This paper discusses how evaluated products can be combined to produce trusted systems which meet the requirements specified in a procurement document, thereby modifying, adapting, or eliminating portions of the composing product's TCB. Frequently, the requirements specified necessitate changes to the product TCBs. Because the product's rating may be invalidated when the product's TCB is changed without understanding, justification, and review; system-level assurances are necessary to compensate for the changes. It is the responsibility of the system integrator/system designer to do the utmost to retain and not invalidate the product rating. However, even with this possible invalidation, the use of an evaluated product in a system provides the knowledge that the original product was scrutinized, and those portions of the product that are not changed continue to retain that scrutiny for the correctness of processing. Therefore, even if a product's TCB must be modified, adapted, or portions eliminated, the use of an evaluated product in a system development is advantageous over the use of a non-evaluated product for the similar functionality. The combination of unequal security qualified components to build a system is another dilemma in the integration process which will not be discussed in this paper.
NCSC TECHNICAL REPORT-003