|
|
|
|
Role of Development Process Assurance |
|
Development Process Assurance in the CC |
|
Class ACM – Configuration Management |
|
Class ALC – Lifecycle Support |
|
Class AMA – Maintenance of Assurance |
|
|
|
|
|
Evidence is produced in the context of a
development process |
|
The development process can limit the: |
|
Quality of the evidence |
|
Trustworthiness of the evidence |
|
Future reusability of the evidence |
|
|
|
|
|
|
CC institutionalizes Development Process
Assurance through 3 Assurance Classes containing 11 Assurance Families |
|
Configuration Management (ACM) |
|
Automation, Capabilities, Scope |
|
Life Cycle Support (ALC) |
|
Development Security, Flaw Remediation, Life
Cycle Definition, Tools and Techniques |
|
Maintenance of Assurance (AMA) |
|
Assurance Maintenance Plan, Component
Categorization Report, Evidence of Assurance Maintenance, Security Impact
Analysis |
|
|
|
|
|
Goal of CM is to impose discipline and control
on the processes for refining and modifying the TOE and its evidence |
|
The three Families in the Class are: |
|
Configuration Management Automation (ACM_AUT) |
|
Configuration Management Capabilities (ACM_CAP) |
|
Configuration Management Scope (ACM_SCP) |
|
|
|
|
|
Focus is on increasing the effectiveness of the
CM process |
|
Premise is that automated systems are less
susceptible to human error or negligence |
|
Two Components, levelled on how much of TOE is
subject to automated CM |
|
Partial CM Automation |
|
Complete CM Automation |
|
|
|
|
|
The developer shall use a CM system. |
|
provides automated means by which only
authorised changes are made to the TOE implementation representation. |
|
provides an automated means to support the
generation of the TOE. |
|
The developer shall provide a CM plan. |
|
Describe the automated tools used in the CM
system and how they are used. |
|
|
|
|
|
The developer shall use a CM system. |
|
provides automated means by which only
authorised changes are made to the TOE implementation representation, and
to all other configuration items. |
|
provides an automated means to support the
generation of the TOE. |
|
provides an automated means to ascertain the
changes between the TOE and its preceding version. |
|
provides an automated means to identify all
other configuration items that are affected by the modification of a given
configuration item. |
|
The developer shall provide a CM plan. |
|
Describe the automated tools used in the CM
system and how they are used. |
|
|
|
|
|
Goals of CM capabilities are to: |
|
ensure that the TOE is correct and complete
before it is sent to the consumer; |
|
ensure that no configuration items are missed
during evaluation; |
|
prevent unauthorised modification, addition, or
deletion of TOE configuration items |
|
Five Components, levelled on capabilities, scope
of CM documentation, and presence of developer justification that CM system
meets its security requirements |
|
Version Numbers |
|
Configuration Items |
|
Authorization Controls |
|
Generation Support and Acceptance Procedures |
|
Advanced Support |
|
|
|
|
|
The developer shall provide a reference for the
TOE. |
|
Unique TOE reference for each TOE version |
|
TOE shall be labelled with its reference. |
|
|
|
|
|
Developer shall use a CM system |
|
Shall uniquely identify all configuration items. |
|
Developer shall provide CM documentation. |
|
Shall include a configuration list that
describes the configuration items that comprise the TOE |
|
Shall describe the method used to uniquely
identify the configuration items |
|
|
|
|
|
Developer shall use a CM system |
|
shall provide measures such that only authorised
changes are made to the configuration items |
|
Developer shall provide CM documentation |
|
Shall include a CM Plan that describes how the
CM system is used |
|
Shall include evidence that all configuration
items have been and are being effectively maintained under the CM system
and that demonstrates that the CM system is operating in accordance with
the CM plan. |
|
|
|
|
|
Developer shall use a CM system |
|
Shall support generation of the TOE |
|
Developer shall provide CM documentation |
|
(In addition to configuration list and CM Plan)
shall include an acceptance plan that describes the procedures used to
accept modified or newly created configuration items as part of the TOE. |
|
|
|
|
|
|
Developer shall use a CM system |
|
That shall require that the person responsible
for accepting a configuration item into CM is not the person who developed
it. |
|
That shall clearly identify the configuration
items comprising TSF. |
|
That shall support the audit of all
modifications to the TOE, including as a minimum the originator, date, and
time in the audit trail. |
|
That shall be able to identify the master copy
of all material used to generate the TOE. |
|
Developer shall provide CM documentation (that) |
|
(In addition to configuration list, CM Plan, and
acceptance plan) shall include integration procedures describing how the CM
system is applied in the TOE manufacturing process |
|
Shall demonstrate that |
|
use of the CM system, together with the
development security measures, allow only authorised changes to be made to
the TOE |
|
use of the integration procedures ensures that
