NP002 - EUCC processes v2.0
Processes describing how to get a product certified and sustain its certified status under the EUCC for assurance level high at the Dutch NCCA.
1. Introduction
1.1 Background and purpose
The European Common Criteria scheme (EUCC) is the first cybersecurity certification scheme developed under the Cybersecurity Act (CSA). This scheme aims to serve as a successor to the current existing national schemes operating under the SOGIS MRA (Senior Officials Group on Information Systems Security Mutual Recognition Agreement) and covers the certification of ICT products, using the Common Criteria ISO/IEC 15408 standard.
The Dutch implementation of the CSA is regulated in Dutch law in the "Uitvoeringswet cyberbeveiligingsverordening" (UITVW). In this law the role of NCCA is assigned to the Dutch Authority for Digital Infrastructure (RDI), which is part of the Ministry of Economic Affairs and Climate Policy. The UITVW expresses the Dutch government choice to use the "prior approval model" as mentioned in article 56(6)a of the CSA as the only option for issuing certificates at the assurance level "high".
This document provides details of the steps and activities that the parties involved shall take in the EUCC processes in which the RDI as NCCA has a role. The EUCC processes are:
- The forecast process (further described in chapter 2);
- The certification process (further described in chapter 3);
- The assurance continuity process (further described in chapter 4);
- The vulnerability management and disclosure process (further described in chapter 5).
The forecast, the certification and assurance continuity processes are applicable for products and protection profiles where assurance level "High" is claimed. Approval is necessary from the NCCA before a CAB is allowed to issue a certificate at this assurance level "High". Note that a similar approach may also be applied to the certification of products and protection profiles where assurance level "Substantial" is claimed. In this case the approval is not required, and the involvement of the NCCA in the certification process would be nil.
Depending on the nature of the certification, the actual activities may differ and need to be tailored as described in the following chapters.
The vulnerability management and disclosure process is applicable for products certified at either the "Substantial" or "High" assurance level.
This document is aligned with the accreditation norms ISO/IEC 17025 & ISO/IEC 17065 and the related EUCC State-of-the-Art documents while also providing detailed guidance to the formal approval steps as specified in the UITVW. The overall goal is to ensure that the formal approval can be given efficiently based on a process that reduces risks for all stakeholders by having the following characteristics:
- Quality - Approval based on verification that certification is meeting scheme requirements;
- Predictability - assurance that certification is on the right track;
- Responsiveness - small work packages/intermediate results are faster to review;
- Timeliness - fast final approval based on intermediate results.
1.2 Information products
Information product | From | To | Description |
---|---|---|---|
Monthly forecast | CAB | NCCA | A document containing the certification leads of a CAB. It is used by the NCCA operational manager for initial resource planning and allocation. |
Forecast overview | NCCA | NCCA | NCCA internal document compiled by the operational manager from the individual monthly forecasts. |
EUCC notification | CAB | NCCA | Official notification from a CAB to the NCCA that they wish to start the certification process for a product or protection profile. It consists of a notification form, assessment plan and (draft) Security Target/Protection Profile. |
Assessment plan | CAB | NCCA | A document describing how the CAB will conduct the product assessment. |
Notification Review Report | NCCA | NCCA | NCCA internal report in which the NCCA keeps track of everything leading up to the rejection or acceptance of the assessment plan. |
Acceptance of assessment plan | NCCA | CAB | Official notification of acceptance of the assessment plan, after which the certification process can proceed to the certification monitoring phase. |
Rejection of assessment plan | NCCA | CAB | Official notification of rejection of the assessment plan. |
Request for developer evidence | CAB | Sponsor | A request from the CAB to the sponsor to provide the developer evidence necessary for assessment. |
Developer evidence | Sponsor | CAB | Evidence provided by the sponsor to the CAB for assessment. |
Evaluator evidence | CAB | NCCA | Reports or other material describing how the evaluator actions have been performed. This evidence is presented in the ERMs for internal review by the certifier and monitoring by the NCCA. |
Evaluation Technical Report (ETR) | CAB | NCCA | Report that combines and compiles all evaluator evidence from the product evaluation. |
Meeting minutes | CAB | NCCA | Report of an ERM that records all issues raised during the meeting, the decisions made and the conclusion. |
