National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
for the
Cisco Aggregation Services Router 1004 (ASR1K)
Report Number: CCEVS-VR-10950-2019
Dated: May 20, 2019
Version: 1.0
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6940
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940
®
TM
2
ACKNOWLEDGEMENTS
Validation Team
Paul Bicknell
John Butterworth
Jenn Dotson
Sheldon Durrant
Lisa Mitchell
Linda Morrison
Claire Olin
The MITRE Corporation
Common Criteria Testing Laboratory
Ken Lasoski
Natasha Mathias
Kevin Zhang
Acumen Security, LLC
3
Table of Contents
1 Executive Summary............................................................................................................... 4
2 Identification .......................................................................................................................... 5
3 Architectural Information .................................................................................................... 6
4 Security Policy........................................................................................................................ 7
5 Assumptions, Threats & Clarification of Scope................................................................ 10
5.1 Assumptions....................................................................................................................................................................10
5.2 Threats .............................................................................................................................................................................11
5.3 Clarification of Scope...................................................................................................................................................13
6 Documentation..................................................................................................................... 15
7 TOE Evaluated Configuration ........................................................................................... 16
7.1 Evaluated Configuration.............................................................................................................................................16
7.2 Excluded Functionality................................................................................................................................................17
8 IT Product Testing............................................................................................................... 18
8.1 Developer Testing..........................................................................................................................................................18
8.2 Evaluation Team Independent Testing ...................................................................................................................18
9 Results of the Evaluation..................................................................................................... 19
9.1 Evaluation of Security Target....................................................................................................................................19
9.2 Evaluation of Development Documentation ..........................................................................................................19
9.3 Evaluation of Guidance Documents.........................................................................................................................19
9.4 Evaluation of Life Cycle Support Activities ..........................................................................................................19
9.5 Evaluation of Test Documentation and the Test Activity ..................................................................................20
9.6 Vulnerability Assessment Activity............................................................................................................................20
9.7 Summary of Evaluation Results................................................................................................................................20
10 Validator Comments & Recommendations....................................................................... 21
11 Annexes................................................................................................................................. 22
12 Security Target..................................................................................................................... 23
13 Glossary ................................................................................................................................ 24
14 Bibliography......................................................................................................................... 25
4
1 Executive Summary
This Validation Report (VR) is intended to assist the end user of this product and any security
certification Agent for that end user in determining the suitability of this Information Technology
(IT) product for their environment. End users should review the Security Target (ST), which is
where specific security claims are made, in conjunction with this VR, which describes how those
security claims were tested and evaluated and any restrictions on the evaluated configuration.
Prospective users should carefully read the Assumptions and Clarification of Scope in Section 5
and the Validator Comments in Section 10, where any restrictions on the evaluated configuration
are highlighted.
This report documents the National Information Assurance Partnership (NIAP) assessment of the
evaluation of the Cisco Aggregation Services Router 1004 (ASR1K) Target of Evaluation
(TOE). It presents the evaluation results, their justifications, and the conformance claims. This
VR is not an endorsement of the TOE by any agency of the U.S. Government and no warranty of
the TOE is either expressed or implied. This VR applies only to the specific version and
configuration of the product as evaluated and documented in the ST.
The evaluation was completed by Acumen Security in May 2019. The information in this report
is largely derived from the Evaluation Technical Report (ETR) and associated test report, all
written by Acumen Security. The evaluation determined that the product is both Common Criteria
Part 2 Extended and Part 3 Conformant and meets the assurance requirements defined in the U.S.
Government Protection Profile for Security Requirements for collaborative Protection Profile for
Network Devices Version 2.0 + Errata 20180314.
