home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hackers Toolkit v2.0
/
Hackers_Toolkit_v2.0.iso
/
HTML
/
archive
/
Rainbow
/
ncsc
/
pinkncsc.txt
< prev
next >
Wrap
Text File
|
1999-11-04
|
144KB
|
2,755 lines
Rating Maintenance Phase Program
NCSC-TG-013-89
Library No. S-232,468
Version - 1
FOREWORD
The National Computer Security Center has established an aggressive
program to study and implement computer security technology, and to
encourage the widespread availability of trusted computer products for use
by any organization desiring better protection of their important data.
The Trusted Product Evaluation Program, and the open and cooperative
business relationship being forged with the computer and
telecommunications industries, will result in the fulfillment of our
country's computer security requirement. We are resolved to meet the
challenge of identifying trusted computer products suitable for use in
protecting information.
"Rating Maintenance Phase Program Document" is the latest in the series of
technical guidelines published by the National Computer Security Center.
The Rating Maintenance Phase (RAMP) of the Trusted Product Evaluation
Program provides for the maintenance of computer security ratings across
product revisions. This document describes RAMP for current and
prospective vendors of trusted systems. The primary objectives are to
provide formal statements of program requirements and to provide guidance
on addressing them.
As the Director, National Computer Security Center, I invite your
recommendations for revising this technical guideline. We plan to review
this document as the need arises.
________________
Patrick R. Gallagher, Jr.
23 June 1989
Director, National Computer Security Center
ACKNOWLEDGMENTS
The National Computer Security Center extends special recognition and
acknowledgment to Tommy Hammer, Ph.D., as principal author of this
document and to LT Patricia R. Toth (USN) as project manager for the
publication of this document.
We wish to thank the following for their contributions in developing the
concepts and procedures of rating maintenance characterized by this
document: Blaine Burnham, Ph.D., David M. Chizmadia, Donald Crossman,
Major Doug Hardie, Howard Israel, Shawn P. O'Brien, Michael J. Oehler,
Mary D. Schanken, Dana Nell Stigdon, John W. Taylor, and W. Stan Wisseman.
1. OVERVIEW OF THE RATING MAINTENANCE PHASE
1.1 BACKGROUND AND CHARACTERISTICS OF RAMP
The National Computer Security Center (the Center) evaluates commercially
marketed products against the Department of Defense Trusted Computer
System Evaluation Criteria (TCSEC) classes D through A1. Each evaluation
by the Center yields a TCSEC class designation, or rating, for the given
product. The Center publishes these ratings in the Evaluated Products List
(EPL), which is widely cited in computer system procurements. The Center
thus works in partnership with private industry to establish product
trust.
The purpose of the Rating Maintenance Phase (RAMP) is to provide currently
available trusted products. RAMP is essential for this purpose because of
the frequency with which many vendors revise their offerings. Vendors
often market new releases of a product every few months and keep multiple
versions under development at all times. Without RAMP, only the initial
evaluated version is a trusted system with a TCSEC rating. RAMP allows the
Center to establish a rating and an EPL listing for each product release
following an evaluated release.
RAMP is intended to yield an EPL listing for a revised product shortly
after its release date. This outcome is possible because RAMP builds
cumulatively upon the evidence and assurance established by a product
evaluation, and because the vendor bears primary responsibility in RAMP
for maintaining product trust as the system evolves. The vendor follows
strict procedures that integrate security analysis, configuration
management, and evidence accumulation into the development process. The
Center then extends the product rating to each successive release by
ascertaining that the vendor has executed all rating maintenance
responsibilities fully and correctly.
RAMP always builds upon a product evaluation; it provides no opportunity
to avoid an evaluation. The program does not diminish the role of
evaluations in any sense other than reducing vendor motivation to seek
product reevaluations. RAMP provides no opportunity for a product release
to obtain a different rating from the one held by the original evaluated
version (other than a D rating, which terminates RAMP for the given
product).
1.2 RAMP BENEFITS AND COSTS
The following are potential benefits of RAMP for system vendors:
1) Vendors participating in RAMP can offer their latest products in
response to procurements that favor or require systems rated under
the Trusted Product Evaluation Program.
2) RAMP makes it easier for vendors to discontinue support of previously
rated products that have become outdated.
3) RAMP can reduce a vendor's long-term need for reevaluations while
increasing the vendor's rated product offerings.
4) RAMP can clarify a vendor's representation of a new product version as
a trusted system.
5) RAMP creates a learning process for vendors that can yield valuable
knowledge for trusted system development and marketing.
RAMP participation creates four general types of cost for vendors:
1) Initial expenses of personnel training and program planning.
2) Net vendor costs of establishing RAMP and undergoing a product
evaluation with RAMP.
3) Net costs of complying with RAMP procedural requirements when
developing product revisions.
4) Costs of producing the Rating Maintenance Report and conducting related
tasks to obtain rating approval.
Costs in the second and third categories largely involve the establishment
of a rigorous configuration management system for product changes. These
net costs are highly dependent upon company policies and procedures in the
absence of RAMP, and must be judged on a case - by - case basis from the
description of the program in the following sections.
1.3 RAMP COVERAGE
RAMP is currently available only for the maintenance of C1, C2, and B1
ratings. At present, a product cannot hold a B2, B3, or A1 rating without
an evaluation of the precise version in question. RAMP is currently
directed toward operating systems. Layered products are also eligible if
their sponsors can meet the same requirements that apply to operating
systems. RAMP does not cover subsystems. The Center can accommodate the
evolution of subsystem products more appropriately through reevaluations.
Networks and network components are not eligible for RAMP at this time,
pending resolution of relevant issues for these products.