Project actions list | CAB | CAB, NCCA | A list in which the CAB keeps track of all actions including their status related to the assessment as discussed during the ERMs. The final version will be provided to the NCCA as part of the request for approval. |
Certifier Review Report | CAB | CAB, NCCA | Report in which the CAB keeps track of all its review activities leading up to its certification decision. Final version will be provided to the NCCA as part of the request for approval. |
Certification Report (CR) | CAB | NCCA | A document containing a high-level description of the product and the certification performed. This document will be published in conjunction with the certificate. |
Draft certificate | CAB | NCCA | A draft of the certificate that the CAB makes before formal approval for certification is given by the NCCA. |
Request for approval | CAB | NCCA | Request from the CAB to the NCCA to approve the issuance of an EUCC certificate. |
Approval Review Report | NCCA | NCCA | NCCA internal document in which the NCCA keeps track of everything leading up to its decision regarding the final approval. |
Approval to issue certificate | NCCA | CAB | Official notification sent by the NCCA to the CAB to approve the issuance of an EUCC certificate. |
Rejection of approval | NCCA | CAB | Official notification sent by the NCCA to the CAB to reject the issuance of an EUCC certificate. |
Certification notification | CAB | Sponsor, NCCA, ENISA | Notification to the sponsor, NCCA and ENISA that a product has been certified under EUCC. |
Protection Profile (PP) | Sponsor | CAB, NCCA | A document describing a set of security requirements for a class of products, i.e. it specifies the security needed in an IT product. This document can be the subject of a certification, or a product's Security Target can claim compliance with it. |
Security Target (ST) | Sponsor | CAB, NCCA | A document describing a set of implementation-dependent security requirements for a product. I.e. it specifies the security provided in a specific IT product and forms the basis for a product assessment. |
Security Target Lite (ST-Lite) | Sponsor | CAB, NCCA | A Security Target sanitised by the removal or paraphrasing of proprietary technical information. |
Evaluation Technical Report for composite evaluations (ETRfC) | CAB | NCCA, CAB | A subset of an ETR that is intended for re-use in a composite certification process (by another CAB). |
Site Technical Audit Report (STAR) | CAB | NCCA, CAB | A report describing the audit results of the development and production environment of the product that is intended for re-use in another product certification process (by another CAB). |
Impact Analysis Report (IAR) | Sponsor | CAB, NCCA | A document describing changes to a certified product, used as input for assurance continuity. |
All documents or other material (e.g., presentations) exchanged with the NCCA shall be in electronic form and in the English language. If the material contains proprietary or sensitive information, it should be submitted in encrypted form with PGP encryption using the public NCCA keys, which can be downloaded from the NCCA website.
Please refer to the NCCA instruction NI001 - Information exchange for further guidelines on how documents or other material shall be exchanged with the NCCA. This applies to all instances in this document where the words "send to the NCCA" are used.
1.3 Roles
Role | Responsible entity | Description |
---|---|---|
Certificate issuer | CAB | Designated person within a CAB with the authority to issue certificates. |
Certifications manager | CAB | Overall point-of-contact for the general operation of the CAB. Will submit the monthly forecasts and the certification notifications. |
Certifier | CAB | Person from the CAB responsible for the review of the evaluation activities and generation of the certification report. |
Evaluator | CAB | Person performing the evaluation activities and generation of the evaluator evidence and ETR. |
Certification auditor | NCCA | Person responsible for the monitoring of the certification process comprising the activities of the certifier who has reviewed and assessed the activities of the evaluator. |
Audit supervisor | NCCA | Person responsible for processing the monthly forecast and pre-allocating resources, preparing the official rejection or acceptance of the notification and providing the official rejection or acceptance of the certificate. |
External expert | CAB | Person (internal to the RDI or from an external organisation) supporting the certification auditor providing technical expertise not possessed by the NCCA itself. |
Sponsor role | Sponsor | The sponsor is the entity that wishes a product to be certified under EUCC and is responsible for providing all the necessary developer evidence. The sponsor will become the holder of the certificate. Usually the sponsor is the manufacturer or supplier of the product to be certified under EUCC. |
2. Forecast process
The Forecast Process is asynchronous to the Certification Process and is intended to allow the NCCA to take the necessary preparation steps for upcoming EUCC notifications. Knowing beforehand the amount and type of EUCC notifications enables the NCCA to perform adequate resource planning and allocation such that the lead time of the Certification Process can be optimised.