the generation of the TOE is correctly performed in an authorised manner |
|
CM system is sufficient to ensure that the
person responsible for accepting a configuration item into CM is not the
person who developed it. |
|
Shall justify that the acceptance procedures
provide for an adequate and appropriate review of changes to all
configuration items. |
|
|
|
|
|
Goal of CM Scope is to: |
|
ensure that the TOE implementation
representation is tracked; |
|
ensure that all necessary documentation,
including problem reports, are tracked during development and operation; |
|
ensure that configuration options (e.g. compiler
switches) are tracked; and |
|
ensure that development tools are tracked. |
|
Three Components, levelled on the basis of what
information is beingtracked by the CM system |
|
TOE CM Coverage |
|
Problem Tracking CM Coverage |
|
Development Tools CM Coverage |
|
|
|
|
|
Developer shall provide CM documentation that
shall: |
|
show that the CM system, as a minimum, tracks
the following: the TOE implementation representation, design documentation,
test documentation, user documentation, administrator documentation, and CM
documentation |
|
describe how configuration items are tracked by
the CM system |
|
|
|
|
|
Developer shall provide CM documentation that
shall: |
|
show that the CM system, as a minimum, tracks
the following: the TOE implementation representation, design documentation,
test documentation, user documentation, administrator documentation, and CM
documentation, and security flaws |
|
describe how configuration items are tracked by
the CM system |
|
|
|
|
|
Developer shall provide CM documentation that
shall: |
|
show that the CM system, as a minimum, tracks
the following: the TOE implementation representation, design documentation,
test documentation, user documentation, administrator documentation, and CM
documentation security flaws, and development tools and related information |
|
describe how configuration items are tracked by
the CM system |
|
|
|
|
|
Goal of life cycle support is to integrate and
formalize security engineering and evidence production into the development
process |
|
The four Families in the Class are: |
|
Development Security (ALC_DVS) |
|
Flaw Remediation (ALC_FLR) |
|
Life Cycle Definition (ALC_LCD) |
|
Tools and Techniques (ALC_TAT) |
|
|
|
|
|
Goal of Development Security is to establish
measures to remove or reduce threats that might exist at the developer’s
site |
|
Two Components, levelled on the basis of
justification for sufficiency of security measures |
|
Identification of Security Measures |
|
Sufficiency of Security Measures |
|
|
|
|
|
The developer shall produce development security
documentation that shall |
|
describe all the physical, procedural,
personnel, and other security measures that are necessary to protect the
confidentiality and integrity of the TOE design and implementation in its
development environment |
|
provide evidence that these security measures
are followed during the development and maintenance of the TOE |
|
|
|
|
|
|
The developer shall produce development security
documentation that shall |
|
describe all the physical, procedural,
personnel, and other security measures that are necessary to protect the
confidentiality and integrity of the TOE design and implementation in its
development environment |
|
provide evidence that these security measures
are followed during the development and maintenance of the TOE |
|
the evidence shall justify that the security
measures provide the necessary level of protection to maintain the
confidentiality and integrity of the TOE |
|
|
|
|
|
Goal of Flaw Remediation is to: |
|
Ensure future maintenance and support for the
TOE |
|
Track, correct, and distribute flaw corrections |
|
Three Components, levelled on the increasing
extent in scope of the flaw remediation procedures and the rigour of the
flaw remediation policies |
|
Basic Flaw Remediation |
|
Flaw Reporting Procedures |
|
Systematic Flaw Remediation |
|
|
|
|
|
The developer shall document the flaw
remediation procedures (in a way that shall): |
|
describe the procedures used to track all
reported security flaws in each release of the TOE |
|
require that a description of the nature and
effect of each security flaw be provided, as well as the status of finding
a correction to that flaw |
|
require that corrective actions be identified
for each of the security flaws |
|
describe the methods used to provide flaw
information, corrections and guidance on corrective actions to TOE users |
|
|
|
|
|
The developer shall establish a procedure for
accepting and acting upon user reports of security flaws and requests for
corrections to those flaws (in a way that shall): |
|
ensure that any reported flaws are corrected and
the correction issued to TOE users |
|
provide safeguards that any corrections to these
security flaws do not introduce any new flaws |
|
|
|
|
|
The developer shall document the flaw
remediation procedures (in a way that shall): |
|
require timely responses for the automatic
distribution of security flaw reports and the associated corrections to
registered users who might be affected by the security flaw |
|
The developer shall designate one or more