Vendor participation in RAMP is required for all products under evaluation
for a C1, C2, or B1 rating. A vendor must establish an intent to
participate in RAMP prior to the vendor assistance phase of an evaluation
for the original product, and must then pursue the process continuously so
that successive versions of the product are rated at the same level as the
preceding version. (Previously evaluated products can remain on the EPL,
without RAMP involvement.) The Center reserves the right to determine at
any point in an application of RAMP that further rating maintenance is not
viable under the program because of the nature of product changes. As
described in Section 6, the Center provides advance notice of such
determinations whenever possible.
1.4 RAMP APPROACH
Figure 1 shows the aspects of a typical product life cycle that create the
need for RAMP. Figure 1 does not cover participation in RAMP (or the first
two evaluation steps listed below). The uppermost time line depicts a
vendor's development of a new product, and the second time line describes
the Center evaluation of this release. The sequence of events for a
product evaluation without RAMP is as follows.
1) The vendor submits an evaluation proposal package to the Center for the
given product.
2) The Center assesses the company, the marketability of the product, and
the feasibility of evaluating the product under the TCSEC.
3) The Center prepares a Preliminary Technical Report (PTR) describing the
condition of the product, its development schedule and requirements, and
its candidate rating level.
4) The vendor develops the product according to the schedule identified in
the PTR. The Center provides assistance in meeting the intended rating
level.
5) The vendor declares a code freeze (CF) on the given release of the
product. The code freeze is the end of substantive product changes (as
opposed to testing and fix activities).
6) The Center prepares an Initial Product Assessment Report (IPAR) for
review by the Center's Technical Review Board (TRB). In contrast to the
PTR, the IPAR is an intensive analysis yielding an estimation of whether
or not the product is able to sustain an evaluation at the targeted level
of trust.
7) The Center conducts an evaluation wherein product trust must be
demonstrated and defended to the satisfaction of the TRB.
8) The TRB makes a rating recommendation.
9) Upon ratification by the Chief of the Product Evaluation Division, the
rating is forwarded for publication on the EPL.
10) The Center publishes a Final Evaluation Report (FER) at roughly the
same time that the product appears on the EPL. The FER is a summary,
intended to be publicly releasable, of evidence on product trust.
The central portion of Figure 1 describes the vendor's evolution of the
hypothetical product over time. Long-range planning of the product's
development typically yields a prioritized list of desirable system
modifications for inclusion in releases following the original product.
The revision process works progressively down this list, with the number
of modifications in each revision determined by technical, financial, and
marketing factors.
Figure 1 depicts a fast revision cycle in which the development of each
successive product version begins before the code freeze for the previous
release. A slower cycle might involve the development of each new version
after the previous version is released. As already stated, without RAMP
only the specific product version evaluated by the Center is a trusted
system with a TCSEC rating and a listing on the EPL. This holds regardless
of the nature of system changes, because evaluation and RAMP are the only
acceptable mechanisms for verifying the performance and assurance of the
security features of the product. All new releases without RAMP continue
to be unrated until such time as the product is reevaluated, i.e., some
version undergoes evaluation by the Center and thereby receives a rating.
A goal of RAMP is life-cycle product assurance, meaning production of
evidence that the security features functionality and assurance
established in an evaluation are maintained across every system revision.
Figure 1 shows the need for several key aspects of RAMP. First, life-cycle
product assurance clearly requires vendor involvement and willingness to
integrate security concerns into the system development process. Security
analysis and the assembly of product evidence cannot be treated as
intermittent or external functions. Second, rating maintenance activities
obviously must be established very early in the product life cycle, before
the original product is completed and work has begun on subsequent
releases. Third, the manner in which the Center achieves rapid turnaround
of rating maintenance requests is reliance upon ongoing procedural
controls. These controls include program planning requirements, training
of vendor personnel to perform security analysis, and Center reviews of
the rating maintenance process.
The key elements of RAMP are security analysis and configuration
management. Security analysis is the intellectual process of designing,
analyzing, and testing product changes to assure that they do not
compromise the security characteristics of the product. Configuration
management*defined as a process of systematically managing changes across
an entire system*is the overall procedural framework for implementing and
documenting the directives and conclusions from security analysis.
Configuration management provides the fundamental linkage of product
evidence between the evaluated product and each new release under RAMP. A
rigorous configuration management system should be established prior to
the evaluation phase and applied to every product change throughout the
duration of rating maintenance. This requirement holds for any product in
RAMP. (Product evaluations without RAMP require configuration management
only for rating levels B2 and above.)
Figure 2 describes the general structure of RAMP. This diagram provides a
brief overview of the topics discussed in the following sections, and is
superseded in Section 8 by a more detailed graphic depiction of RAMP
activities. The boxes in Figure 2 are task groupings arranged on a time
scale from left to right. The arrows denote flows of information and
program directives.
Ramp Approach - Continued
Box 1 depicts the Center evaluation of the original product.
(This document commonly refers to the evaluated product that starts a RAMP
process as the "original" product, even though it may in fact be a
reevaluated version of some earlier product.) The vendor has already
established an intent to participate in RAMP in the evaluation proposal
package for the given product. While the product is still under
development, one or more vendor representatives undertake a Center
training program in computer security and RAMP requirements (box 2 in
Figure 2). A person completing this program can serve as a
Center-recognized Vendor Security Analyst (VSA) in representing the
vendor's product to the Center. The VSA role is a key source of product
assurance in RAMP. (See Section 2 for a discussion of Center recognition
of VSAs.)
The vendor specifies every aspect of the vendor's RAMP process in a Rating
Maintenance Plan (RM-Plan). The RM-Plan establishes all procedures for
maintaining product trust, including control of changes to the RM-Plan
itself. The RM-Plan can be tailored to the vendor's preexisting business
practices, but it must be followed precisely throughout the product life
under RAMP. Preparation of the RM-Plan (box 3 in Figure 2) begins as soon
as the vendor has gained a sufficient understanding of rating maintenance.
