History
- Priority
- must
- Nov 2018
- Removed
- Removed due to it leading to a perception that using unevaluated products is risky.
- 2017
- Agencies must not use unevaluated products, unless the risks have been appropriatelyaccepted and documented.
- 2015
- Agencies must not use unevaluated products, unless the risks have been appropriatelyaccepted and documented.
- 2010
- When choosing a product agencies must document the justification for any decision to choose a productthat has not completed an evaluation and accept any security risk introduced by the use of such a product.
- 2008
- When choosing a product, agencies must document: a. the desired degree of assurance in the product’s key functions b. the actual degree of assurance provided by the chosen product, based on the level of evaluation it has received for its key functions c. justification for any decisions to drop to the next level in the defined selection order of preference d. acknowledgement and acceptance of any risk introduced by the use of a product of lower assurance than desired, particularly if using a product that has not, and might never, complete all relevant evaluation processes.