The Target of Evaluation (TOE) identified in this Validation Report has been evaluated at a
NIAP approved Common Criteria Testing Laboratory using the Common Methodology for IT
Security Evaluation (Version 3.1, Rev. 4) for conformance to the Common Criteria for IT
Security Evaluation (Version 3.1, Rev. 4), as interpreted by the Assurance Activities contained in
the NDcPP v2.0e. This Validation Report applies only to the specific version of the TOE as
evaluated. The evaluation has been conducted in accordance with the provisions of the NIAP
Common Criteria Evaluation and Validation Scheme and the conclusions of the testing
laboratory in the evaluation technical report are consistent with the evidence provided.
A validation team provided guidance on technical issues and evaluation processes and reviewed
work units documented in the ETR and the Assurance Activities Report (AAR). The validation
team found that the evaluation demonstrated that the product satisfies all of the functional
requirements and assurance requirements stated in the Security Target (ST). Based on these
findings, the validation team concludes that the testing laboratory's findings are accurate, the
conclusions justified, and the conformance claims are correct. The conclusions of the testing
laboratory in the evaluation technical report are consistent with the evidence produced.
5
2 Identification
The CCEVS is a joint National Security Agency (NSA) and National Institute of
Standards effort to establish commercial facilities to perform trusted product evaluations.
Under this program, security evaluations are conducted by commercial testing
laboratories called Common Criteria Testing Laboratories (CCTLs). CCTLs evaluate
products against Protection Profile containing Assurance Activities, which are
interpretation of CEM work units specific to the technology described by the PP.
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality
and consistency across evaluations. Developers of information technology products
desiring a security evaluation contract with a CCTL and pay a fee for their product's
evaluation. Upon successful completion of the evaluation, the product is added to NIAP's
Product Compliance List.
The following table provides information needed to completely identify the product and its
evaluation.
Table 1: Evaluation Identifiers
Item Identifier
Evaluation Scheme United States NIAP Common Criteria Evaluation and Validation Scheme
TOE Cisco Aggregation Services Router 1004 (ASR1K)
Protection Profile collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
Security Target Cisco Aggregation Services Router 1004 (ASR1K) Security Target, Version 1.0, 3 May
2019
Evaluation Technical
Report
Cisco Aggregation Services Router 1004 (ASR1K) Evaluation Technical Report,
Version 1.1, 26 April 2019
CC Version Version 3.1, Revision 4
Conformance Result CC Part 2 Extended and CC Part 3 Conformant
Sponsor Cisco Systems, Inc.
Developer Cisco Systems, Inc.
Common Criteria
Testing Lab (CCTL)
Acumen Security
Rockville, MD
CCEVS Validators Paul Bicknell
John Butterworth
Jenn Dotson
Sheldon Durrant
Lisa Mitchell
Linda Morrison
Claire Olin
6
3 Architectural Information
The Cisco Aggregation Services Router 1004 (herein after referred to as the ASR1K) is a
purpose-built, routing platform. It performs analysis of incoming frames, makes forwarding
decisions based on information contained in the frames, and forwards the frames toward the
destination. It supports routing of traffic based on tables identifying available routes, conditions,
distance, and costs to determine the best route for a given packet.
Cisco IOS-XE software is a Cisco-developed highly configurable proprietary operating system
that provides for efficient and effective switching and routing. Although IOS performs many
networking functions, this Security Target only addresses the functions that provide for the
security of the TOE itself.
7
4 Security Policy
The TOE is comprised of several security features. Each of the security features identified above
consists of several security functionalities, as identified below.
1. Security Audit
2. Cryptographic Support
3. Identification and Authentication
4. Security Management
5. Protection of the TSF
6. TOE Access
7. Trusted Path/Channels
These features are described in more detail in the subsections below.
Security Audit
The TOE provides extensive auditing capabilities. The TOE can audit events related to
cryptographic functionality, identification and authentication, and administrative actions. The
TOE generates an audit record for each auditable event. Each security relevant audit event has
the date, timestamp, event description, and subject identity. The administrator configures
auditable events, performs back-up operations and manages audit data storage. The TOE
provides the administrator with a circular audit trail or a configurable audit trail threshold to
track the storage capacity of the audit trail. Audit logs are backed up over an encrypted channel
to an external audit server.