The RM-Plan must be approved by the Center before the Center's issuance of
an IPAR for the original product. The RM-Plan must be in force before
development begins on the version that will supersede the evaluated
version.
The activities depicted by boxes 4 through 6 in Figure 2 recur for each
product revision. (Box 3 recurs whenever the RM-Plan is changed.) Rating
maintenance actions*box 4*are configuration management tasks conducted
entirely by the vendor. These actions include: examining proposed system
changes for security relevance; analyzing the direct and indirect impacts
of changes; giving instructions for the implementation of changes;
monitoring the implementation process; testing the revised system;
modifying the tests as necessary; and updating all documentation to
reflect each change. A VSA conducts, supervises, or monitors each of these
tasks.
The vendor's RAMP process is subject to two types of reviews by the Center
(box 5). The Center conducts an interim review after the start of rating
maintenance for each new product revision. These interim reviews may or
may not involve site visits after RAMP has operated for one or more
releases. The Center also conducts aperiodic on-site reviews. Both types
of program review have the purpose of assuring that security features
functionality and assurance are being maintained by adherence to all the
procedures established in the RM-Plan. Both reviews serve the mutual
interest of the vendor and the Center in identifying problems quickly so
that the vendor can initiate corrective actions in a timely manner.
The Center assigns a Technical Point of Contact (TPOC) to advise and
coordinate the use of RAMP for the given product. A Center Business Point
of Contact (BPOC) handles administrative and programmatic aspects of the
process. A Responsible Corporate Officer represents the vendor in
administrative matters. The Responsible Corporate Officer is a person
empowered to commit the company financially to the program and support the
technical role of the VSA. Sections 2 and 5 describe these persons and
their interactions in greater detail.
Box 6 in Figure 2 covers the submission and review of evidence for a
completed revision. The vendor submits to the Center a Rating Maintenance
Report (RMR) containing a summary of product evidence. Following an
initial review for completeness and general adequacy, the RMR is forwarded
to the Center's Technical Review Board (TRB). The VSA or VSAs associated
with the product then defend the RMR and other evidence before the TRB.
The remaining steps in a successful application of RAMP include a
recommendation by the TRB, a rating approval by the Chief of the Product
Evaluation Division, and a product listing on the EPL. The process is
designed so that, if all the vendor's preparations are complete and
accurate, only a short time should elapse between the end of the initial
RMR review and the listing of the product on the EPL.
1.5 LINKAGES BETWEEN RAMP AND EVALUATION
The establishment of RAMP is tied to the evaluation process at four
points. First, the vendor must include an intent to participate in RAMP as
part of the evaluation proposal package that starts the evaluation
process. Second, the Preliminary Technical Report (PTR) prepared by the
Center establishes the ability of the vendor to conduct RAMP activities.
The PTR examines the vendor's understanding of configuration management;
explains the implications of the TCSEC for the given product; and advises
the vendor about the contents of the RM-Plan.
Third, the Center does not complete an Initial Product Assessment Report
(IPAR) for a product covered by RAMP until an RM-Plan is approved. A
section of the IPAR confirms the adequacy of the RM-Plan and the vendor's
ability to comply with all provisions of the plan.
Fourth, the vendor of a product in RAMP prepares a RAMP audit to support
the evaluation by the Center. The RAMP audit is discussed in Section 3.
The Center conducts three TRB sessions. During the first session, at the
end of the Design Analysis Phase, the IPAR is reviewed. The second and
third TRB sessions occur during the Evaluation Phase. The second session
covers product testing. The third is a final, comprehensive session. The
initial RAMP audit must be evaluated and approved at the second TRB
session. (The program assessment performed at this time constitutes the
first RAMP interim review. See Section 5 for further discussion of interim
reviews.) The RAMP audit is treated at that time as an integral part of
the functional testing requirement (test suite) for the product. This is
one of several respects in which RAMP participation increases the
evaluation effort for both the vendor and the Center.
1.6 APPLICABILITY OF RAMP
The following table summarizes RAMP eligibility in terms of product type.
RAMP ELIGIBILITY BY TYPE OF PRODUCT
Eligible Products Ineligible Products
Operating Systems Subsystems
Layered products, if vendor Networks
demonstrates knowledge of base
product consistent with RAMP
requirements*
*See Sections 3 and 7
A vendor must satisfy the RAMP requirements summarized in the Appendix.
These requirements are linked to the timing of the product evaluation and
are determined as the evaluation proceeds. A vendor failing to satisfy
these requirements loses the opportunity to participate in RAMP until such
time as the product in question is reevaluated.
1.7 DOCUMENT CONTENTS
The organization of material in the remainder of this document generally
follows the numbering of boxes in Figure 2. The one exception is that
description of the RM-Plan is deferred until all subjects covered by the
plan have been discussed.
Section 2 addresses the training of vendor personnel as VSAs.
(Description of the VSA role continues in Sections 4 through 6.) Rating
maintenance actions are the subject of Sections 3 and 4. Section 3
discusses the conceptual aspects of configuration management in RAMP, and
Section 4 addresses procedural issues. Section 5 deals with program
reviews and the structure of RAMP in terms of communication and
accountability. Section 6 covers the presentation of evidence for a
product revision and the steps leading to a rating determination. Section
7 describes the contents of the RM-Plan. Section 8 provides an overview of
the RAMP process. The Appendix summarizes the vendor's and the Center's
requirements for RAMP.
2. VENDOR PERSONNEL
2.1 INTRODUCTION
RAMP defines two roles for vendor personnel: the Vendor Security Analyst
(VSA) and the responsible corporate officer. At least one
Center-recognized VSA, and a responsible corporate officer, must be
maintained while rating maintenance actions are underway. The use of
multiple persons in the VSA role is a practical necessity for some
products. Vendors choosing to use multiple VSAs must designate one of
these persons as the lead VSA and must maintain clearly defined areas of
VSA responsibility.
