(s) are “authorized by DIA,” “certified by NSA” or other similar claims are technically inaccurate. In reality, their product is part of an authorized system.

The Common Criteria Evaluation and Validation Scheme (CCEVS) and the U.S. Government Assessment & Authorization (A&A) processes address product risk independent of and inside of an environment, respectively. Although few in number, the differentiating features of these two processes are significant, and understanding these formal approaches toward risk management is critical.

Important Comparison Points Between CCVES and A&A Include:

  • Products can be Evaluated, but not Authorized
  • The Two Processes are Independent
  • Separate Technical Testing is Required
  • Separate Approval Bodies Between Evaluation and A&A
  • Separate Approval Bodies within Assessment