Every CAB is expected to report to the NCCA on a monthly basis all certification leads for assurance-level high of which it expects with more than 70% certainty that they will lead to a notification within the next three months.
The Forecast Process only consists of one phase: the Forecast Phase.
2.1 Phase 0: Forecast Phase
2.1.1 Step 0.1: Prepare and submit monthly forecast
Responsible: CAB | Executed by: Certifications manager |
---|
Note 1: This information has to be collected on a monthly basis. If the CAB makes use of external ITSEFs, then it may request this information every month from the ITSEFs, or procedurally demand from the ITSEF that they send this information structurally every month to them. Note 2: A CAB is expected to report to the NCCA on a monthly basis all evaluation/certification leads for assurance-level high of which it expects with more than 70% certainty that they will lead to a notification within the next three months. |
Responsible: CAB | Executed by: Certifications manager |
---|
Note: In the case a sponsor approached multiple CABs/ITSEFs to perform an evaluation on their product, add all these requests to the forecasting template. |
Note 1: It is understood that the information is commercially sensitive. NCCA will only use this information for its resource planning. Note 2: The monthly forecast may be submitted encrypted or unencrypted. If the CAB wishes to submit the monthly forecast encrypted it may do so with PGP encryption using the public NCCA keys, which can be downloaded from the NCCA website. |
2.1.2 Step 0.2: Collect monthly forecasts and create forecast overview
Responsible: NCCA | Executed by: Audit supervisor |
---|
|
|
|
Responsible: NCCA | Executed by: Audit supervisor |
---|
|
Responsible: NCCA | Executed by: Audit supervisor |
---|
|
Note 1: The pre-allocated certification auditor must be independent from, and not be involved in, the activities of the sponsor/developer and the CAB. Note 2: There may be a need for additional expertise from outside the NCCA. This could be because the relevant expertise is not present within the NCCA, there are insufficient resources available or for other reasons. In such cases the certification auditor could be assisted by an external expert. |
3. Certification process
The certification process comprises the following three phases:
- The Notification Phase: in which the formal notification is submitted and processed, resulting in a formal approval or rejection by the NCCA;
- The Evaluation and Review Phase: in which the actual assessment is performed by the CAB and its (subcontracted) ITSEF. The phase normally ends in a formal request for approval from the CAB to the NCCA for the issuance of a certificate;
- The Certification Approval Phase: in which the concluding actions are performed, resulting in a formal approval or rejection by the NCCA and the actual issuance of an EUCC certificate.
During the assessment of the notification, the NCCA will determine whether there will be NCCA monitoring throughout the evaluation and review phase or not. In the latter case it is expected by the NCCA that a timely approval to issue a certificate can be given without this monitoring.
3.1 Phase 1: Notification Phase
3.1.1 Step 1.1: Prepare for certification
This first step in the notification phase and the related actions are described for completeness and are solely intended as guidance to the sponsor.
