The specific IT product being evaluated is referred to as the Target of Evaluation (TOE). The security requirements for that product are described in its security target. The DEVELOPERS write the security target. The DEVELOPERS write the scenarios. So, do you think they are going to pass evaluation? Can't think of one product that was put forward for validation that was then denied during the testing phase. Read it once?--Do it every day and still get a kick out of it :)--helps me get to sleep at night. Gov. entities are required by NSTISSP #11 and DoDI 8500.2 to purchase Common Criteria validated products, but that does not mean they are secure. Almost like saying Common Criteria = Good Security as MCSE = Good sysAdmin. Do we really believe that? Agree w/ Tom -- Certs are only face value.