in IT security expertise needed to evaluate systems applicability of Common Criteria evaluated products.

The problem of applying evaluations is not new. This problem was addressed decades ago by a massive research project that defined software features that could protect information, evaluated their strength, and mapped security features needed for specific operating environment risks. The results were documented in the Rainbow Series. Rather than separating the EAL and functional requirements,