Responsible: Sponsor | Executed by: Sponsor role |
---|
|
|
Responsible: Sponsor | Executed by: Sponsor role | In cooperation with: Optionally with a CC consultant or the envisaged CAB |
---|
|
Note: drafting a ST or PP is a specialised task for which the sponsor may want to contract/hire a CC consultant or expert. This may be an independent consultant, but the envisaged CAB could also provide this consultancy service. However the CSA and EUCC impose restrictions on consulting services. |
Note: If the CAB makes use of external ITSEFs, then the sponsor may also need to come to a contractual agreement with the ITSEF for performing the evaluation part of the certification activities. |
3.1.2 Step 1.2: Prepare notification
Responsible: CAB | Executed by: Certifications manager |
---|
|
Note 1: The EUCC (in recital 3 and 5) requires the sponsor to provide a rationale for selecting the correct assurance level which the CAB shall review. This review must be included under the "appropriateness" section in the assessment plan. Note 2: While scheduling the ERMs, consideration must be given that the ERMs cannot be held without the NCCA approval for the suggested ERM dates in the assessment plan. In practice the first ERM should not be planned soon after the notification has been submitted as this increases the risk that the ERM will have to be rescheduled due to NCCA resource management and preparation. In general a 15 working days delay is needed after the formal approval has been issued by the NCCA (see Action 1.3.4: Issue formal decision on assessment plan). |
|
Responsible: Sponsor | Executed by: Sponsor role |
---|
|
|
Responsible: CAB | Executed by: Certifications manager |
---|
|
Note 1: The EUCC notification form and related documents may be submitted encrypted or unencrypted. If the CAB wishes to submit the documents encrypted it may do so with PGP encryption using the public NCCA keys, which can be downloaded from the NCCA website. |
The reception of the notification is a milestone for the NCCA after which the notification has to be processed within the legally defined terms.
3.1.3 Step 1.3: Assess notification
Responsible: NCCA | Executed by: Audit supervisor |
---|
|
|
Note 1: The appointed certification auditor must be independent from, and not be involved in, the activities of the sponsor/developer and the CAB. Note 2: There may be a need for additional expertise from outside the NCCA. This could be because the relevant expertise is not present within the NCCA, there are insufficient resources available or for other reasons. In such cases the certification auditor could be assisted by external expert(s). |
Responsible: NCCA | Executed by: Certification auditor |
---|
Note: The Notification Review Report is intended to collect findings on the notification documents, and forms the basis for the formal decision on the assessment plan. |
|
Note: The checks on scope and authorisation will not take part in case the EUCC notification is part of an initial assessment that the CAB needs to perform as part of its initial accreditation and licensing process. |
Responsible: NCCA | Executed by: Certification auditor | In cooperation with: Optionally with an external expert |
---|
Note: The EUCC (in recital 5) requires the sponsor to provide a rationale for selecting the correct assurance level which the CAB shall review. This review must be included under the "appropriateness" section in the assessment plan. |
Note: The EUCC (in article 7) requires security assurance requirements classes for vulnerability assessment and independent functional testing to be included in the evaluation. The EUCC in Chapter V and VI also has requirements related to vulnerability monitoring, management and disclosure for which the sponsor shall establish and maintain the necessary procedures. In the Netherlands these procedures need to be included in the evaluation. |
Responsible: NCCA | Executed by: Audit supervisor |
---|
|
Note: The letter of acceptance will include the name of the certification auditor and, where applicable, the name of the external expert(s). It also indicates whether monitoring will be performed. |
Note: The formal acceptance is based on the content of the provided assessment plan. This plan may need to change at a later stage and then requires a renewed acceptance by the NCCA. Changes of the assessment plan or deviations thereof may have consequences for the NCCA approval to issue a certificate. See also Step 2.5: Project monitoring. |
The acceptance of the assessment plan is a milestone for the CAB after which the assessment can formally commence.
In case of rejection the certification process stops and a new submission of an EUCC notification is required.
3.2 Phase 2: Evaluation and Review Phase
The evaluation and review phase consists of an iteration of 3 activities, one for each of the Evaluation Review Meetings (ERMs) followed by a final reporting activity. By default there will be 3 ERMs in this phase, but this will be dependent on the evaluation approach as defined in the assessment plan during the notification phase.
The evaluator is responsible for delivering the evaluator evidence which records the results of the evaluation activities (ref. ISO/IEC 17065 section 7.4 / ISO/IEC 17025 chapter 7). These reports are reviewed by the CAB's certifier (ref. ISO/IEC 17065 section 7.5) and the review comments are communicated to the evaluator in Certifier Review Reports (and discussed in an ERM). The CAB is responsible for recording minutes of the ERMs and tracking of the action items.
