Labgram #116/Valgram #135 - Vulnerability Evidence
Validators and CCTLs,
This labgram clarifies NIAP expectations with respect to vulnerability evidence provided in support of AVA_VAN activities, NIAP Policy 17, and NIAP Publication #6.
When following the AVA_VAN guidance in CC Part 3 (Security assurance requirements), NIAP expects a specific level of vulnerability evidence. To clarify, for all NIAP evaluations, the following must be included in vulnerability evidence submissions.
· The date the vulnerability analysis was performed. Vulnerability searches must be conducted no more than 30 days prior to the PCL posting date.
· All libraries, databases, and search terms used in the vulnerability analysis. At a minimum, search terms must include:
o The list of software and hardware components that compose the TOE,
o The TOE name (including model information as appropriate), and
o Any terms identified by the technical community, as specified in the Protection Profile, and included in the AVA_VAN activities.
· All vulnerabilities identified using the specified libraries, databases, and search terms must be documented.
o All vulnerabilities discovered must be reflected in the ETR, or the IAR for Assurance Maintenance.
o Vulnerabilities that are discovered but are deemed not applicable to the evaluation must be specified in the ETR, or the IAR for Assurance Maintenance, along with the justification as to why they do not apply.
o Vulnerabilities that are discovered and deemed applicable to the evaluation must also be summarized in the AAR, or the IAR for Assurance Maintenance.
o Any open vulnerability related to the product or product components (e.g., software, hardware, libraries, protocols) must be included in the presented analysis along with a justification or mitigation plan, in accordance with Policy 17.
The above applies to all NIAP evaluations, including Assurance Maintenance submissions. Further, for Assurance Maintenance, all vulnerability search terms used in the initial evaluation must also be included in the Assurance Maintenance analysis, together with any new applicable search terms.
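As an added illustration (not part of the labgram), a small checker that encodes the checklist above: the search date within the 30-day window before PCL posting, the required categories of search terms, and a justification or mitigation plan for every finding, plus the list of applicable findings that must be summarized in the AAR. All ids, product names and dates in the sample are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
MAX_SEARCH_AGE_DAYS = 30  # searches no more than 30 days before the PCL posting date

@dataclass
class Finding:
    identifier: str     # vulnerability id as reported by the database searched
    applicable: bool    # does it apply to the evaluated TOE?
    justification: str  # why it does not apply, or the mitigation plan if it is open

@dataclass
class VulnEvidence:
    search_date: date
    pcl_posting_date: date
    sources: list          # libraries and databases searched
    component_terms: list  # software/hardware components that compose the TOE
    toe_terms: list        # TOE name and model information
    community_terms: list  # technical-community terms from the PP (may be empty)
    findings: list = field(default_factory=list)

def check_evidence(ev):
    """Return checklist violations; an empty list means the submission is complete."""
    problems = []
    age = (ev.pcl_posting_date - ev.search_date).days
    if age < 0:
        problems.append("search date is after the PCL posting date")
    elif age > MAX_SEARCH_AGE_DAYS:
        problems.append(f"search is {age} days old; limit is {MAX_SEARCH_AGE_DAYS}")
    if not ev.sources:
        problems.append("no libraries or databases listed")
    for label, terms in (("component", ev.component_terms), ("TOE name", ev.toe_terms)):
        if not terms:
            problems.append(f"no {label} search terms")
    for f in ev.findings:  # every finding needs a reason: why it does not apply, or a plan
        if not f.justification.strip():
            problems.append(f"{f.identifier}: missing justification or mitigation plan")
    return problems

def aar_summary(ev):
    """Applicable findings that must also be summarized in the AAR (or the IAR)."""
    return [f.identifier for f in ev.findings if f.applicable]

def sample_evidence():
    """Constructed sample submission; ids, names and dates are illustrative only."""
    return VulnEvidence(
        search_date=date(2024, 3, 1), pcl_posting_date=date(2024, 3, 20),
        sources=["NVD", "vendor advisories"], community_terms=[],
        component_terms=["OpenSSL", "Linux kernel"], toe_terms=["ExampleGate 3000"],
        findings=[Finding("CVE-EXAMPLE-1", True, "patched in build 3.0.2"),
                  Finding("CVE-EXAMPLE-2", False, "affected module not in TOE boundary")])
```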
If you have any questions or concerns, please contact us at 410-854-4458 or by email at firstname.lastname@example.org.
(U) The information contained herein is for the exclusive use of Government and Contractor personnel with a need-to-know for NIAP CCEVS information. Such information is specifically prohibited from posting on unrestricted bulletin boards or other unlimited access applications.