Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007


© Copyright 2005 CygnaCom Solutions 2

Topics

• Introduction

• History

• Process

• Maintenance Path

• Re-evaluation Path

• Impact Analysis Report

• Input to Impact Analysis Report

• Output from Impact Analysis Report


Topics (contd.)

• Guidance to Developers

• Developer Issues

• Scheme Questions/Issues

• Assurance Maintenance Statistics

• References

• Contact Information


Introduction

“The purpose of Assurance Continuity is to enable developers to provide assured products to the IT consumer community in a timely and efficient manner.” [From Assurance Continuity: CCRA Requirements v1.0, February 2004]

Why?

• Keep certificate current

• Certificate to match the latest TOE, process and environment

• Certificate to address changes in company information

• Re-use evidence and results from previous evaluation


Introduction (contd.)

• Recognized by the CCRA members

• Valid for EAL1-EAL4 evaluations


History

• CC version 2.1, August 1999 – AMA class

• Separate class

• Dependencies on class (ALC, ACM, AMA)

• Difficult to follow and understand

• CC version 2.2, January 2004 – AMA class dropped

• February 2004 – Assurance Continuity v1.0, with CC V2.3


Assurance Continuity Process

• Developer assesses the changes to the evaluated TOE

• Developer updates the affected documents

• Developer writes Impact Analysis Report listing the updated documents, description of changes and a verdict

• Developer ensures that changes have no adverse effect on the Security assurance of the changed TOE

• Scheme confirms Maintenance/Re-evaluation path

• Scheme updates the validated product list entry

• If applicable, scheme issues new certificate

The Impact Analysis Report is a scheme-defined document listing the changes to the TOE and the testing conducted by the developer.


Assurance Process [From Assurance Continuity: CCRA Requirements v1.0, February 2004]


Assurance continuity

Types of Assurance Continuity

• Assurance Maintenance

“Maintenance refers to the process of recognising that a set of one or more changes made to a certified TOE have not adversely affected assurance in that TOE.”

• Assurance Re-evaluation

“Re-evaluation refers to the process of recognising that changes made to a certified TOE require independent evaluator activities to be performed in order to establish a new assurance baseline. Re-evaluation seeks to reuse results from a previous evaluation.”


Assurance Maintenance

• Minor changes to TOE

• Assurance affirmed by developer

• No new certificate

Examples

- Minor updates to the product not related to security

- Minor bug fixes

- Process oriented changes

- Company information changes


Assurance Re-evaluation

• Changes to TOE that are not minor

• Assurance Re-evaluated by an independent Lab

• New certificate

• Impact Analysis Report not required (but helps)

Examples

- Security related updates to the evaluated TOE

- Bug fixes

- Many small changes

- New interfaces/ADV changes

- Years since last certification

- Upgrading EAL level


Impact Analysis Report

• Records the analysis of the impact of changes to the certified TOE

• Generated by the developer requesting a maintenance addendum

• Submitted to the Scheme

• Impact Analysis Report format

- Introduction

- Description of changes

- Developer evidence changed (identify)

- Description of evidence changed

- Conclusion with verdict

- Annex: Updated evidence


Input to Assurance Continuity

• Impact Analysis Report (optional but recommended)

• Updated ST

• Updated evidence documents

• Updated ETR (Re-evaluation)

• From previous evaluation:

- Certificate

- Certification report

- ETR

- ST


Output from Assurance Continuity

• Scheme report

- Maintenance Report

- Certification Report (Re-evaluation path)

• Updated certificate (Re-evaluation only)

• Updated Validated Product List

• Updated ST (posted on the web)

• Certified TOE


Guidance to Developers

• Build maintenance process during initial evaluation

• Keep good documentation on changes to the product

• Update all related evidence as TOE changes

• Conduct some testing before submitting Impact Analysis Report

• Not all products need to be re-evaluated, check with the scheme

• Often Labs write the IAR


Developer Issues [US experience based]

• Dilemma on the choice of the continuity path

• Scheme may disagree with developer’s verdict

• Cost/effort before scheme’s decision

• Maintenance/re-evaluation decision is subjective

• Re-evaluation by the same Lab

• Unpredictable cost

• Every case is different

• Assurance Continuity for higher levels not available


Scheme Questions/Issues

• Changes to crypto: Maintenance or Re-evaluation?

• Assurance Continuity from the same scheme

• Certificate update to EAL5 or higher - not under MRA

• Scheme variations on Maintenance/Re-evaluation

• How much is too much? [% change?]

• Assurance Continuity when PP gets outdated

• Assurance Continuity for products evaluated under v2.x (ST format, Assurance requirement changes in v3.x)

• Effect of new scheme Policies on re-evaluations


CCEVS Statistics on Assurance Continuity [US Scheme based]

• 217 evaluated products (Dec. 1998 – Aug. 2007)

• 23 Assurance Continuity: 10 EAL2, 2 EAL3, 11 EAL4

• First evaluation – Dec. 1998

• First Assurance Continuity evaluation completed – July 2003

• 15 products went through Assurance Continuity

• Some products had multiple revisions

• Product types: Firewall, IDS/IPS, Switch, Router, Network Management, Web Server, Sensitive Data Protection


CC References

• Common Criteria for Information Technology Security Evaluation

- Part 3 Security Assurance Requirements, August 1999, version 2.1

• Assurance Continuity: CCRA Requirements v1.0 – February 2004


Questions : ???

Thank you!

Contact: Nithya Rachamadugu, Director, CygnaCom CCTL, [email protected], 703-270-3551