After the final ERM, when all Certifier Review Report comments have been addressed and any action items closed, the evaluation is concluded with the generation of the final Evaluation Technical Report (ETR) by the evaluator. The certifier shall use the final ETR to create a Certification Report (CR) and draft Certificate. At the conclusion of the evaluation and review phase these documents will then be submitted to the NCCA for approval.
There are usually multiple iterations of the steps 2.1–2.3 according to the number of ERMs specified in the assessment plan. There are three ERMs defined for a typical EAL4 and higher evaluation (see NCCA instruction NI002 - Content and presentation of evaluation review meetings), but some of these meetings can be combined for evaluations claiming lower assurance level packages (outside the scope of this document) and for maintenance and re-certification tasks. The content to be discussed in each ERM is also specified in NCCA instruction NI002 - Content and presentation of evaluation review meetings and refined in the assessment plan. This will dictate what evaluator evidence is to be provided and what evaluation activities are to be performed by the evaluator in preparation for the ERM. Similarly, the agenda for each meeting is taken from the definition of the ERMs specified in the assessment plan.
In the case where there is NCCA monitoring foreseen throughout the evaluation and review phase, the certification auditor (NCCA) will be in copy of all meeting deliverables, but he may choose not to attend the ERMs. Being in copy shall not be the case when there is no NCCA monitoring, and only the request for approval including all associated documents will be delivered to the NCCA for approval (see output from Action 2.4.5: Submit request for approval). This means that when there is no NCCA monitoring, there will be no NCCA involvement during the evaluation and review phase other than Step 2.5: Project monitoring.
See also the NCCA instruction NI002 - Content and presentation of evaluation review meetings for an overview of the ERMs and the associated meeting deliverables.
3.2.1 Step 2.1: Assess developer evidence and generate meeting deliverables
Responsible: CAB | Executed by: Evaluator |
---|
|
|
Responsible: CAB | Executed by: Evaluator |
---|
|
|
Responsible: CAB | Executed by: Evaluator |
---|
|
|
|
Responsible: CAB | Executed by: Certifier |
---|
|
|
Note 1: The meeting deliverables are to be sent to the NCCA/certification auditor at least 5 working days before the meeting is scheduled to be held. Note 2: The meeting deliverables and invitation are optionally sent to the sponsor depending on the agreement between the CAB and sponsor. Note 3: The ERMs shall be held as a physical-only meeting at a location in the Netherlands. |
3.2.2 Step 2.2: Prepare developer evidence
Responsible: Sponsor | Executed by: Sponsor role |
---|
|
Note: Developer evidence can take many forms, including documents, e-mails or physical access to the development site. The form in which the developer evidence is supplied to the CAB needs to be mutually agreed. The CAB may for example agree to get access to the information on the premises of the manufacturer or provider. |
3.2.3 Step 2.3: Conduct evaluation review meeting 1, 2 and 3
Responsible: NCCA | Executed by: Certification auditor |
---|
|
|
|
Responsible: Sponsor | Executed by: Sponsor role |
---|
|
|
Responsible: CAB | Executed by: Certifier | In cooperation with: Evaluator (Note: both NCCA and sponsor may attend) |
---|
Note: ERM deliverables can only be provisionally approved as subsequent ERMs may invalidate the verdicts due to new information found. The final formal approval takes place in Step 2.4: Generate final evaluation & certification reports. |
Responsible: CAB | Executed by: Certifier or evaluator |
---|
Note 1: No full meeting minutes are required to record every aspect of discussion, but rather these minutes serve as a summary record of issues discussed, the verdicts and conclusions made during the meeting. Note 2: The meeting minutes and updated project actions list need to be provided within 3 working days after the meeting. |
3.2.4 Step 2.4: Generate final evaluation & certification reports
Responsible: CAB | Executed by: Evaluator |
---|
|
|
|
Responsible: CAB | Executed by: Certifier |
---|
|
|
|
|
Responsible: CAB | Executed by: Certifier |
---|
|
|
|
Responsible: CAB | Executed by: Evaluator | In cooperation with: Sponsor |
---|
|
|
|
Responsible: CAB | Executed by: Certifier |
---|
|
|
|
|
The reception of the request for approval is a milestone for the NCCA after which the request has to be processed within the legally defined terms.