VSAs are responsible for the execution of all technical tasks in RAMP
including the presentation and defense of product evidence. Other persons
can participate in RAMP tasks at the discretion of the vendor, but only
VSAs can represent the RAMP process technically to the Center. The ability
of RAMP to yield timely rating approvals for an evolving product depends
heavily upon the credibility and expertise of the responsible VSA or VSAs.
These VSA characteristics are acquired and demonstrated through the VSA
training program and the operation of the RAMP process.
The responsible corporate officer provides overall management of the
vendor's RAMP effort and serves as the point of corporate responsibility
for RAMP to the Center. The responsible corporate officer designates
persons as VSAs; oversees the nonresident phase of VSA training;
establishes VSA responsibilities; communicates with the Center on
administrative and programmatic issues; and provides corporate assurance
that the RM-Plan and submissions of evidence accurately describe the
vendor's RAMP process. Any misrepresentation of the process places the
product rating at risk, reflecting upon both the responsible corporate
officer and the VSAs involved. The responsible corporate officer must
occupy a sufficiently prominent position in the corporate structure to
bear this responsibility and to commit the necessary company resources to
RAMP.
This subsection addresses the VSA training program, the establishment of
VSA credibility, and the program requirements pertaining to multiple VSAs.
The next four subsections describe VSA duties and responsibilities in more
specific terms. Section 7 then discusses the establishment of the VSA role
in the RM-Plan, and Section 8 covers Center and vendor responses to
failures in this role.
2.2 SELECTION AND RECOGNITION OF VSAS
While the vendor will probably employ numerous technical personnel in
support of product development and maintenance, the Center only recognizes
as RAMP representatives those individuals who have completed the VSA
training program and are named by the vendor's RM-Plan as VSAs. Only these
Center-recognized VSAs and the responsible corporate officer can interact
with the Center on behalf of the product.
The remainder of this subsection discusses criteria that should be
considered by the responsible corporate officer when selecting personnel
who will support the technical development or maintenance of a product (to
include both VSAs and other technical personnel). Additional criteria,
applying only to VSAs, are discussed in the next subsection, Admission To
Training Program.
Recommended Criteria for Vendor Selection of Technical Personnel:
1) Knowledge of the product on which the person will work.
2) Knowledge of computer science and computer security.
3) Corporate position and expected longevity of association with the
vendor and the given product.
4) Time availability for involvement in RAMP tasks.
5) Contribution to multiple-VSA strategy (if used).
Regarding the first two criteria, the emphasis of RAMP upon VSA capability
provides strong motivation for vendors to staff this function with the
most knowledgeable persons available. The third and fourth criteria are
practical considerations of obvious significance and are particularly
relevant to personnel serving as VSAs. Problems can result from relying
upon persons at either end of the corporate hierarchy. Low-ranking persons
may lack sufficient authority and influence to fill the VSA role
effectively, whereas high-ranking persons may not have enough time for
day-to-day participation in rating maintenance tasks. Ideally, a VSA
should be devoted full-time to the security analysis and rating
maintenance of the given product. Continuity of involvement is critical
because smooth operation of RAMP depends upon the progressive
establishment of VSA credibility with the Center.
The last criterion covers such possibilities as using backup VSAs,
establishing mentoring relationships among VSAs, and selecting VSAs to
fill specialized roles within the RAMP process.
2.3 ADMISSION TO TRAINING PROGRAM
Vendors should submit VSAs for training by the Center as soon as possible
when planning to use RAMP. The Center views timely involvement in the
training program as an indicator of vendor commitment to the RAMP process.
The responsible corporate officer sends a written request for vendor
training with a statement of qualification for each potential trainee.
(Ideally, the responsible corporate officer also undergoes training.) The
Center strongly urges vendors to submit candidates with the following
qualifications:
General:
1) Participants in the Center training program should have sufficient
background in computer science to analyze all aspects of system
design including functional hardware logic and software code.
2) A trainee should be knowledgeable about the specific product for which
he or she will serve as VSA. (A person can possibly serve as a
Center-recognized VSA for multiple products, but at any given time the
Center only deals with a VSA as a representative of a specific product.)
Specific:
3) A trainee should have obtained a degree from a four- or five-year
college program with a major in computer science, engineering , or
other technical field that emphasizes computer science;
OR, a trainee should have at least five years of professional
experience working with computers in a design or analytical capacity.
4) A trainee should have at least one year of experience with the
specific product for which she or he will serve as VSA.
2.4 CENTER TRAINING PROGRAM
The VSA training program addresses the following subject areas:
general principles of computer security; requirements and Center
interpretations of the TCSEC; security issues in the system development
process; and all aspects of RAMP. The calendar time required for a trainee
to complete the course depends upon scheduling factors but should not
exceed two months given an adequate time commitment. It is not possible in
such a period to train persons as security evaluators capable of
conducting an unsupervised product evaluation; but the course does impart
sufficient capability to establish product trust when working from an
evaluated system. The Center assumes no responsibility for the selection
of a VSA and, in particular, the consequences of an inappropriate
selection of a VSA by a vendor. The Center training program is provided as
an additional measure to help the vendor prepare and select appropriate
personnel to serve as VSAs who will, in turn, increase the likelihood that
the vendor will be able to maintain a given product's level of trust. The
Center's principal concern is, and will remain, the maintenance of a
product's rating, not the certification of a VSA. For this reason, the
Center will assist in the training of, but will not formally certify,
VSAs.
The training program currently consists of a three-week program of study
conducted at facilities in the Baltimore/Washington, D.C., area. Beginning
in 1990 the Center plans to implement a dual-phase program, which will
include a nonresident (correspondence) phase and a resident phase (with
the former always occurring first).
The remaining description of the Center training program describes the
planned implementation of the dual-phase program. The current Center
residence program incorporates all resident testing and assessment of
VSAs.
