First Results from the Site Certification/ALC-Reusability-Project

Abstract:

The “Bundesamt für Sicherheit in der Informationstechnik” (BSI) has taken the lead for a CC-project to develop and validate the procedure in order to perform re-useable evaluations of ALC material.
The motivation of this project is based on an increasing demand coming from different developers to save unnecessary evaluation efforts. In this context re-use of certified ALC material would be a significant benefit to developers who develop multiple products at one or more sites, particularly under the same procedures. This would lead to a significant reduction of time and money for evaluations which could also as a result improve the acceptance and the market of the CC.
To achieve this goal two strategies have been found namely a Development Site Certification approach and a Reusability approach. The first approach leads to a TOE independent CC certificate which is issued to confirm that a specific development environment fulfils the CC requirements regarding the related ALC class. Probably additional ISMS definitions have to be taken into account.
The second approach depends on a previous TOE evaluation in order to re-use already certified ALC related items such as the applied CM system and/or the development site security.
As a first step a project team consisting of several BSI accredited ITSEFs and the BSI itself carried out an analysis of development and production procedures for both software and hardware products. Using this as a basic the reusability process has been developed and documented. Finally the reusability process definition will be validated under several trial evaluations.
The project team was supported by different certification schemes, several software and hardware developers and a number of communities and/or boards like the CCMB and the CCDB.