3.2.5 Step 2.5: Project monitoring
Certification is in general a process that continues for some weeks, if not months. The assessment plan on which the NCCA based its initial approval may therefore be subject to changes and these changes may require a renewed approval.
Also the certification process may be terminated prematurely on request of either the sponsor or the CAB. The NCCA may also terminate the certification process under certain conditions in which case the approval of the assessment plan is withdrawn by a revocation decision.
The above two activities are combined into an asynchronous step that can be executed independent of the other steps and are further described below.
Changes in the approved assessment plan
An assessment plan forms the baseline for the evaluation and certification work and the approval by the NCCA. As it is agreed upon by all involved parties it cannot be changed or executed in a different way by a single party. Possible changes that might have an impact can be categorised as follows:
- Re-scheduling of milestones; these include both deliverables and review meetings: The assigned certification auditor (and if applicable external experts) expects to review meeting deliverables and attend ERMs based on the agreed planning. Time is reserved in their agenda which is difficult to re-allocate if deliverables are not submitted at the agreed date. The same is also true for the delivery date of the request for approval with its associated documents and any re-scheduling of meetings;
- TOE scope changes: the (draft) ST/PP is reviewed during the notification phase, and is accepted as having a valid TOE scope by the approval of the assessment plan by the NCCA. Changes to the TOE scope mostly have an impact on the certification and evaluation work already performed and could in extreme cases even result in inappropriate removal of security features or inappropriate additions of assumptions;
- Evaluation scope/approach changes: changes to the evaluation scope (e.g. more or less development sites to be audited), additional/different deliverables, or when additional review meetings are needed, will always have an impact on the evaluation and certification work and the approval of the assessment plan by the NCCA;
- Certification project staffing assignment changes: the certification auditor only accepts deliverables that are authorized by the persons listed in the assessment plan.
All types of changes, including the rationale for the change, must be reported without undue delay so that their impact against the formal approval of the assessment plan can be determined. Changes need to be communicated initially via e-mail. The impact is assessed by the NCCA as the assessment plan is used to verify that the evaluation and certification work has been conducted according to the assessment plan. This verification is part of the assessment of the CAB's request to issue a certificate (see Action 3.1.3: Review ETR, CR and certificate). Based on its assessment, the NCCA may require the CAB to make an update of the assessment plan so that a formal approval of it can be re-issued.
Changes in certification staffing (resulting in a change of point of contact at the CAB) and rescheduling of an ERM and meeting deliverables have to be communicated at the latest 5 working days before it was planned for the meeting deliverables to be sent to the NCCA/certification auditor. Preferably this change is communicated in combination with a proposal for a new delivery and meeting date. The NCCA/certification auditor will assess the change and where necessary seek agreement on a new delivery and meeting date. These types of changes generally do not require an update of the assessment plan.
An update to the assessment plan will generally be required when there is a change to the TOE scope or evaluation scope/approach. However it is not always the case that all certification scope/approach changes require an update to the assessment plan. For example, a change to discuss the ALC site audit checklist in ERM1 rather than ERM2 is a change in certification approach, but this change is considered minor and could be agreed by the NCCA through an e-mail.
Termination of the certification process
In most cases a certification is executed in accordance with the assessment plan and the delivery schedule mentioned, even though slight changes in the planned dates might occur.
However, if during a certification process there are no evaluation and certification activities for more than 6 months, the NCCA may decide to terminate the process so that resources are no longer allocated. In case of a monitored certification, the 6-month period will be calculated from the agreed date of the first upcoming ERM. When the certification is not monitored, the 6 months will be calculated from the agreed delivery date of the request for approval.