Cryptographic Support
The TOE provides cryptography in support of other TOE security functionality. All the
algorithms claimed have CAVP certificates (Operation Environment - Intel Xeon 5200). The
TOE provides cryptography in support of VPN connections and remote administrative
management via SSHv2 and IPsec to secure the transmission of audit records to the remote
syslog server. In addition, IPsec is used to secure the session between the TOE and the
authentication servers.
Identification and authentication
The TOE performs two types of authentication: device-level authentication of the remote device
(VPN peers) and user authentication for the Authorized Administrator of the TOE. Device-level
authentication allows the TOE to establish a secure channel with a trusted peer. The secure
channel is established only after each device authenticates the other. Device-level authentication
is performed via IKE/IPsec mutual authentication. The TOE supports use of IKEv1 (ISAKMP)
and IKEv2 pre-shared keys for authentication of IPsec tunnels. The IKE phase authentication for
the IPsec communication channel between the TOE and authentication server and between the
8
TOE and syslog server is considered part of the Identification and Authentication security
functionality of the TOE.
The TOE provides authentication services for administrative users to connect to the TOE’s
secure CLI administrator interface. The TOE requires Authorized Administrators to authenticate
prior to being granted access to any of the management functionality. The TOE can be
configured to require a minimum password length of 15 characters. The TOE provides
administrator authentication against a local user database. Password-based authentication can be
performed on the serial console or SSH interfaces. The SSHv2 interface also supports
authentication using SSH keys. The TOE supports the use of a RADIUS AAA server (part of the
IT Environment) for authentication of administrative users attempting to connect to the TOE’s
CLI.
The TOE provides an automatic lockout when a user attempts to authenticate and enters invalid
information. After a defined number of authentication attempts fail exceeding the configured
allowable attempts, the user is locked out until an authorized administrator can enable the user
account.
The TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for IPsec
connections.
Security Management
The TOE provides secure administrative services for management of general TOE configuration
and the security functionality provided by the TOE. All TOE administration occurs either
through a secure SSHv2 session or via a local console connection. The TOE provides the ability
to securely manage:
 Administration of the TOE locally and remotely;
 All TOE administrative users;
 All identification and authentication;
 All audit functionality of the TOE;
 All TOE cryptographic functionality;
 The timestamps maintained by the TOE;
 Update to the TOE and verification of the updates.
The TOE supports two separate administrator roles: non-privileged administrator and privileged
administrator. Only the privileged administrator can perform the above security relevant
management functions. Management of the TSF data is restricted to Security Administrators.
The ability to enable, disable, determine and modify the behavior of all of the security functions
of the TOE is restricted to authorized administrators.
Administrators can create configurable login banners to be displayed at time of login, and can
also define an inactivity timeout for each admin interface to terminate sessions after a set period
of inactivity.
9
Protection of the TSF
The TOE protects against interference and tampering by untrusted subjects by implementing
identification, authentication, and access controls to limit configuration to Authorized
Administrators. The TOE prevents reading of cryptographic keys and passwords.
Additionally, Cisco IOS-XE is not a general-purpose operating system and access to Cisco IOS-
XE memory space is restricted to only Cisco IOS-XE functions.
The TOE internally maintains the date and time. This date and time is used as the timestamp that
is applied to audit records generated by the TOE. Administrators can update the TOE’s clock
manually. Finally, the TOE performs testing to verify correct operation of the router itself and
that of the cryptographic module.
The TOE is able to verify any software updates prior to the software updates being installed on
the TOE to avoid the installation of unauthorized software.
Whenever a failure occurs within the TOE that results in the TOE ceasing operation, the TOE
securely disables its interfaces to prevent the unintentional flow of any information to or from
the TOE and reloads.
TOE Access
The TOE can terminate inactive sessions after an Authorized Administrator configurable time-
period. Once a session has been terminated the TOE requires the user to re-authenticate to
establish a new session. Sessions can also be terminated if an Authorized Administrator enters
the “exit” command.
