Abstract:
One of the largest sets of activities in an evaluation is the examination of
the development environment through the assurance components ACM (configuration
management), ADO (delivery and operation) and ALC (life cycle support). At EAL3
and above this includes a site visit. For each new product a developer wants
evaluated, another site visit is required. This leads to a much greater cost,
since in many instances we are evaluating the same site with the same procedures.
A thorough examination may be justified if the product was developed at a
different site, or if major changes have been made to any of these components,
but this is not always the case.
So why not certify the developer’s site and procedures? If a developer could
have their site certified, we could treat the site itself as if it were an
evaluated product and re-evaluate it only when major changes require it. To
allow this, rules would need to be laid down as to what constitutes a major
change. This could be handled in a similar way to assurance continuity, using
an Impact Analysis Report (IAR).
This presentation will outline why certifying a site separately would not
detract from the assurance provided by the associated components. It will show
how these changes could in fact add assurance to products evaluated at EAL2 and
below, where a site visit would not normally be performed. It will also explore
the changes that would need to be made to the evaluation process, in order to
show which parts of these components would still need to be evaluated each time
and which would simply require evidence that no major changes have occurred.