In exceptional cases the CAB may also decide that they do not want to continue the certification. In this situation the NCCA must officially be informed of such a request to terminate the certification process and the rationale for it.
In either case the NCCA will document its decision in a Termination Justification Report. Based on this a formal termination decision will be sent, after which the NCCA will close the project in the NCCA document management system.
3.3 Phase 3: Certification Approval Phase
3.3.1 Step 3.1: Assess request for approval
Responsible: NCCA | Executed by: Certification auditor |
---|
|
Responsible: NCCA | Executed by: Certification auditor |
---|
Note: The Approval Review Report is intended to collect findings on the request for approval document, and forms the basis for the formal approval or rejection to issue a certificate. |
|
Responsible: NCCA | Executed by: Certification auditor | In cooperation with: Optionally with an external expert |
---|
|
|
|
|
Responsible: NCCA | Executed by: Audit supervisor |
---|
|
|
|
The approval to issue a certificate is a milestone for the CAB after which the certificate can be formally issued.
In case of rejection the certification process stops and the CAB is not allowed to issue an EUCC certificate. A new submission of a corrected Request for Approval is required to restart the process.
3.3.2 Step 3.2: Issue certificate
Responsible: CAB | Executed by: Certifier/Certifications manager |
---|
|
Note: ENISA will develop a procedure for the release of the EUCC mark and label, including the QR code. This will most likely require the CAB to provide an XML file containing information derived from the Certification Report. |
|
|
Responsible: CAB | Executed by: Certifier/Certifications manager |
---|
|
Note: In accordance with EUCC (article 40), all records shall be securely and accessibly stored for a period of at least five (5) years after the withdrawal of the certificate. |
Responsible: CAB | Executed by: Certifier/Certifications manager |
---|
|
|
|
3.3.3 Step 3.3: Conclude approval process
Responsible: NCCA | Executed by: Certification Auditor |
---|
|
|
|
4. Assurance continuity process
This chapter is work in progress and will be updated in the near future. The text below may serve as a guideline on how the maintenance process will be implemented. In any case the requirements from both EUCC Annex IV "Assurance Continuity and certificate review" and the CCRA supporting document "Assurance Continuity: CCRA Requirements" apply whereby the EUCC requirements take precedence.
In accordance with EUCC Annex IV "Assurance Continuity and certificate review" the sponsor can apply for a review of the certificate in the following cases:
- the EUCC certificate is due to expire within nine months;
- there has been a change either in the certified TOE or in another factor which could impact its security functionality;
- the sponsor demands that the vulnerability assessment is carried out again in order to reconfirm the EUCC certificate's assurance associated with the TOE's resistance against present cyberattacks.
The CAB that issued the certificate will then perform maintenance activities related to the following:
- a re-assessment if an unchanged certified ICT product still meets its security requirements;
- an evaluation of the impacts of changes to a certified ICT product on its certification;
- if included in the certification, the application of patches in accordance with an assessed patch management process;
- if included, the review of the certificate holder's lifecycle management or production processes.
The following procedure applies:
- The sponsor submits an application form to the CAB with the request to perform the necessary activities to update the certificate. This step is similar to Step 1.1: Prepare for certification;
- In case the sponsor applies for an evaluation of the impacts of changes to a certified ICT product on its certification, the CAB assesses the IAR in consultation with the original ITSEF and decides whether a maintenance process can be followed or that re-certification is necessary;
- The NCCA template NT003 - EUCC notification form shall refer to an Impact Analysis Report (IAR) as defined in the CCRA supporting document "Assurance Continuity: CCRA Requirements".
Remarks:
- In case of re-certification the standard procedure defined in Phase 2: Evaluation and Review Phase is applied. Depending on the nature of the alterations, it is possible that items from the earlier certification (of the "same" TOE) are re-used. The details of the certification process and the options for re-use shall be described in the assessment plan.
5. The vulnerability management and disclosure process
This chapter is work in progress and will be updated in the near future. In any case the requirements from EUCC Chapter VI "Vulnerability management and disclosure" apply.