Module 2.8 Assurance Continuity and Composition
16 August 2010 © Crown Copyright (2010)

“You Are Here”
MODULE 2 - ASSURANCE
• M2.1 Requirements
• M2.2 Development Representations
• M2.3 Functional Testing
• M2.4 Development Environment
• M2.5 Operational Environment
• M2.6 Vulnerability Analysis
• M2.7 Penetration Testing
• M2.8 Assurance Maintenance/Composition

Abbreviations and References
• The Abbreviations and References document, UKSP 00, is available on the Formal Documentation webpage of the CESG website at http://www.cesg.gov.uk
• Also see Chapter 4 Terms and Definitions & Chapter 5 Symbols and Abbreviated Terms in CC Part 1, Version 3.1

Glossary
• Assurance Baseline
  – The culmination of activities performed by the Evaluator and Developer resulting in a Certified TOE, recorded or submitted as evidence and measurable by any change to that evidence
• Certified TOE
  – The TOE that has been successfully evaluated and certified (or re-evaluated and certified)

Glossary
• CESG CB
  – CESG Certification Body, which is the UK Evaluation Authority
• Changed TOE
  – The patched, updated or otherwise modified TOE that is to be subjected to Assurance Continuity
• Developer Evidence
  – The TOE and evaluation documentation deliverables

Glossary
• Evaluation Authority
  – A body that implements the CC for a specific community by means of an Evaluation Scheme
• Impact Analysis Report (IAR)
  – The report generated by the Sponsor/Developer that records the analysis of changes to the Certified TOE
  – The impact of each change should be Minor for Assurance Maintenance
  – Otherwise a Re-evaluation will be required

Glossary
• Maintained TOE
  – The Changed TOE that has successfully undergone the Assurance Maintenance process and has been awarded a Maintenance Addendum Certificate
• Maintenance Addendum
  – The additional text that is appended to the description of the Certified TOE on the CESG website in order to describe the Maintained version(s) of the TOE

Glossary
• Maintenance Addendum Certificate
  – The Certificate of the Maintained TOE, which references the Certificate of the Certified TOE
• Maintenance Report
  – The publicly available report that describes all the changes that were made to the Certified TOE and that have been accepted under the Assurance Maintenance process

Glossary
• Maintenance
  – The process applied when the changes to a Certified TOE have not adversely affected assurance in that TOE
• Original TOE
  – The TOE prior to being subjected to any evaluation and certification
• Re-evaluation
  – The process applied when the changes to a Certified TOE require Evaluation (reusing previous Evaluation or Maintenance results) to establish a new Assurance Baseline

CCRA and MRA
• Arrangement on the Recognition of Common Criteria Certificates in the Field of Information Technology Security, May 2000
• Mutual Recognition Agreement of Information Technology Security Evaluation Certificates, Management Committee, SOGIS, Version 3.0, January 2010

CCRA Assurance Continuity
• Assurance Continuity: CCRA Requirements, Common Criteria Interpretations Management Board, CCIMB-2004-02-009, Version 1.0, February 2004
• Reuse of Evaluation Results and Evidence, Common Criteria Recognition Arrangement Management Committee, 2002-08-009-002, Version 1, October 26th, 2002

UK Scheme Publication No 3
• Sponsor’s Guide – General Introduction, UKSP 03: Part I, Issue 2.2, December 2009
  – Assists Sponsors and Developers intending to submit a product for Evaluation & Certification
• Sponsor’s Guide – Assurance Continuity, UKSP 03: Part II, Issue 1.0, December 2009
  – Describes
the UK Scheme requirements for Assurance Continuity

UKSP 03 Part II
• CCRA Assurance Continuity requirements are extended, if required, in the areas of:
  – Technical Concepts
  – Change Characterisation
  – Impact Analysis
  – Production of the Impact Analysis Report
• Assurance Continuity is only allowed for products previously certified by CESG CB

United Kingdom Accreditation Service
• To satisfy the UKAS accreditation criteria, established procedures must be used for the conduct of Assurance Continuity activities
• The responsibilities that are identified in UKSP 03 Part II reflect UKAS requirements
• Consult the UKAS documentation for the full accreditation requirements

Scope
• The Assurance Continuity requirements are applicable to the security evaluations of products against the criteria laid down in the Common Criteria [CC], [CCRA] and [AC]
• This is subject to the relevant International Interpretations, UK Interpretations and Scheme Information Notices (SINs)

Assurance Continuity
• Assurance Continuity is an enhancement to Common Criteria Certification and consists of the following two processes:
  – Re-evaluation: this is covered by the standard Evaluation process described in UKSP 01 and UKSP 02
  – Assurance Maintenance: this will be covered in the current module

Assurance Continuity
• The concept of Assurance Maintenance is introduced in UKSP 01
  – Based on an Impact Analysis Report produced by the Sponsor/Developer
• If all changes to a Certified TOE have a Minor security impact then the Assurance Maintenance process is applicable
• If a single change to a Certified TOE has a Major security impact then a Re-evaluation is necessary

Assurance Continuity
• Assurance Continuity enables the Sponsor/Developer of a
Certified TOE to provide ongoing assurance when the TOE is subject to any type of update, modification or change.
• Assurance Continuity is intended to be a relatively quick, cheap and efficient process to achieve a Certified or Maintained TOE, since unchanged evaluation work that was previously performed does not need to be unnecessarily repeated.

Assurance Maintenance
• Assurance Maintenance is based on the production of an Impact Analysis Report, by the Sponsor/Developer, which is submitted to the CESG Certification Body for Review
• CLEF Evaluators are not involved during Assurance Maintenance, but the CB or Sponsor/Developer may utilise consultants or experts (e.g. CLEF Consultants), if required

Assurance Maintenance
• Although there is no formal CC requirement to supply any further Developer Evidence in the assessment process, beyond those items listed in Chapter 2, the CESG CB reserves the right to inspect original and/or updated deliverables, in order to confirm whether specific changes are Major or Minor.

Assurance Maintenance
• A satisfactory CESG CB Review will lead to the publication, on the CESG webpage for the corresponding Certified TOE, of the following:
  – an updated Security Target
  – a Maintenance Report summarising the changes from the Certified TOE
  – a Maintenance Addendum
• A Maintenance Addendum Certificate will be issued to the Sponsor/Developer to supplement the original Certificate

Re-evaluation
• Any security relevant change that is deemed to be Major will necessitate a Re-evaluation if assurance in the product is to be maintained
• The Re-evaluation process is identical to the Evaluation process described in UKSP 01 and UKSP 02, except that the Evaluation may optionally be guided by an IAR and supported by appropriate reuse of any previous Evaluation or Maintenance evidence

TOE Certification Lifecycle (diagram: states and transitions)
• Original Evaluation & Certification completed; publish ST & CR; issue Certificate -> Certified
• Certified -> Changed: updated or modified by Sponsor or Developer
• Changed -> Certified: Re-evaluation (Major change(s)); issue Certificate
• Changed -> Maintained: Assurance Maintenance (Minor change(s) in IAR); publish MA with MR & updated ST; issue MA Certificate
• Maintained -> Changed: updated or modified
• The Maintenance Addendum Certificate is produced as a supplement to the original Certificate.

Certification Lifecycle
• Re-evaluation is basically the same as the standard CC Evaluation process, including the issue of a Certification Report and Certificate
• Assurance Maintenance requires all changes in the Impact Analysis Report to be assessed & verified to have a Minor security impact on the TOE

Certification Lifecycle
• In contrast to Section 2.2 of the CCRA Assurance Continuity document, which states that there is “no implied issuance of an updated certificate”, a MA Certificate will be produced as an Addendum to either the original Certificate or the most recent Re-evaluation Certificate

Certification Lifecycle
• Section 2.4 of CCRA Assurance Continuity states that new vulnerabilities and attack methods are not assessed during the Assurance Maintenance process
• However, even a few weeks is a long time period in terms of security vulnerability development/deployment and analysis

Certification Lifecycle
• CESG CB may wish to increase confidence in the Assurance Maintenance process by ensuring that:
  – either no new vulnerabilities or attack methods have been found
  – or, if found, they are not in scope of the defined TOE boundary, or at least they are not relevant to the evaluated configuration of the TOE
• CESG CB is responsible for determining the extent of any additional vulnerability analysis that is required beyond that produced by the Developer

Deliverables Required for Assurance Maintenance
• For the Certified TOE:
  – Common Criteria Certificate, including any Maintenance Addendum
  – Certification Report, including any Maintenance Report
  – Evaluation Technical Report, including any Evaluation Work Packages
  – Security Target, including the Security Target for any Maintained TOE

Deliverables Required for
Assurance Maintenance
• For the Changed TOE:
  – Impact Analysis Report
  – Security Target (updated)
  – Product and supporting documentation
  – Developer Evidence (updated)
• The above deliverables for the Certified and Changed TOE are suitable for input into the CESG CB Assurance Maintenance process

Assurance Maintenance
• CESG CB may require the following additional inputs to resolve any decisions regarding the characterisation or categorisation of changes:
  – Security Architecture and Design
  – Vulnerability Analysis
  – Test Scripts and Results
  – Configuration List
  – Operational Guidance

Assurance Maintenance
• Although there is no defined time limit between the TOE Certification date and the start of the Assurance Maintenance process, the Certifier should ensure that the time gap is consistent and reasonable in relation to other aspects of the proposed Assurance Maintenance process

Assurance Maintenance
• The CESG Certification Body will perform a Review of the Impact Analysis Report, using a standard CESG CB Review form, to ensure that all changes have a Minor security impact on the assurance of the TOE

Assurance Maintenance
• If all changes are Minor then a Maintenance Report and Maintenance Addendum will be produced and published on the CESG website, as an update to the information about the Certified TOE
• Note that the IAR is normally shared only between the Sponsor/Developer and the CESG Certification Body

Assurance Maintenance
• The Maintenance Addendum is just a few paragraphs, referencing the Maintenance Report and the updated Security Target, which are appended to the entry about the Certified TOE on the CESG website
• This satisfies the Maintenance Addendum requirements in Section 2.4.1.2 of [AC]

Re-evaluation
• Apart from the potential use of a formal Impact Analysis Report in a Re-evaluation, everything else in Section 2.4.2 of [AC] regarding the Re-evaluation process is already covered by UKSP 02

Certification Work Programme
• The CESG CB Certification activities for the Assurance Maintenance process and Re-evaluation process are outlined in the Standard Certification Work Programme, see [CWP-AM] and [CWP]
• Depending on the scope and quantity of changes, the CB may seek the support of a consultant to perform the analysis of the changes in the IAR and to draft the Maintenance Report.

Characterisation of TOE Changes
• No additional information is required in addition to Chapter 3 of [AC], which just contains some examples of changes that have Minor or Major security impact
• In general, it is very difficult to determine whether the impact on assurance of any specific change to a TOE should be classified as Minor or Major

Characterisation of TOE Changes
• There is no guarantee that the security of an updated product can be determined by checking the updates only and ignoring the unchanged aspects, in the context of the whole product
• In practice, the categorisation is agreed between the Sponsor, Developer and the CB, together with any assigned CB consultant, but the decision of the CB will be final

Performing an Impact Analysis
• No additional information is required in addition to Chapter 4 of [AC], which states that any changes that impact on any aspect of the original Evaluation and Certification (e.g. Objectives, Threats, SFRs, SARs, Documentation, etc.) should be addressed by the Sponsor/Developer, who will produce updated Documentation and the Impact Analysis Report

Performing an Impact Analysis
• Steps 1 to 5 in Section 4.3 of [AC] may be
used as a checklist by the Sponsor/Developer or the CESG Certification Body to ensure that the IAR covers all the stated requirements
• A stricter requirement for evaluation deliverables or a stronger level of assurance than the Original TOE Evaluation and Certification is unnecessary and is not required

Impact Analysis Report
• The required minimum contents of the IAR are as follows and could be used by the Sponsor/Developer as a basis for an IAR template:
• Introduction:
  – the IAR configuration control identifiers (e.g. name, date and version)
  – current TOE configuration control identifiers (the current version of the TOE)
  – configuration control identifiers for the ETR, CR, and Certified TOE (Assurance Baseline)
  – configuration control identifiers for the version of the ST related to the Certified TOE
  – identity of the Developer
  – information in relation to legal or statutory aspects
  – information related to any previous Assurance Maintenance activity (e.g. MR)

Impact Analysis Report (IAR)
• Description of changes:
  – changes to the product
  – changes to the development environment
• Affected Developer Evidence:
  – for each change, the Developer shall list the affected items of the original Developer Evidence (i.e.
the affected Evaluation Deliverables)
• Modifications to Developer Evidence:
  – the Developer shall describe the required modifications to the affected items of the original Developer Evidence

Impact Analysis Report (IAR)
• Conclusions:
  – for each change the Developer shall report if the impact on assurance is considered Minor or Major
  – for each change the Developer should provide a supporting rationale for the reported impact
  – the Developer shall report if the overall impact is considered Minor or Major
  – the Developer should include a supporting rationale, taking all the changes into consideration
• Annex: Updated Developer Evidence:
  – the Developer shall report the title and the unique reference (e.g. issue date and version number) of each updated item of Developer Evidence

Templates for Assurance Continuity
• Assurance Maintenance Plan template is provided on the CESG website in CTAS Methodology
• Impact Analysis Report template, for the Sponsor/Developer, is provided in Chapter V of UKSP 03 Part II
• IAR Review template, for the CESG Certification Body, is provided by a standard CESG CB Review Form
• Maintenance Report template, for the CESG Certification Body, is available from the CESG CB
• Maintenance Addendum template, for the CESG Certification Body, is not specifically provided

Main Principles for Assurance Continuity
• Maintain Impartiality and Objectivity, as with all Common Criteria evaluation and certification tasks
• There should not be any time, money or resource pressures that would affect the impartiality or objectivity of the Assurance Continuity process

Main Principles for Assurance Continuity
• Reuse evaluation results wherever possible
• For parts of the Changed TOE where there has been no change, there is no point in repeating work that has already been performed during the
evaluation of the Certified TOE

Main Principles for Assurance Continuity
• No more detail is required than that provided during the evaluation of the Certified TOE
• Only the changes that actually affect the deliverables of the Certified TOE are required to be reported
  – For example, if a document was not provided as a deliverable for the Certified TOE then any updates to that document do not need to be provided for the Maintained TOE

Main Principles for Assurance Continuity
• Details of changes should be sufficient to support Repeatability and Reproducibility across CBs
• A non-security related change is usually completely irrelevant to the TOE and IAR
  – it can be eliminated quickly
  – it does not need to be discussed in detail
• The impact of non-security related changes can be categorised as None (rather than Minor)
• Changes categorised as None would not have been discussed in the Original TOE evaluation

Main Principles for Assurance Continuity
• Correcting an implementation fault (even to security functionality) is just strengthening the claimed behaviour of the TOE and hence cannot be considered a Major change for the Impact Analysis Report
• Generic wording that may be used for this situation is as follows: “The < fault correction | bug fix > relating to the < subsystem | component > is a correction to the TOE functionality and hence does not affect the expression of the SFRs in the assurance evidence”

Procedures
• The CESG CB procedures for the Initial Stage of Assurance Maintenance are:
  – Prepare for the IAR Review (i.e.
familiarise with the previous ST, ETR, CR, IAR, MR as appropriate)
  – Confirm whether the ST is essentially unchanged (except for trivial changes such as software versions)
  – Review the draft IAR and check its change categorisations
  – Audit any updated deliverables regarding specific changes (such as the bug list and test results)
  – Perform a search for any obvious vulnerabilities

Procedures
• The CESG CB procedures for the Final Stage of Assurance Maintenance are:
  – Review and approve the final IAR
  – Address any issues raised by CESG CB or the Sponsor/Developer
  – Produce and agree the Maintenance Report
  – Record the decision rationale
  – Produce and agree the MA and MA Certificate
  – Update the entries on the CESG and CC portal websites using ST, MR, and MA
  – Submit the MA Certificate to the Sponsor/Developer

{End of New Presentation…}
• {…and start of Old Presentation}

Introduction
• Assurance maintenance
  – assessment of changes to TOE
  – assurance maintained after certification
• Composition
  – TOE comprises component products
  – certified components included
• Some TOEs may involve both

Assurance Maintenance Options
• Ad-hoc re-evaluation
  – initiated when desired
• Certificate Maintenance Scheme (CMS)
  – requires ongoing developer support

Assurance Maintenance Fundamentals
• Previous evaluation results
• Security impact analysis
• Categorisation report
• ‘Evaluation’ activity

Ad-hoc Re-evaluation - Process and Reporting
• Updated deliverables
  – may include impact analysis
• Standard evaluation process
  – re-use of previous results
• Observation reports and ETR

CMS - Process
• Certificate Maintenance Plan (CMP)
  – planned maintenance cycle for TOE
• Developer Security Analyst (DSA)
  – responsible developer representative
• CMS rules

CMS - Maintenance Cycle (diagram; nodes as they appear)
• TOE Certified
• CMP Approved
• CMP Updated
• TOE Maintained Under CMS
• TOE Re-certified
• CMP Updated

CMS - Certificate Maintenance Plan
• Covers one maintenance cycle
• Identifies changes
  – components affected
  – assurance required
• Release plans
• Audit schedule/Re-evaluation schedule
• DSA
• Maintenance and Vulnerability Tracking Procedures

CMS - Developer Security Analyst
• ‘Qualifications’
  – familiar with TOE
  – criteria and methodology knowledge
  – impartiality
• Responsibilities:
  – deliverables
  – testing
  – vulnerabilities

CMS - Security Impact Analysis
• Responsibility of DSA
  – production and maintenance of SIA
• Contents
  – changes
  – test evidence
• Purpose

CMS - Categorisation Report (table: ITSEC category | CC category)
• Security Enforcing | TSP-enforcing: Security Critical
• Security Relevant | TSP-enforcing: Security Supporting
• Security Irrelevant | Non-TSP-enforcing

CMS - Reporting
• Observation Reports
• Audit Reports
• ETR (following re-evaluation)

ITSEC vs.
CC (table: ITSEC term | CC term)
• Certificate Maintenance Plan | Assurance Maintenance Plan
• Categorisation Report | TOE Component Categorisation Report
• Certificate Maintenance Audit Report | Assurance Maintenance Audit Report
• Security Impact Analysis | Security Impact Analysis
• Certificate Maintenance Status Report | Evidence of Assurance Maintenance

Composite TOEs
• Certified Products and Bespoke Applications
  – re-use component product results
  – assess interaction between components
• Diagram (labels only): Bespoke, RDBMS, Operating System, Certified, Hardware

Summary
• Assurance maintenance involves
  – Reuse of previous results
  – SIA
• Options for ad-hoc re-evaluation or CMS
• CMS also involves
  – CMP
  – DSA
• Composition
  – Re-use of component product results

Further Reading
• ITSEC Evaluation
  – UKSP 05 Part III, Chapter 11
  – UKSP 16
• CC evaluation
  – CC Part 3, Sections 2.8, 15 and 16

Exercise - Maintenance
• Month 1: TOE completes evaluation
• Month 4: Minor bug fixes are carried out relating to the display of fields
• Month 8: Administrator manuals are updated to clarify certain actions
• Month 12: The maximum number of audit records is extended

Exercise - Maintenance (Cont)
• Month 15: The authentication mechanism is changed
• Month 18: An additional service is added to the firewall
• Month 21: Testing documentation is updated to reflect new vulnerabilities
• Month 24: Security Relevant Functionality is added to the TOE
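The IAR minimum contents (Introduction, Description of changes, Affected and Modified Developer Evidence, Conclusions, Annex) and the categorisation rules in the Assurance Continuity and Main Principles slides (a single Major change forces Re-evaluation; non-security changes may be categorised None) can be turned into a self-check that a Sponsor/Developer runs before submitting an IAR. The Python below is an added example, not Scheme code or a CESG template; its field names and the two constructed changes are assumptions.

```python
"""Self-check of an IAR against the UKSP 03 Part II minimum contents (added example, field names assumed)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Introduction items required by the IAR minimum contents (key names are assumed).
REQUIRED_INTRO = ("iar_id", "current_toe_id", "baseline_ids", "st_id",
                  "developer", "legal_statutory", "previous_maintenance")

@dataclass
class Change:
    ident: str
    description: str
    impact: str                                                  # None, Minor or Major
    rationale: str = ""                                          # supporting rationale
    affected_evidence: List[str] = field(default_factory=list)   # original evidence items
    modifications: Dict[str, str] = field(default_factory=dict)  # item -> required change

@dataclass
class IAR:
    introduction: Dict[str, str]
    changes: List[Change]
    overall_impact: str
    overall_rationale: str
    updated_evidence: Dict[str, str]   # annex: evidence title -> unique reference

def overall_impact(changes: List[Change]) -> str:
    """One Major change makes the overall impact Major; otherwise Minor if any change
    is Minor; None only when every change is non-security related."""
    impacts = {c.impact for c in changes}
    return "Major" if "Major" in impacts else "Minor" if "Minor" in impacts else "None"

def route(changes: List[Change]) -> str:
    """Major overall impact needs Re-evaluation; otherwise Assurance Maintenance (subject to CB Review)."""
    return "Re-evaluation" if overall_impact(changes) == "Major" else "Assurance Maintenance"

def check_iar(iar: IAR) -> List[str]:
    """Return findings; empty means minimum contents present and conclusions consistent."""
    findings = [f"introduction: missing {k}" for k in REQUIRED_INTRO
                if not iar.introduction.get(k)]
    if not iar.changes:
        findings.append("description of changes: no changes listed")
    for c in iar.changes:
        if c.impact not in ("None", "Minor", "Major"):
            findings.append(f"{c.ident}: unknown impact '{c.impact}'")
            continue
        if c.impact != "None" and not c.rationale:       # security-relevant: justify it
            findings.append(f"{c.ident}: no supporting rationale")
        if c.impact != "None" and not c.affected_evidence:
            findings.append(f"{c.ident}: no affected Developer Evidence listed")
        for item in c.affected_evidence:                 # each affected item must be
            if item not in c.modifications:              # described and referenced
                findings.append(f"{c.ident}: no modification described for '{item}'")
            if item not in iar.updated_evidence:
                findings.append(f"annex: no updated reference for '{item}'")
    expected = overall_impact(iar.changes)
    if iar.overall_impact != expected:
        findings.append(f"conclusions: overall impact {iar.overall_impact}, expected {expected}")
    if not iar.overall_rationale:
        findings.append("conclusions: no overall rationale")
    return findings

# Constructed sample IAR (placeholder identifiers): a bug fix categorised Minor using
# the generic wording from the deck, plus a non-security change categorised None.
SAMPLE_IAR = IAR(
    introduction={k: "placeholder" for k in REQUIRED_INTRO},
    changes=[
        Change("CH-1", "Bug fix to the audit viewer column layout", "Minor",
               rationale="Correction to TOE functionality; SFR expression unaffected",
               affected_evidence=["Test Results"],
               modifications={"Test Results": "re-run the affected viewer tests"}),
        Change("CH-2", "New installer splash-screen branding", "None"),
    ],
    overall_impact="Minor", overall_rationale="All changes Minor or None",
    updated_evidence={"Test Results": "TR issue 1.1, placeholder date"},
)
```

Running `check_iar(SAMPLE_IAR)` returns no findings and `route(SAMPLE_IAR.changes)` selects Assurance Maintenance; an IAR that reports Minor overall while listing a Major change, or omits a rationale, is flagged before it reaches the CB.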