[jnwatson]

The assumptions about environment and the system-under-test has been the Achilles' heel in any certification I've been part of.

It isn't like the CC folks aren't aware of the problem. The idea was that the Security Target (definition of the system) could declare conformance to a standardized Protection Profile which consumers could use as a shortcut to understanding what was promised.

However, nobody looks at STs nor PPs except the vendor and the certifier, so all that work is for naught. You could absolutely get a CC cert with the environment that it is unplugged from a network.

[ralph84]

Just like almost every FIPS 140 validated crypto module has a "FIPS mode" that is what was validated but is never actually used in production, even by government customers.

[jnwatson]

I'm unfortunately quite familiar with that.

Beyond getting slower updates, etc, FIPS mode has the unintentional side effect of being the "look at me I have interesting stuff" flag for potential attackers. It is usually quite easy to determine remotely that a networked device is in FIPS mode, too (due to allowed crypto protocols, etc).