This project is to achieve EAL4 Conformance for Deos. Any EAL certification must be done in the context of a specific security profile. The end user would usually provide the profile. However, there is one "standard" profile: GP-OSPP (General-Purpose Operating System Protection Profile) which is what we will use for the purposes of this effort.

One must use an [National_Information_Assurance_Partnership NIAP lab] to do the evaluation and declare you conformant. There is a formal submittal process and a certain timeframe for getting the product through evaluation. The lab will work with us to make sure we have all required documentation.

At a high level, to conform we would have to provide the following minimum capability:

1. Audit capability for security relevant events
2. Cryptographic Services - SSH, TLS, and IPSEC
3. Data Protection
   1. Discretionary access control
   2. Network information flow control
4. Identification and authentication
5. Management of security attributes

One option may be to do a NIAP certification to the GP-OSPP and state that it is functionally equivalent to EAL4 based on the information in Common Criteria (CC) Part 3.

CC v3.1 Release 4 consists of three parts:

• Part 1: Introduction and general model - background
• Part 2: Security functional requirements
• Part 3: Security assurance requirements

Finally, Chapter 8 defines the requirements for each EAL. There is a table that correlates requirements to EAL's.