Assurance Continuity—Filling the Gap Between Maintenance and Re-certification (U13c)
Certificate maintenance is a quick and cost efficient process which allows us to extend the certificate validity to a new TOE version. However, the use of the maintenance process is currently limited to minor changes.
If the change of the TOE is to be considered as a major change, then a re-evaluation by an evaluation facility is to be used. The result is a new certificate, even when the vendor is not really interested in a new certificate. The vendor often only wants to maintain the existing certificate, e.g. due to a necessary bug-fix.
The issuing of a new certificate requires that all evidences are up-to-date. This bears the risk that further re-evaluation tasks beyond the change of the TOE (e.g. a site visit or the consideration of a new interpretation) may become necessary and make the re-evaluation more cost and time consuming.
This talk will provide an overview about assurance continuity and discuss the extension of the maintenance process by “maintenance with partial re-evaluation”. Maintenance with partial re-evaluation limits the re-evaluation to the change of the TOE. It extends (or transfers) the validity of the existing certificate to the new TOE version instead of issuing a new certificate.
The proposed process is quicker and more cost efficient than a re-evaluation and can fill the big gap between maintenance and re-certification when a new certificate is not required.