Assurance Continuity: What and How?
Nithya Rachamadugu, September 25, 2007
© Copyright 2005 CygnaCom Solutions 2
Topics
• Introduction
• History
• Process
• Maintenance Path
• Re-evaluation Path
• Impact Analysis Report
• Input to Impact Analysis Report
• Output from Impact Analysis Report
Topics (contd.)
• Guidance to Developers
• Developer Issues
• Scheme Questions/Issues
• Assurance Maintenance Statistics
• References
• Contact Information
Introduction
“The purpose of Assurance Continuity is to enable developers to provide assured products to the IT consumer community in a timely and efficient manner.” [From Assurance Continuity: CCRA Requirements v1.0, February 2004]
Why?
• Keep certificate current
• Certificate to match the latest TOE, process and environment
• Certificate to address changes in company information
• Re-use evidence and results from previous evaluation
Introduction (contd.)
• Recognized by the CCRA members
• Valid for EAL1-EAL4 evaluations
History
• CC version 2.1, August 1999 – AMA class
• Separate class
• Dependencies on class (ALC, ACM, AMA)
• Difficult to follow and understand
• CC version 2.2, January 2004 – AMA class dropped
• February 2004 – Assurance Continuity v1.0, with CC V2.3
Assurance Continuity Process
• Developer assesses the changes to the evaluated TOE
• Developer updates the affected documents
• Developer writes Impact Analysis Report listing the updated documents, description of changes and a verdict
• Developer ensures that changes have no adverse effect on the Security assurance of the changed TOE
• Scheme confirms Maintenance/Re-evaluation path
• Scheme updates the validated product list entry
• If applicable, scheme issues new certificate
Impact Analysis Report is a scheme-defined document listing the changes to the TOE and testing conducted by the developer.
Assurance Process [From Assurance Continuity: CCRA Requirements v1.0, February 2004]
Assurance continuity
Types of Assurance Continuity
• Assurance Maintenance
“Maintenance refers to the process of recognising that a set of one or more changes made to a certified TOE have not adversely affected assurance in that TOE.”
• Assurance Re-evaluation
“Re-evaluation refers to the process of recognising that changes made to a certified TOE require independent evaluator activities to be performed in order to establish a new assurance baseline. Re-evaluation seeks to reuse results from a previous evaluation.”
Assurance Maintenance
• Minor changes to TOE
• Assurance affirmed by developer
• No new certificate
Examples
- Minor updates to the product not related to security
- Minor bug fixes
- Process oriented changes
- Company information changes
Assurance Re-evaluation
• Changes to TOE that are not minor
• Assurance Re-evaluated by an independent Lab
• New certificate
• Impact Analysis Report not required (but helps)
Examples
- Security related updates to the evaluated TOE
- Bug fixes
- Many small changes
- New interfaces/ADV changes
- Years since last certification
- Upgrading EAL level
Impact Analysis Report
• Records the analysis of the impact of changes to the certified TOE
• Generated by the developer requesting a maintenance addendum
• Submitted to the Scheme
• Impact Analysis Report format
- Introduction
- Description of changes
- Developer evidence changed (identify)
- Description of evidence changed
- Conclusion with verdict
- Annex: Updated evidence
Input to Assurance Continuity
• Impact Analysis Report (optional but recommended)
• Updated ST
• Updated evidence documents
• Updated ETR (Re-evaluation)
• From previous evaluation:
- Certificate
- Certification report
- ETR
- ST
Output from Assurance Continuity
• Scheme report
- Maintenance Report
- Certification Report (Re-evaluation path)
• Updated certificate (Re-evaluation only)
• Updated Validated Product List
• Updated ST (posted on the web)
• Certified TOE
Guidance to Developers
• Build maintenance process during initial evaluation
• Keep good documentation on changes to the product
• Update all related evidence as TOE changes
• Conduct some testing before submitting Impact Analysis Report
• Not all products need to be re-evaluated; check with the scheme
• Often Labs write the IAR
Developer Issues [US experience based]
• Dilemma on the choice of the continuity path
• Scheme may disagree with developer’s verdict
• Cost/effort before scheme’s decision
• Maintenance/re-evaluation decision is subjective
• Re-evaluation by the same Lab
• Unpredictable cost
• Every case is different
• Assurance Continuity for higher levels not available
Scheme Questions/Issues
• Changes to crypto: Maintenance or Re-evaluation?
• Assurance Continuity from the same scheme
• Certificate update to EAL5 or higher - not under MRA
• Scheme variations on Maintenance/Re-evaluation
• How much is too much? [% change?]
• Assurance Continuity when PP gets outdated
• Assurance Continuity for products evaluated under v2.x (ST format, Assurance requirement changes in v3.x)
• Effect of new scheme Policies on re-evaluations
CCEVS Statistics on Assurance Continuity [US Scheme based]
• 217 evaluated products (Dec. 1998 - Aug. 2007)
• 23 Assurance Continuity: 10 EAL2, 2 EAL3, 11 EAL4
• First evaluation – Dec. 1998
• First Assurance Continuity evaluation completed – July 2003
• 15 products went through Assurance Continuity
• Some products had multiple revisions
• Product types: Firewall, IDS/IPS, Switch, Router, Network Management, Web Server, Sensitive Data Protection
CC References
• Common Criteria for Information Technology Security Evaluation
- Part 3 Security Assurance Requirements, August 1999, version 2.1
• Assurance Continuity: CCRA Requirements v1.0 – February 2004
Questions : ???
Thank you!
Contact: Nithya Rachamadugu Director, CygnaCom CCTL [email protected] 703-270-3551