The nonresident portion of the training program does not require a
classroom setting and can take place at any location convenient to the
vendor and the trainees. The flexibility of this phase with regard to
location and scheduling allows the training program to be driven by vendor
demand. However, the course requires a significant block of time and
cannot simply be scheduled around an employee's normal workload. The
responsible corporate officer must take responsibility for assuring that
each trainee has adequate time for the program. In addition, the
nonresident phase will not begin until the vendor has provided for VSA
utilization of the Center's Dockmaster information system (described in
Section 5).
The materials utilized in the nonresident phase of the training program
include:
1) documents prepared by the Center for use in the course;
2) additional required and recommended readings; and
3) tests covering the course documents and required readings.
A vendor representative serves as proctor for the nonresident coursework.
The proctor monitors the progress of each trainee and administers tests
and written assignments. The responsible corporate officer designates the
proctor, monitors the conduct of the course, and provides assurance to the
Center that all aspects of the nonresident phase are executed
conscientiously. A Center training point of contact is available to answer
technical and administrative questions about the program.
Trainee performance in the nonresident phase is evaluated on the basis of
tests, written assignments, and open-book group projects. The tests cover
the course documents and required readings. These materials are forwarded
to the vendor with guidelines for interpreting results, such as the scores
that constitute satisfactory performance on each test. The vendor has
responsibility for determining that a trainee has mastered the nonresident
coursework sufficiently to enter the resident phase.
Trainees then undertake approximately one week of resident classwork at
the Center facility in Maryland. The resident phase focuses upon a worked
example of a Trusted Computing Base (TCB), designed to provide practical
experience in security analysis. The related course materials include a
sample RM-Plan and a sample Rating Maintenance Report. Trainees are
evaluated in this phase by written assignments and an oral examination
that takes the form of a product defense before a mock Technical Review
Board (TRB).
The Center will notify the vendor of each trainee's performance in the
resident phase and offer a recommendation as to whether or not the given
person should be used as a VSA. The assessment provided will note the
VSA's performance using both an absolute scale of reference (i.e., raw
scores on tests) as well as a relative scale (i.e., the VSA's performance
as compared to other VSA candidates who have attended the training). These
scores will be supplemented by a subjective assessment of the candidate
VSA's performance. In the case of a weak candidate, the Center may
indicate that using the given person as a VSA will jeopardize the vendor's
RAMP process. The vendor makes the final decision in this regard. The only
absolute requirements for Center recognition of a vendor representative as
a VSA are: 1) completion of both phases of the training program, and 2)
assignment of VSA responsibilities to the given person in the vendor's
RM-Plan (discussed later).
The VSA training program addresses general principles of computer security
and system development, and is not product-specific. In the event a VSA
becomes a vendor representative for some other product, the training
program need not be repeated.
2.5 FURTHER ESTABLISHMENT OF VSA CREDIBILITY
Smooth operation of the RAMP process requires a higher level of VSA
credibility and expertise than can be established in classroom training
alone. In each RAMP cycle, vendors must demonstrate to the satisfaction of
the Technical Review Board (TRB) that security analysis has been conducted
thoroughly and correctly according to the RM-Plan. This demonstration
involves written evidence, VSA defense of the evidence, and VSA
credibility based upon past performance in RAMP. The higher the level of
demonstrated VSA capability, the less need for time-consuming examination
and information requests, and the less risk of a negative rating
determination.
A practicing VSA builds credibility through program reviews and
presentations to the TRB. The former includes interim reviews during every
RAMP cycle and aperiodic reviews on a less frequent basis. The Center
places major emphasis on a VSA's first interim review. (See Section 5.) In
the first presentation of evidence by a VSA, the TRB examines the VSA's
understanding of the product as well as the management of changes under
RAMP. The topics of questioning include: 1) the product and its security
features and assurances; 2) the procedures followed in applying RAMP on a
day-to-day basis; and, 3) the substance and rationale of decisions
regarding product changes. Section 6 provides further discussion of the
evidence submission process.
Vendors are made aware of any VSA credibility problems through TRB
recommendations and other communications between the Center and the
responsible corporate officer. A VSA who knowingly misrepresents any
aspect of rating maintenance for a product will no longer be recognized by
the Center as a RAMP participant for any product. Furthermore, when a
vendor (responsible corporate officer) allows a misrepresentation to
occur, the RAMP process is terminated with no rating approval for the
product version that was misrepresented. The Center then reviews the
previous cycles of rating maintenance to determine whether the rating
should be rolled back across earlier releases. (See Section 8.) Lesser
infractions consisting of inadvertent VSA errors and oversights can yield
serious delays and uncertainties in rating approval. Overall, there is
strong vendor self-interest in using VSAs who can establish and maintain a
high level of credibility with the TRB.
2.6 MULTIPLE VSAS
Vendors can often benefit from using more than one Center-recognized VSA
for a given product. The multiple-VSA approach supports program continuity
in the event that a VSA becomes unavailable for duty or proves to be
deficient in some respect. For some products, multiple VSAs may be
essential in order to assign separate responsibility for different
production sites, different parts of a product, or different aspects of
rating maintenance. A vendor may also employ some VSAs without assigning
them any official responsibilities in the RM-Plan. The vendor can use such
persons in backup, apprenticeship, or other supporting roles while
limiting the number of product representatives.
The Center encourages the use of multiple VSAs subject to the conditions
stated in the following paragraphs. These conditions, and all further
references to VSAs in the present document, pertain just to
Center-recognized VSAs who have completed the training program and are
assigned RAMP responsibilities in the RM-Plan. Other VSAs can be deployed
freely by the vendor in the same fashion as regular employees but cannot
interact directly with the Center.
