Aerospace plays an active and vital role in the evaluation of security claims for commercial computing and computer-based products under the Common Criteria for Information Technology Security Evaluation. The Common Criteria defines a formal vocabulary for stating security and assurance requirements that allows a third-party investigator to ascertain whether a product actually meets those requirements.
In the United States, the agency responsible for these evaluations is the Common Criteria Evaluation and Validation Scheme, jointly managed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). A vendor submits a product and a description of its security functions (called a security target) to a certified testing laboratory, which tests and analyzes the product according to Common Criteria procedures and reports its findings to the Scheme, which issues the certificate. The work of the labs is monitored by teams of validators (drawn from the FFRDC community) to ensure that it is performed properly and that the resulting conclusions are correct. Eleven information assurance experts from Aerospace serve as validators.
Aerospace has been providing security certification services to the government since 1985, initially performing security evaluations in the NSA's Trusted Product Evaluation Program in accordance with the Trusted Computer System Evaluation Criteria (colloquially known as the "Orange Book"). Developed by the Department of Defense, these criteria were formally synthesized with corresponding criteria of other countries during the 1990s and issued as the Common Criteria.
As members of the development team, Aerospace personnel played a major role in writing the Common Criteria. In 1998, the United States signed an international mutual recognition agreement and subsequently created the Common Criteria Evaluation and Validation Scheme to enable evaluations by commercial laboratories. The original Aerospace evaluators became validators, and the company has maintained and extended its technological expertise in the process of formal government-sanctioned security evaluation.