What does DoD Directive 8500.2 say about CC?
Feel free to read it, however, to paraphrase section E3.2.5: If there is a certified product, you must use it. If there is no product that’s certified, it should be “in evaluation.” If there is no product in evaluation, a commitment from the vendor to evaluate should be made before you buy. If there is no defined protection profile for a product class (eg. VMware), the vendor should create a security target and have it evaluated.