Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045 (S12a)
Common Criteria (CC), or ISO/IEC 15408, allows the certification of the assurance of IT products. The standard has proven to be flexible for high-security use cases, especially for secure elements, security hardware devices and components related to e-government projects. But however well the standard serves the base certification, it does not support re-certification of updated or security-patched products. Neither ISO/IEC 15408 nor ISO/IEC 18045 (the CEM) contains dedicated methods or evaluation activities that would support the evaluation of minor changes or minor updates. ISO SC27 WG3 has recently released a draft technical report to address these problems, defining additional building blocks (i.e. SFRs for patch functionality and one additional ALC family) which can be integrated into PPs and STs to provide additional assurance for the TOE’s patching functionality and the developer’s patch management process. This presentation will show the current status of the ISO Technical Report and explain how it addresses the patch management problem in line with the Cyber Security Act requirements.