The TOE can also display a Security Administrator specified banner on the CLI management
interface prior to allowing any administrative access to the TOE.
Trusted path/Channels
The TOE allows trusted paths to be established to itself from remote administrators over SSHv2,
and initiates outbound IPsec tunnels to transmit audit messages to remote syslog servers. In
addition, IPsec is used to secure the session between the TOE and the authentication servers.
The TOE can also establish trusted paths of peer-to-peer IPsec sessions. The peer-to-peer IPsec
sessions can be used for securing the communications between the TOE and authentication
server/syslog server.
10
5 Assumptions, Threats & Clarification of Scope
5.1 Assumptions
The specific conditions listed in the following subsections are assumed to exist in the TOE’s
environment. These assumptions include both practical realities in the development of the TOE
security requirements and the essential environmental conditions on the use of the TOE.
Table 2 TOE Assumptions
Assumption Assumption Definition
A.PHYSICAL_PROTECTION The network device is assumed to be physically protected in its
operational environment and not subject to physical attacks that
compromise the security and/or interfere with the device’s physical
interconnections and correct operation. This protection is assumed to
be sufficient to protect the device and the data it contains.As a
result, the cPP will not include any requirements on physical tamper
protection or other physicalattack mitigations. The cPP will not
expect the product to defend against physical access to the device
that allows unauthorized entities to extract data, bypass other
controls, or otherwise manipulate the device.
A.LIMITED_FUNCTIONALITY The device is assumed to provide networking functionality as its
core function and not provide functionality/ services that could be
deemed as general purpose computing. For example the device
should not provide computing platform for general purpose
applications (unrelated to networking functionality).
A.NO_THRU_TRAFFIC_PROTECTION A standard/generic network device does not provide any assurance
regarding the protection of traffic that traverses it. The intent is for
the network device to protect data that originates on or is destined to
the device itself, to include administrative data and audit data.
Traffic that is traversing the network device, destined for another
network entity, is not covered by the ND cPP. It is assumed that this
protection will be covered by cPPs for particular types of network
devices (e.g, firewall).
A.TRUSTED_ADMINISTRATOR The Security Administrator(s) for the network device are assumed to
be trusted and to act in the best interest of security for the
organization. This includes being appropriately trained, following
policy, and adhering to guidance documentation. Administrators are
trusted to ensure passwords/credentials have sufficient strength and
entropy and to lack malicious intent when administering the device.
The network device is not expected to be capable of defending
11
Assumption Assumption Definition
against a malicious administrator that actively works to bypass or
compromise the security of the device.
A.REGULAR_UPDATES The network device firmware and software is assumed to be updated
by an administrator on a regular basis in response to the release of
product updates due to known vulnerabilities.
A.ADMIN_CREDENTIALS_SECURE The administrator’s credentials (private key) used to access the
network device are protected by the platform on which they reside.
A.RESIDUAL_INFORMATION The Administrator must ensure that there is no unauthorized access
possible for sensitive residual information (e.g. cryptographic keys,
keying material, PINs, passwords etc.) on networking equipment
when the equipment is discarded or removed from its operational
environment.
5.2 Threats
The following table lists the threats addressed by the TOE and the IT Environment. The
assumed level of expertise of the attacker for all the threats identified below is Enhanced-Basic.
Table 3 Threats
Threat Threat Definition
T.UNAUTHORIZED_ADMINISTRATOR_ACCESS Threat agents may attempt to gain administrator access
to the network device by nefarious means such as
masquerading as an administrator to the device,
masquerading as the device to an administrator,
replaying an administrative session (in its entirety, or
selected portions), or performing man-in-the-middle
attacks, which would provide access to the
administrative session,orsessions between network
devices. Successfully gaining administrator access
allows malicious actions that compromise the security
functionality of the device and the network on which it
resides.