The Center must know at all times which VSAs are representing the product
and precisely what their individual responsibilities are. At least one
Center-recognized VSA must be representing the product at any time that
rating maintenance actions are underway. The RM-Plan should describe the
primary area of responsibility for each VSA in such a fashion that all
RAMP activities are covered and there is no ambiguity as to who is
answerable for any given aspect. Divisions of responsibility by production
site or corporate department should be noted along with divisions of
responsibility by RAMP task. VSA responsibilities cannot be altered
without formally changing the RM-Plan to describe the new assignments. As
described in Section 7, the vendor must obtain approval for any change in
the RM-Plan from the Center Technical Point of Contact. The RM-Plan
approval constitutes the Center's recognition of any VSAs named for the
first time as responsible representatives of the RAMP process. Vendors are
urged to make any changes in VSA responsibilities at the beginning of a
rating maintenance cycle, i.e., within a month after the previous rating
approval.
Every recognized VSA must sign the Rating Maintenance Report and be
prepared to defend product evidence for the given cycle before the TRB.
Ultimate responsibility for the RMR rests with the responsible corporate
officer. Other VSA duties can be conducted by one rather than all VSAs.
For example, only one VSA need be a member of the Configuration Control
Board. (See Section 4.) Vendors should nevertheless be aware that the use
of multiple VSAs does not lessen the degree to which each is accountable.
An application of RAMP is only as strong as its weakest link in terms of
VSA credibility.
A vendor using multiple VSAs must designate one person as the lead VSA.
Most technical communication between the vendor and the Center involves
the lead VSA. The Center may require at its discretion that all technical
communication be routed through the lead VSA during some or all of the
RAMP cycle. It is logical but not necessary for the lead VSA to have
supervisory powers over other VSAs. The RM-Plan should describe any
supervisory or coordinating relationships among VSAs. These issues are
discussed further in Sections 5 and 7.
3. SECURITY ANALYSIS AND CONFIGURATION
MANAGEMENT
3.1 SECURITY ANALYSIS
Security analysis is the intellectual core of rating maintenance.
Configuration management is the supporting framework that assures an
accurate translation of security analysis findings into implemented
product changes and evidence of product trust. Security analysis can be
viewed as an aspect of configuration management (or configuration
control). The present document maintains a distinction between these
concepts because for many persons configuration management connotes a set
of mechanical procedures rather than a thought process.
Security analysis is closely associated with design tasks that would be
needed to effect product changes whether or not a product was a trusted
system. RAMP not only introduces security as a design consideration but
also requires security to be the dominant consideration. RAMP does not
permit any compromise of security for the sake of other product design
criteria such as performance, cost, and marketability. There can be
negotiation among possible ways of implementing security for a given
change, but no tradeoff of security features and assurances against other
objectives. The dominance of security is always an integral part of
security analysis as referenced here.
Security analysis draws upon the vendor's full understanding of the
function and interrelationships of security features in the product. This
understanding is applied in diverse ways that do not permit description of
security analysis as a standardized set of procedures. The following
paragraphs indicate briefly the activities, issues, and outcomes of
security analysis for a typical product.
Security analysis starts by establishing the precise nature of all effects
of a product change upon the Trusted Computing Base (TCB). (There may or
may not be a separate, preliminary screening for the existence of TCB
effects; see Section 4.) As defined by the TCSEC, the TCB is the totality
of protection mechanisms *including hardware, firmware, and software*that
together enforce a security policy. The present document uses a somewhat
different definition covering all system elements that support protection
mechanisms. The TCB addressed by security analysis and configuration
management in RAMP includes system code, tests, associated software tools,
test plan documentation, test results, the trusted facility manual, the
security features user's guide, and design documentation. (For hardware,
the program relies upon functional testing rather than configuration
management.)
A product change affects the TCB if it: alters code or documentation
within the identified TCB boundary; augments the contents of the TCB; or
indirectly affects the function of TCB elements. The determination of
indirect effects on the TCB is a critical aspect of security analysis. The
analysis considers any possibility of effects due to interrelationships
among the product's security features. The analysis also acknowledges and
assesses cumulative effects involving multiple product changes. (For
example, two otherwise acceptable changes may conflict in terms of
security because one change assumes conditions that no longer hold, given
the other change.) Security analysis can potentially identify many
different TCB effects resulting from a proposed change to a single
configuration item.
Security analysis enters a design mode once all TCB effects are identified
and understood. The requirement is then to verify that a proposed change
can be implemented without compromising the security features and
assurances of the product, or else to remove the change from
consideration. The security analysis assures that any change is consistent
with approved architectures and does not circumvent defined security
policy. The process of addressing these criteria is usually integrated or
coordinated with the pursuit of other design objectives, but security is
always the paramount concern. Depending upon the nature of the change and
the vendor's business practices, this phase of security analysis may or
may not extend into code-level product development tasks. (See Section 4.)
Security analysis includes checking the adequacy of existing system tests
as affected by each proposed change. The analysis modifies existing tests
or creates new tests as necessary to maintain the effectiveness of the
test suite.
The outputs of security analysis include: instructions for implementing
changes; recommendations for rejecting other changes; new tests and test
documentation; and descriptions of all identified TCB effects, related
analytical findings, and design decisions. The RAMP process subjects the
conclusions of security analysis to two stages of review and retains all
of the above outputs in the configuration management system. Security
analysis is also addressed by the RAMP audit function described at the end
of this section.
3.2 OVERVIEW OF CONFIGURATION MANAGEMENT
Configuration management is a discipline applying technical and
administrative direction to: 1) identify and document the functional and
physical characteristics of each configuration item for a product; 2)
manage all changes to these characteristics; and 3) record and report the
status of change processing and implementation. Configuration management
involves process monitoring, information capture, quality control,
bookkeeping, and an organizational framework to support these activities.
The "configuration" being managed is the TCB plus all tools and
documentation related to the configuration management process.