specific points of contact for user reports and inquiries about security
issues involving the TOE |
|
|
|
|
|
Goal of Life Cycle Definition is to provide
effective (management) control over the system engineering process used to
develop the TOE |
|
Three Components, levelled on the basis of
increasing requirements for standardisation and measurability of the
life-cycle model, and for compliance with that model |
|
Developer Defined Life-cycle Model |
|
Standardized Life-cycle Model |
|
Measurable Life-cycle Model |
|
|
|
|
|
The developer shall establish a life-cycle model
to be used in the development and maintenance of the TOE (that shall): |
|
provide for the necessary control over the
development and maintenance of the TOE |
|
The developer shall provide life-cycle
definition documentation (that shall): |
|
describe the model used to develop and maintain
the TOE |
|
|
|
|
|
The developer shall use a standardised
life-cycle model to develop and maintain the TOE |
|
The developer shall provide life-cycle
definition documentation (that shall): |
|
explain why the model was chosen |
|
explain how the model is used to develop and
maintain the TOE |
|
demonstrate compliance with the standardised
life-cycle model |
|
|
|
|
|
The developer shall use a standardised and
measurable life-cycle model to develop and maintain the TOE |
|
The developer shall measure the TOE development
using the standardised and measurable life-cycle model |
|
The developer shall provide life-cycle
definition documentation (that shall): |
|
describe the model used to develop and maintain
the TOE, including the details of its arithmetic parameters and/or metrics
used to measure the TOE development against the model |
|
demonstrate compliance with the standardised and
measurable life-cycle model |
|
provide the results of the measurements of the
TOE development using the standardised and measurable life-cycle model |
|
|
|
|
|
Goal of Tools and Techniques is to prevent
ill-defined, inconsistent or incorrect development tools from being used to
develop the TOE |
|
Three Components, levelled on the basis of
increasing requirements on the description and scope of the implementation
standards and the documentation of implementation-dependent options |
|
Well-Defined Development Tools |
|
Compliance With Implementation Standards |
|
Compliance With Implementation Standards – All
Parts |
|
|
|
|
|
The developer shall identify the development
tools being used for the TOE |
|
All development tools used for implementation
shall be well-defined |
|
The developer shall document the selected
implementation-dependent options of the development tools |
|
(This documentation) shall unambiguously define
the meaning of all statements used in the implementation |
|
(This documentation) shall unambiguously define
the meaning of all implementation-dependent options |
|
|
|
|
|
The developer shall describe the implementation
standards to be applied |
|
At this level, the accountability is only for
the implementation representations that the developer is actually
developing |
|
|
|
|
|
The developer shall describe the implementation
standards for all parts of the TOE |
|
At this level, the accountability is extended to
the implementation representations that are automatically incorporated by
the tools that the developer is using (e.g., runtime libraries) |
|
|
|
|
|
Goal of Assurance Maintenance is to ensure that
an evaluated and certified TOE still meets its ST requirements as the TOE
or its environment changes |
|
The four Families in the Class are: |
|
Assurance Maintenance Plan (AMA_AMP) |
|
TOE Component Categorization Report (AMA_CAT) |
|
Evidence of Assurance Maintenance (AMA_EVD) |
|
Security Impact Analysis (AMA_SIA) |
|
|
|
|
|
Goal of the Assurance Maintenance Plan is to
identify the plans and procedures a developer must implement in order to
ensure that the assurance that was established in the certified TOE is
maintained as changes are made to the TOE or its environment. |
|
The AM Plan is specific to the TOE, and is
tailored to the developer's own practices and procedures |
|
One Component |
|
Assurance Maintenance Plan |
|
|
|
|
|
The developer shall provide an AM Plan (that
shall) |
|
contain or reference a brief description of the
TOE, including the security functionality it provides |
|
identify the certified version of the TOE, and
shall reference the evaluation results |
|
reference the TOE component categorisation
report for the certified version of the TOE |
|
define the scope of changes to the TOE that are
covered by the plan |
|
describe the TOE life-cycle, and shall identify
the current plans for any new releases of the TOE, together with a brief
description of any planned changes that are likely to have a significant
security impact |
|
describe the assurance maintenance cycle,
stating and justifying the planned schedule of AM audits and the target
date of the next re-evaluation of the TOE |
|
|
|
|
|
The developer shall provide an AM Plan (that
shall) |
|
identify the individual(s) who will assume the
role of developer security analyst for the TOE |
|
describe how the developer security analyst role
will ensure that the procedures documented or referenced in the AM Plan are