12
Threat Threat Definition
T.WEAK_CRYPTOGRAPHY Threat agents may exploit weak cryptographic
algorithms or perform a cryptographic exhaust against
the key space. Poorly chosen encryption algorithms,
modes, and key sizes will allow attackers to compromise
the algorithms, or brute force exhaust the key space and
give them unauthorized access allowing them to read,
manipulate and/orcontrol the traffic with minimal
effort.
T.UNTRUSTED_COMMUNICATION_CHANNELS Threat agents may attempt to target network devices that
do not use standardized secure tunneling protocols to
protect the critical network traffic. Attackers may take
advantage of poorly designed protocols or poor key
management to successfully perform man-in-the-middle
attacks, replay attacks, etc. Successful attacks will result
in loss of confidentiality and integrity of the critical
network traffic, and potentially could lead to a
compromise of the network device itself.
T.WEAK_AUTHENTICATION_ENDPOINTS Threat agents may take advantage of secure protocols
that use weak methods to authenticate the endpoints –
e.g., shared password that is guessable or transported as
plaintext. The consequences are the same as a poorly
designed protocol, the attacker could masquerade as the
administrator or anotherdevice, and the attacker could
insert themselves into the network stream and perform a
man-in-the-middle attack. The result is the critical
network traffic is exposed and there could be a loss of
confidentiality and integrity, and potentially the network
device itself could be compromised.
T.UPDATE_COMPROMISE Threat agents may attempt to provide a compromised
update of the software or firmware which undermines
the security functionality of the device. Non-validated
updates or updates validated using non-secure or weak
cryptography leave the update firmware vulnerable to
surreptitious alteration.
13
Threat Threat Definition
T.UNDETECTED_ACTIVITY Threat agents may attempt to access,change,and/or
modify the security functionality of the network device
without administrator awareness.This could result in the
attacker finding an avenue (e.g., misconfiguration, flaw
in the product) to compromise the device and the
administrator would have no knowledge that the device
has been compromised.
T.SECURITY_FUNCTIONALITY_COMPROMISE Threat agents may compromise credentials and device
data enabling continued access to the network device
and its critical data. The compromise of credentials
include replacing existing credentials with an attacker’s
credentials, modifying existing credentials, or obtaining
the administrator or device credentials for use by the
attacker.
T.PASSWORD_CRACKING Threat agents may be able to take advantage ofweak
administrative passwords to gain privileged access to the
device. Having privileged access to the device provides
the attacker unfettered access to the network traffic, and
may allow them to take advantage ofany trust
relationships with othernetwork devices.
T.SECURITY_FUNCTIONALITY_FAILURE An external, unauthorized entity could make use of
failed or compromised security functionality and might
therefore subsequently use orabuse security functions
without prior authentication to access,change or modify
device data, critical network traffic or security
functionality of the device.
5.3 Clarification of Scope
All evaluations (and all products) have limitations, as well as potential misconceptions that need
clarifying. This text covers some of the more important limitations and clarifications of this
evaluation. Note that:
 As with any evaluation, this evaluation only shows that the evaluated configuration meets
the security claims made, with a certain level of assurance. The level of assurance for this
evaluation is defined within the NDcPP v2.0e.
14
 Consistent with the expectations of the Protection Profile, this evaluation did not
specifically search for, nor seriously attempt to counter, vulnerabilities that were not
“obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an
“obvious” vulnerability as one that is easily exploited with a minimum of understanding
of the TOE, technical sophistication and resources.
 The evaluation of security functionality of the product was limited to the functionality
specified in the claimed PPs. Any additional security related functional capabilities
included in the product were not covered by this evaluation.