The overall objectives of configuration management in RAMP are to assure
that the findings of security analysis are implemented correctly, and to
generate product evidence linking with the evidence established in the
evaluation. Configuration management records the "footprint" of the
security analysis and controls and documents all subsequent rating
maintenance tasks. This involves the central direction of system changes
to:
1) maintain the integrity of system information and the standards
affecting its accuracy, timeliness, and reliability;
2) ensure that documentation and tests remain congruous with the rest of
the system;
3) ensure adequate testing of changes prior to incorporation;
4) maintain the integrity of all system interfaces; and
5) support the objective of security analysis.
Many vendors of products rated C1 through B1 already use some form of
configuration management before participating in RAMP. The existing
procedures can often meet RAMP requirements with few modifications,
although fundamental changes are sometimes needed. The RAMP requirements
are sufficiently flexible to accommodate substantial variations in vendor
business practices. Typically, the greatest deficiencies of existing
practices relative to RAMP standards involve security analysis rather than
the record-keeping aspects of configuration management.
The four major aspects of configuration management are configuration
identification, configuration control, configuration status accounting,
and configuration auditing. The present section summarizes these
activities in conceptual terms. Section 4 then addresses procedural issues
in rating maintenance using a representative business model to discuss
specific functions needed for RAMP.
3.3 CONFIGURATION IDENTIFICATION
Configuration management entails decomposing the TCB into identifiable,
understandable, manageable, trackable units known as configuration items
(CIs). The decomposition process is called configuration identification.
To support RAMP, this process must occur before the initial RM-Plan is
completed so that the plan can include the CIs for the original product.
The configuration of the evaluated system is thereby established as a
baseline for assessing future changes.
CIs can vary widely in size, type, and complexity. Although there are no
hard-and-fast rules for system decomposition, the granularity of CIs can
have great practical importance. Selecting CIs that are too small can
impede the audit process by yielding an unmanageable volume of identifying
data. Overly large CIs can hinder configuration management by obscuring
product changes and interrelationships among changes. A potentially
favorable strategy is to designate relatively large CIs for system
elements that are not expected to change over the life of the product, and
small CIs for elements likely to change. System identification ideally
should begin early in the design stage for a product when CIs are most
readily established on a logical basis. For example, each CI might be a
module of code designed to meet one requirement. Regardless of the
strategy for establishing CIs, the granularity of control is defined to be
the module level. The process must allow for the possibility that system
changes will convert non-CI components into CIs.
Vendors in RAMP decompose at least the following system components into
CIs and assign a unique identifier to each.
1) Software and firmware components of the baseline (evaluated) TCB.
2) Design and user documentation.
3) Software tests including functional and system integrity tests and
associated documentation.
4) Development tools including any configuration management tools.
5) Any tools used for generating current configuration items.
6) Any audit trail reduction tools used in the configuration management
context.
7) Any other components of the TCB as broadly defined.
Throughout the application of RAMP to product revisions, each change in a
configuration item is uniquely identified. The changes of significance for
RAMP are any alterations to the TCB since the product evaluation. The date
of a CI change is identifiable along with any changes to the related
documentation, tests, or development tools. Each change in software source
code is separately identifiable, although changes need not be separately
stored.
3.4 CONFIGURATION CONTROL
Configuration control is a means of assuring that system changes are
approved before being implemented, that only the proposed and approved
changes are implemented, and that the implementation is complete and
correct. This involves strict procedures for proposing, monitoring, and
approving system changes and their implementation. Configuration control
entails central direction of the change process by corporate functions
that coordinate analytical tasks, approve system changes, review the
implementation of changes, and supervise other tasks such as
documentation. These procedural requirements of RAMP are the primary
subject of Section 4.
Configuration control involves not only the approval of changes and their
implementation but also the updating of all related material to reflect
each change. There should be guidelines for creating and maintaining
functional test software and documentation throughout the life of the
system. The change process should include a phase for test creation and
maintenance, with associated updating of documentation. Relevant tests
should be performed and evaluated whenever system changes are implemented
and/or tests are updated. The vendor must rerun the entire test suite
before submitting RAMP evidence to the Center.
A vendor's production arrangements may hinder or complicate the process of
controlling system change. Hardware and software may be developed by
separate groups within the vendor organization, perhaps located at
different sites. Code development and integration may occur in different
cities, with testing conducted at both locations. Also, a vendor may
propose RAMP for a system (layered product) that incorporates another
vendor's products. Vendors faced with these difficulties acknowledge the
resulting limitations on security analysis and configuration control in
their RM-Plans, and establish alternative procedures of equal
effectiveness for upholding product trust.
A vendor applying RAMP to a layered product demonstrates configuration
management cognizance over all parts of the product, including parts
manufactured by other vendors. This means that the vendor understands the
base product and its changes since evaluation and conducts security
analysis of these changes, to the same extent as required by RAMP for an
in-house product. (See Section 7.) Some form of collaboration among
vendors is thus virtually essential for RAMP coverage of a layered
product.
A vendor's configuration management system includes policies and
procedures for correcting any security bugs identified in the product.
Responses to flaws, bugs, and breakdowns of RAMP assurance are discussed
in Section 8.
3.5 CONFIGURATION ACCOUNTING
Configuration accounting documents the status of configuration control
activities and in general provides the information needed to manage a
configuration effectively. It allows managers to trace system changes and
establish the history of any developmental problems and associated fixes.
Configuration accounting also tracks the status of current changes as they
move through the configuration control process. Configuration accounting
establishes the granularity of recorded information and thus shapes the
accuracy and usefulness of the audit function.
Configuration accounting should yield answers to questions such as the
following. What source code changes were made on a given date? Was a given
change security relevant? Why or why not? What were all the changes in a
given CI between releases N and N+1? By whom were they made, and why? What
other TCB modifications were required by the changes to this CI? Were
modifications required in the test set or documentation to accommodate any
of these changes? What were all the changes made to support a given change
request?
