Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007.

Published byMelvin Fox Modified over 8 years ago

Similar presentations

Presentation on theme: "Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007."— Presentation transcript:

1 Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007

2 © Copyright 2005 CygnaCom Solutions 2 Topics Introduction History Process Maintenance Path Re-evaluation Path Impact Analysis Report Input to Impact Analysis Report Output from Impact Analysis Report

3 © Copyright 2005 CygnaCom Solutions 3 Topics (contd.) Guidance to Developers Developer Issues Scheme Questions/Issues Assurance Maintenance Statistics References Contact Information

4 © Copyright 2005 CygnaCom Solutions 4 Introduction “ The purpose of Assurance Continuity is to enable developers to provide assured products to the IT consumer community in a timely and efficient manner.” [From Assurance Continuity: CCRA Requirements v1.0 February 2004] Why? Keep certificate current Certificate to match the latest TOE, process and environment Certificate to address changes in company information Re-use evidence and results from previous evaluation

5 © Copyright 2005 CygnaCom Solutions 5 Introduction (contd.) Recognized by the CCRA members Valid for EAL1-EAL4 evaluations

6 © Copyright 2005 CygnaCom Solutions 6 History CC version 2.1, August 1999 -AMA class Separate class Dependencies on class (ALC, ACM, AMA) Difficult to follow and understand CC version 2.2, January 2004 – AMA class dropped February 2004 –Assurance Continuity v1.0, with CC V2.3

7 © Copyright 2005 CygnaCom Solutions 7 Assurance Continuity Process Developer assesses the changes to the evaluated TOE Developer updates the affected documents Developer writes Impact Analysis Report listing the updated documents, description of changes and a verdict Developer ensures that changes have no adverse effect on the Security assurance of the changed TOE Scheme confirms Maintenance/Re-evaluation path Scheme updates the validated product list entry If applicable, scheme issues new certificate Impact Analysis Report is a scheme defined document listing the changes to the TOE and testing conducted by the developer.

8 © Copyright 2005 CygnaCom Solutions 8 Assurance Process [From Assurance Continuity: CCRA Requirements v1.0 February 2004]

9 © Copyright 2005 CygnaCom Solutions 9 Assurance continuity Types of Assurance Continuity Assurance Maintenance “Maintenance refers to the process of recognising that a set of one or more changes made to a certified TOE have not adversely affected assurance in that TOE.” Assurance Re-evaluation “ Re-evaluation refers to the process of recognising that changes made to a certified TOE require independent evaluator activities to be performed in order to establish a new assurance baseline. Re- evalution seeks to reuse results from a previous evalution.”

10 © Copyright 2005 CygnaCom Solutions 10 Assurance Maintenance Minor changes to TOE Assurance affirmed by developer No new certificate Examples - Minor updates to the product not related to security - Minor bug fixes - Process oriented changes - Company information changes

11 © Copyright 2005 CygnaCom Solutions 11 Assurance Re-evaluation Changes to TOE that are not minor Assurance Re-evaluated by an independent Lab New certificate Impact Analysis Report not required (but helps) Examples - Security related updates to the evaluated TOE - Bug fixes - Many small changes - New interfaces/ADV changes - Years since last certification - Upgrading EAL level

12 © Copyright 2005 CygnaCom Solutions 12 Impact Analysis Report Records the analysis of the impact of changes to the certified TOE Generated by the developer requesting a maintenance addendum Submitted to the Scheme Impact Analysis Report forrmat - Introduction - Description of changes - Developer evidence changed (identify) - Description of evidence changed - Conclusion with verdict - Annex: Updated evidence

13 © Copyright 2005 CygnaCom Solutions 13 Input to Assurance Continuity Impact Analysis Report (optional but recommended) Updated ST Updated evidence documents Updated ETR (Re-evaluation) From previous evaluation: - Certificate - Certification report - ETR - ST

14 © Copyright 2005 CygnaCom Solutions 14 Output from Assurance Continuity Scheme report - Maintenance Report - Certification Report (Re-evaluation path) Updated certificate (Re-evaluation only) Updated Validated Product List Updated ST (posted on the web) Certified TOE

15 © Copyright 2005 CygnaCom Solutions 15 Guidance to Developers Build maintenance process during initial evaluation Keep good documentation on changes to the product Update all related evidence as TOE changes Conduct some testing before submitting Impact Analysis Report Not all products need to be re-evaluated, check with the scheme Often Labs write the IAR