15
6 Documentation
The following documents were provided by the vendor with the TOE for evaluation:
 Cisco Aggregation Services Router 1004 (ASR1K) Security Target v1.0
 Cisco Aggregation Services Router 1000 Series (ASR1K) CC Configuration Guide v1.0
16
7 TOE Evaluated Configuration
7.1 Evaluated Configuration
The TOE consists of one or more physical devices as specified in section 1.5 below and includes
the Cisco IOS-XE software. The TOE has two or more network interfaces and is connected to at
least one internal and one external network. The Cisco IOS-XE configuration determines how
packets are handled to and from the TOE’s network interfaces. The router configuration will
determine how traffic flows received on an interface will be handled. Typically, packet flows are
passed through the internetworking device and forwarded to their configured destination.
The following figure provides a visual depiction of an example TOE deployment.
Figure 1 TOE Example Deployment
17
The previous figure includes the following:
 Examples of TOE Models
 The following are considered to be in the IT Environment:
o VPN Peers
o Management Workstation
o Authentication Server
o Syslog Server
o CA Server
o Local Console
7.2 Excluded Functionality
The following functionality is excluded from the evaluation.
Table 4 Excluded Functionality
Excluded Functionality Exclusion Rationale
Non-FIPS 140-2 mode of operation This mode of operation includes non-FIPS allowed operations.
These services will be disabled by configuration settings as described in the Guidance documents
(AGD). The exclusion of this functionality does not affect compliance to the NDcPP v2.0e.
18
8 IT Product Testing
This section describes the testing efforts of the developer and the evaluation team. It is derived
from information contained in Evaluation Test Report for Cisco Aggregation Services Router
1004 (ASR1K), which is not publicly available. The Assurance Activities Report provides an
overview of testing and the prescribed assurance activities.
8.1 DeveloperTesting
No evidence of developer testing is required in the Assurance Activities for this product.
8.2 Evaluation Team Independent Testing
The evaluation team verified the product according the vendor-provided guidance documentation
and ran the tests specified in the NDcPPv2.0e. The Independent Testing activity is documented
in the Assurance Activities Report, which is publicly available, and is not duplicated here.
19
9 Results of the Evaluation
The results of the assurance requirements are generally described in this section and are
presented in detail in the proprietary documents: Detailed Test Report (DTR) and the Evaluation
Technical Report (ETR). The reader of this document can assume that activities and work units
received a passing verdict.
A verdict for an assurance component is determined by the resulting verdicts assigned to the
corresponding evaluator action elements. The evaluation was conducted based upon CC version
3.1 rev 4 and CEM version 3.1 rev 4. The evaluation determined the Cisco Aggregation Services
Router 1004 (ASR1K) to be Part 2 extended, and meets the SARs contained in the PP.
Additionally the evaluator performed the Assurance Activities specified in the NDPP.
The Validators reviewed all the work of the evaluation team and agreed with their practices and
findings.
9.1 Evaluation of Security Target
The evaluation team applied each ASE CEM work unit. The ST evaluation ensured the ST
contains a description of the environment in terms of policies and assumptions, a statement of
security requirements claimed to be met by the Cisco Aggregation Services Router 1004
(ASR1K) that are consistent with the Common Criteria, and product security function
descriptions that support the requirements. Additionally, the evaluator performed an assessment
of the Assurance Activities specified in the NDcPPv2.0e.
9.2 Evaluation of Development Documentation
The evaluation team assessed the design documentation and found it adequate to aid in
understanding how the TSF provides the security functions. The design documentation consists
of a functional specification contained in the Security Target's TOE Summary Specification.
Additionally, the evaluator performed the Assurance Activities specified in the NDcPPv2.0e
related to the examination of the information contained in the TOE Summary Specification.
9.3 Evaluation of Guidance Documents
The evaluation team ensured the adequacy of the user guidance in describing how to use the
operational TOE. Additionally, the evaluation team ensured the adequacy of the administrator
guidance in describing how to securely administer the TOE. The guides were assessed during the
design and testing phases of the evaluation to ensure they were complete. Additionally, the
evaluator performed the Assurance Activities specified in the NDcPPv2.0e related to the
examination of the information contained in the operational guidance documents.