followed |
|
describe how the developer security analyst role
will ensure that all developer actions involved in the analysis of the
security impact of changes affecting the TOE are performed correctly |
|
justify why the identified developer security
analyst(s) have sufficient familiarity with the security target, functional
specification and (where appropriate) high-level design of the TOE, and
with the evaluation results and all applicable assurance requirements for
the certified version of the TOE |
|
describe or reference the procedures to be
applied to maintain the assurance in the TOE, which as a minimum shall
include the procedures for configuration management, maintenance of
assurance evidence, performance of the analysis of the security impact of
changes affecting the TOE, and flaw remediation |
|
|
|
|
|
Goal of the TOE Component Categorization Report
is to complement the AM Plan by providing a categorisation of the
components of a TOE (e.g. TSF subsystems) according to their relevance to
security |
|
This categorisation acts as a focus for the
developer's security impact analysis, and also for the subsequent
re-evaluation of the TOE |
|
One Component |
|
TOE Component Categorization Report |
|
|
|
|
|
|
The developer shall provide a TOE component
categorisation report for the certified version of the TOE (that shall): |
|
categorise each component of the TOE, |
|
in each TSF representation from the most
abstract to the least abstract |
|
according to security relevance– at least
categorised as either TSP-enforcing or non-TSP-enforcing |
|
describe the categorisation scheme used, |
|
Know how to categorise new components |
|
Know when to re-categorise existing TOE
components following changes to the TOE or its security target |
|
identify any tools used in the development
environment that, if modified, will have an impact on the assurance that
the TOE satisfies its security target |
|
|
|
|
|
Goal of Evidence of Assurance Maintenance is to
establish confidence that the assurance in the TOE is being maintained by
the developer, in accordance with the AM Plan |
|
Developer produces evidence of security analysis
and security process conformance |
|
Evaluator audits evidence (to keep developer
honest) |
|
One Component |
|
Evidence of Maintenance Process |
|
|
|
|
|
|
The developer security analyst shall provide AM
documentation for the current version of the TOE (that shall): |
|
include a configuration list and a list of
identified vulnerabilities in the TOE |
|
The list of identified vulnerabilities in the
current version of the TOE shall show, for each vulnerability, that the
vulnerability cannot be exploited in the intended environment for the TOE |
|
describe the configuration items that comprise
the current version of the TOE |
|
provide evidence that the procedures documented
or referenced in the AM Plan are being followed |
|
|
|
|
|
Goal of Security Impact Analysis is to provide
confidence that assurance has been maintained in the TOE |
|
Relies on a developer analysis of the security
impact of all changes affecting the TOE since it was certified |
|
Two Components, levelled according to the degree
to which an evaluator validates the developer's security impact analysis |
|
Sampling of Security Impact Analysis |
|
Examination of Security Impact Analysis |
|
|
|
|
|
|
The developer security analyst shall, for the
current version of the TOE, provide a security impact analysis that covers
all changes affecting the TOE as compared with the certified version (which
shall): |
|
identify the certified TOE from which the
current version of the TOE was derived |
|
identify all new and modified TOE components
that are categorised as TSP-enforcing |
|
for each change affecting the security target or
TSF representations |
|
briefly describe the change and any effects it
has on lower representation levels |
|
identify all IT security functions and all TOE
components categorised as TSP-enforcing that are affected by the change |
|
|
|
|
|
for each change which results in a modification
of the implementation representation of the TSF or the IT environment,
identify the test evidence that shows, to the required level of assurance,
that the TSF continues to be correctly implemented following the change |
|
for each applicable assurance requirement in the
configuration management (Class ACM Configuration management), life cycle
support (Class ALC Life cycle support), delivery and operation (Class ADO
Delivery and operation) and guidance documents (Class AGD Guidance
documents) assurance classes, identify any evaluation deliverables that
have changed, and provide a brief description of each change and its impact
on assurance |
|
for each applicable assurance requirement in the
vulnerability assessment (Class AVA Vulnerability assessment) assurance
class, identify which evaluation deliverables have changed and which have
not, and give reasons for the decision taken as to whether or not to update
the deliverable |
|
|
|
|
No additional developer requirements |
|
Evaluator is required to do a complete check of
the security impact analysis documentation to verify that all changes to
the TOE have been analyzed and the conclusions documented |
|
Notes