16 © Copyright 2005 CygnaCom Solutions 16 Developer Issues [US experience based] Dilemma on the choice of the continuity path Scheme may disagree with developer’s verdict Cost/effort before scheme’s decision Maintenance/re-evaluation decision is subjective Re-evaluation by the same Lab Unpredictable cost Every case is different Assurance Continuity for higher levels not available

17 © Copyright 2005 CygnaCom Solutions 17 Scheme Questions/Issues Changes to crypto: Maintenance or Re-evaluation? Assurance Continuity from the same scheme Certificate update to EAL5 or higher - not under MRA Scheme variations on Maintenance/Re-evaluation How much is too much? [% change?] Assurance Continuity when PP gets out dated Assurance Continuity for products evaluated under v2.x (ST format, Assurance requirement changes in v3.x) Effect of new scheme Policies on re-evaluations

18 © Copyright 2005 CygnaCom Solutions 18 CCEVS Statistics on Assurance Continuity [US Scheme based] 217 evaluated products (Dec. 1998- Aug. 2007) 23 Assurance Continuity : 10 EAL2, 2 EAL3, 11 EAL4 First evaluation – Dec. 1998 First Assurance Continuity evaluation completed- July 2003 15 products went through Assurance Continuity Some products had multiple revisions Product types: Firewall, IDS/IPS, Switch, Router, Network Management, Web Server, Sensitive Data Protection

19 © Copyright 2005 CygnaCom Solutions 19 CC References Common Criteria FOR Information Technology Security Evaluation - Part 3 Security Assurance Requirements, August 1999, version 2.1 Assurance Continuity: CCRA Requirements v1.0 –February 2004

20 © Copyright 2005 CygnaCom Solutions 20 Questions : ??? Thank you! Contact: Nithya Rachamadugu Director, CygnaCom CCTL Nithya@cygnacom.com 703-270-3551

Download ppt "Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007."

Similar presentations

16 August 2010© Crown Copyright (2010)1 Module 2.8 Assurance Continuity and Composition.

16 August 2010© Crown Copyright (2010)1 Module 2.8 Assurance Continuity and Composition.
© Crown Copyright (2000) Module 3.1 Evaluation Process.

© Crown Copyright (2000) Module 3.1 Evaluation Process.
© Crown Copyright (2000) Module 3.2 Evaluation Management.

© Crown Copyright (2000) Module 3.2 Evaluation Management.
SMALL BUSINESS SHOWCASE COACT, Inc. is a Service Disabled Veteran Owned Small Business (SDVOSB). Niche Areas: Certification & Accreditation (C&A) FIPS140.

SMALL BUSINESS SHOWCASE COACT, Inc. is a Service Disabled Veteran Owned Small Business (SDVOSB). Niche Areas: Certification & Accreditation (C&A) FIPS140.
University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.

University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.
Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.

Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.
OVERVIEW & LIBRARY SUPPORT FOR DATA MANAGEMENT/SHARING Jim Van Loon, MSME/MLIS Science Librarian.

OVERVIEW & LIBRARY SUPPORT FOR DATA MANAGEMENT/SHARING Jim Van Loon, MSME/MLIS Science Librarian.
2015-2016 FAFSA ® Updates Applicant Products Team.

FAFSA ® Updates Applicant Products Team.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Software Quality Assurance Plan

Software Quality Assurance Plan
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
October 3, 20031 Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Minnesota Agricultural Water Quality Certification Program Senate Environment, Economic Development And Agriculture Finance Committee March 11, 2013.

Minnesota Agricultural Water Quality Certification Program Senate Environment, Economic Development And Agriculture Finance Committee March 11, 2013.
NASBLA ERAC Terms and Definitions Project Next Steps Webinar July 15, 2013 2:00 p.m. EDT www.nasbla.org/terms.

NASBLA ERAC Terms and Definitions Project Next Steps Webinar July 15, :00 p.m. EDT
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
7th February 20061 PQG Supplier Auditor Certification and Training scheme Introduction to the scheme & implications of the changes David Mogg PQG Chairman.

7th February PQG Supplier Auditor Certification and Training scheme Introduction to the scheme & implications of the changes David Mogg PQG Chairman.
Registration Teaching Council Induction Colm O’Leary Registration Officer.

Registration Teaching Council Induction Colm O’Leary Registration Officer.
Westminster City Council and Westminster Primary Care Trust Voluntary Sector Funding 2009/10 Voluntary Sector Funding Eligibility, Application Form Funding,

Westminster City Council and Westminster Primary Care Trust Voluntary Sector Funding 2009/10 Voluntary Sector Funding Eligibility, Application Form Funding,

Similar presentations

Ads by Google