ABSTRACT

This chapter explains how to verify a security solution, whether a system or a commercial “off the shelf” (COTS) product, using the Common Criteria/Common Evaluation Methodology (CC/CEM). The conduct of security assurance activities is examined in detail, in particular why, how, when, and by whom these activities are carried out. Guidance is provided on how to interpret the results of security assurance activities. The relationship between these activities and a generic system lifecycle, a generic procurement process, and system certification and accreditation (C&A) is explained. Finally, the role of security assurance activities in ongoing system operations and maintenance is highlighted.