An evaluated product is considered to be operating in an evaluated configuration if:
- functionality that it uses was in the scope of the evaluation and it is implemented in the specified manner
- only product updates that have been assessed through a formal assurance continuity process have been applied
- the environment complies with assumptions or organisational security policies stated in the evaluation documentation.
An evaluated product is considered to be operating in an unevaluated configuration when it does not meet the requirements of the evaluated configuration and guidance provided in its certification report.
Patching evaluated products
In the majority of cases, the latest patched version of an evaluated product will be more secure than an older unpatched version. While the application of patches will not normally place an evaluated product into an unevaluated configuration, some vendors may include new functionality, which has not been evaluated, with their patches. In such cases, organisations should use their judgement to determine whether this deviation from the evaluated configuration constitutes additional security risk or not.
Installation and configuration of evaluated products
Product evaluation provides assurance that a product’s security functionality will work as expected when operating in a clearly defined configuration. The scope of the evaluation specifies the security functionality that can be used and how a product is to be configured and operated. Using an evaluated product in an unevaluated configuration could result in the introduction of security vulnerabilities that were not considered as part of the product’s evaluation.
For Common Criteria certified products, information regarding their installation, configuration, administration and operation is available from vendors. Additional information is also available in their evaluation documentation. For high assurance ICT equipment, installation and configuration guidance can be obtained from the ACSC.
Security Control: 0289; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation.
Security Control: 0290; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC.
Use of high assurance ICT equipment in unevaluated configurations
Given the value of the information being protected by high assurance ICT equipment, it should always be operated in an evaluated configuration.
Security Control: 0292; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
High assurance ICT equipment is only operated in an evaluated configuration.
Further information on the use of ICT equipment can be found in the Guidelines for ICT Equipment.
Further information on patching can be found in the system patching section of the Guidelines for System Management.