9.4 Evaluation of Life Cycle Support Activities
The evaluation team found that the TOE was properly labeled with a unique identifier.
20
9.5 Evaluation of Test Documentation and the Test Activity
The evaluation team ran the set of tests specified by the Assurance Activities in the NDcPPv2.0e
and recorded the results in a Test Report, summarized in the Evaluation Technical Report and
Assurance Activities Report.
9.6 Vulnerability Assessment Activity
The evaluation team performed a public search for vulnerabilities, performed vulnerability
testing and did not discover any issues with the TOE.
9.7 Summary of Evaluation Results
The evaluation team's assessment of the evaluation evidence demonstrates that the claims in
the ST are met. Additionally, the evaluation team's test activities also demonstrated the
accuracy of the claims in the ST.
21
10 Validator Comments & Recommendations
The Validation Team suggests that the consumer pay particular attention to the evaluated
configuration of the products(s). The functionality evaluated is scoped exclusively to the security
functional requirements specified in the ST, and only the functionality implemented by the
SFR’s within the ST was evaluated. All other functionality provided by the product(s) needs to
be assessed separately and no further conclusions can be drawn about the effectiveness of the
additional functionality.
Consumers employing the devices must follow the configuration instructions provided in the
Configuration Guidance documentation listed in Section 6 to ensure the evaluated configuration
is established and maintained.
22
11 Annexes
Not applicable.
23
12 Security Target
Cisco Aggregation Services Router 1004 (ASR1K) Security Target v1.0, 6 May 2019.
24
13 Glossary
The following definitions are used throughout this document:
 Common Criteria Testing Laboratory (CCTL). An IT security evaluation facility
accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and
approved by the CCEVS Validation Body to conduct Common Criteria-based
evaluations.
 Conformance. The ability to demonstrate in an unambiguous way that a given
implementation is correct with respect to the formal model.
 Evaluation. The assessment of an IT product against the Common Criteria using the
Common Criteria Evaluation Methodology to determine whether or not the claims made
are justified; or the assessment of a protection profile against the Common Criteria using
the Common Evaluation Methodology to determine if the Profile is complete, consistent,
technically sound and hence suitable for use as a statement of requirements for one or
more TOEs that may be evaluated.
 Evaluation Evidence. Any tangible resource (information) required from the sponsor or
developer by the evaluator to perform one or more evaluation activities.
 Feature. Part of a product that is either included with the product or can be ordered
separately.
 Target of Evaluation (TOE). A group of IT products configured as an IT system, or an
IT product, and associated documentation that is the subject of a security evaluation
under the CC.
 Validation. The process carried out by the CCEVS Validation Body leading to the issue
of a Common Criteria certificate.
 Validation Body. A governmental organization responsible for carrying out validation
and for overseeing the day-to-day operation of the NIAP Common Criteria Evaluation
and Validation Scheme.
25
14 Bibliography
The Validation Team used the following documents to produce this Validation Report:
1. Common Criteria for Information Technology Security Evaluation - Part 1: Introduction
and general model, Version 3.1 Revision 4.
2. Common Criteria for Information Technology Security Evaluation - Part 2: Security
functional requirements, Version 3.1 Revision 4.
3. Common Criteria for Information Technology Security Evaluation - Part 3: Security
assurance requirements, Version 3.1 Revision 4.
4. Common Evaluation Methodology for Information Technology Security Evaluation,
Version 3.1 Revision 4.
5. Collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314.
6. Cisco Aggregation Services Router 1004 (ASR1K) Security Target, Version 1.0, 3 May
2019.
7. Cisco Aggregation Services Router 1000 Series (ASR1K) CC Configuration Guide,
Version 1.0, 15 May 2019.
8. Assurance Activity Report for Cisco Aggregation Services Router 1004 (ASR1K)
running IOS-XE 16.9, Version 1.2, 2 May 2019.
9. Test Plan for cisco Aggregation Services Router 1000 Series, Version 1.1, 26 April
2019.