The Applicant (mostly an organization) wants to get into an IDS, therefore he needs to make sure that the components he uses as well as his operational environment are IDS compliant and therefore certified. He can approach either the IDSA directly in order to find a suitable Evaluation Facility that carry out the assessment in order get certified, or he can find an EF on its own. The Applicant will need to provide all necessary documents and access to relevant material to the Evaluation Facility to get assessed and evaluated. In the end, the Applicant will receive an evaluation report from the EF with which he can request the certificate at the Certification Body (CB). In case of a positive result, the Applicant gets an IDS certificate from the CB and additionally, the x.509 certificate from the Certificate Authority (CA).
The Evaluation Facility carries out the actual assessment of the Applicant’s components or operational environment. In most cases, other EFs perform the evaluation of the components than those of the Operational Environment. To become an EF, the organization must go through the IDS approval process for IDS Evaluation Facilities. This process is carried out by the IDS Certification Body and needs to be repeated after 2 years. To ensure that the Evaluation Facilities incorporate all changes concerning the certification, ad-hoc audits may take place, organizes by the CB.
The Certification Body is responsible for:
• The approval and re-approval of the Evaluation Facilities
• The monitoring of the evaluation carried out by the EF on a regular basis (ensuring that EF is testing on latest requirements, etc.)
• Issuing the certificate to the Applicant
• Notifying the CA that the digital certificate can be issued to the Applicant
The first Certification Body will be run within the IDSA, as a separated section, assigning an external expert to carry out the approval of EF and other technical related tasks.
The Certificate Authority (CA) will be notified by the CB if a positive evaluation of the Applicant took place and issues the digital x.509 certificate to the Applicant directly.