Maintenance and Re-Evaluation
The CCEVS is pleased to acknowledge the recent international release of the CCRA Requirements on Assurance Continuity (CCIMB-2004-02-009, February 2004). It is available on the CCEVS website. This guidance is to be used by all CCEVS labs to address the topic of maintenance and re-evaluation. It formally supersedes all previous guidance issued by the CCEVS, including Scheme Publication 6.
The approach outlined in these requirements is that the sponsor will provide a report describing the changes made to the certified TOE, together with an analysis of the security impact of those changes. This report will then be reviewed by the scheme to determine whether these changes require any additional analysis by evaluators ("re-evaluation") or whether the changes are such that the analysis performed in producing the impact analysis report was sufficient ("maintenance").
These requirements present only the minimum mutually recognized requirements on assurance maintenance and re-evaluation. They acknowledge that schemes may augment these requirements. If such additional guidance is found to be necessary in the future, then a new Scheme Publication on Re-evaluation and Maintenance will be issued. However, at this time, the CCEVS has no additional guidance to provide to its validators, evaluators, or TOE developers.