The accounting function is able to locate all possible versions of a
configuration item and all of the incremental changes involved, thereby
deriving the status of that CI at any point in time. The associated
records include commentary about the reason for each change and its
implications for the TCB. Configuration accounting provides convenient
access to such records for use as evidence in the rating maintenance
process. In general, the effectiveness of configuration accounting depends
upon the quality of system identification and control efforts.
3.6 CONFIGURATION AUDIT
Configuration audit is the quality assurance component of configuration
management. It involves periodic checks by the vendor to determine the
consistency and completeness of accounting information and to verify that
all configuration management policies are being followed. (The following
subsection identifies when configuration audits occur.) A vendor's
configuration management program must be able to sustain a complete
configuration audit by a Center aperiodic review team.
A configuration auditor should be able to trace a system change from start
to finish. The auditor should check that only approved changes have been
implemented and that all tests and documentation have been updated
concurrently with each implementation to reflect the current status of the
system. A configuration audit in RAMP must be conducted by a VSA.
3.7 RAMP AUDIT
The RAMP audit process addresses both security analysis and configuration
management procedures. The two components of a RAMP audit are a
configuration audit as described above and a detailed review of security
analysis records for a selection of product changes. The security analysis
component involves drawing a random sample of past Service Improvement
Requests (SIRs, as described in Section 4) and assessing all the security
analysis activities undertaken to meet each request. The objective is to
confirm in each case both the adequacy of the analysis and the
completeness of the stored records.
As already indicated, the RAMP audit is part of the functional testing
requirement for a product in RAMP, and the results of the initial audit
are reviewed by the Center evaluation team during the product evaluation.
This review ensures that the vendor's RAMP process follows the procedures
outlined in the vendor's RM-Plan. A vendor's audit program is established
clearly in the RM-Plan. The plan describes the frequency of audits and the
procedures for assessing configuration management and security analysis
practices. The results of all subsequent RAMP audits are reviewed by the
Center's TPOC. (See Section 7.)
4. PROCEDURAL ASPECTS OF RAMP
4.1 INTRODUCTION
RAMP uses strong procedural controls to assure that rating maintenance
actions by vendors do not compromise the product trust established in
Center evaluations. On the other hand, overly rigid requirements would be
costly and inefficient for some vendors and thus could limit program
involvement. The Center reconciles these concerns in RAMP by allowing
considerable vendor discretion in the design of configuration management
procedures, but requiring meticulous adherence to plans once developed.
Rating maintenance procedures are described here using a generic business
model. The Center developed this generic model by interviewing numerous
vendors and identifying common elements in their business practices.
Discussing RAMP in this context serves to:
1) provide a specific illustration of acceptable procedures;
2) establish common names for certain activities and functions;
3) clarify the elements essential for RAMP; and
4) provide a baseline against which alternative approaches can be
evaluated.
The discussion does not imply that each vendor's product revision
process must conform to the generic model. What RAMP requires is that
the chosen procedures be no less effective than the generic model in
maintaining continuity of assurance and providing evidence of product
trust.
The following text assigns standard names to various procedural
elements and functions (summarized in the glossary). This does not
imply that a vendor must create new entities corresponding to the
names, if equivalents already exist. The Center requests vendors to
utilize the standard names in their RM-Plans and other formal
communications as an assistance to the Center in dealing with diverse
products and business plans. Vendors should feel no need to alter
their internal language, since the VSAs interacting with the Center
can readily translate the few terms at issue.
4.2 GENERIC MODEL
Figure 3 depicts the generic model of rating maintenance actions in RAMP.
The diagram emphasizes configuration control, although configuration
identification, accounting, and auditing tasks are no less important. All
of the boxes and arrows represent configuration management procedures
identified in the Center survey of business practices prior to RAMP. The
diagram has been converted to a RAMP description by highlighting two
control and approval functions (using dotted lines and decision nodes),
and by including commentary on the VSA role.
The generic model can be summarized as follows, ignoring momentarily the
elements specific to RAMP. Proposed system changes are drawn from a
prioritized list of desirable system modifications as described in Section
1. Requests for changes reach the system design group through some
mechanism that we call a Service Improvement Request (SIR). Each proposed
change receives a preliminary screening for effects on the TCB. A change
that clearly does not affect the TCB directly or indirectly enters a
design analysis phase addressing product characteristics other than
security. (Code-level design of the change may occur in varying
proportions at this stage and at the implementation stage.) The design
analysis ends with some form of review. A change that affects the TCB, or
may affect the TCB, undergoes security analysis in conjunction with design
analysis.
The analysis and review tasks yield an Engineering Change Order (ECO),
which directs the implementation of an approved change. The ECO covers
modifications of tests and documentation as well as the system software.
Code is written for the change and entered into a working copy of the
system for testing. Existing and modified tests are applied as
appropriate. The change is then subjected to a final review. Any change
that fails to gain acceptance in this final review is removed from the
system. If rejection has been caused by an implementation problem, the
change may recycle back to the ECO stage. Other changes rejected in the
design review or final review are sent back to the beginning of the
configuration management process or discarded altogether. Implemented
changes that gain final approval are incorporated into the product, and
all documentation is updated accordingly.
4.3 ORIGIN OF PRODUCT CHANGES
This and the following subsections describe the requirements of RAMP in
the context of the generic model. For convenience, the text often
references the VSA role as if played by a single person even though
multiple VSAs are likely.
The system revision process in RAMP starts with an evaluated product
(although the first changes may occur while the evaluation is still in
progress, or even before the code freeze for the evaluated product). The
full configuration management process should be operative as soon as a
system is identified, so that all changes relative to the original product
can be managed uniformly.
The vendor selects changes from the prioritized list of desirable system
modifications established during the product development. Financial and
marketing factors affect the choice of changes, since these factors
influence the revision cycle and the feasible number of modifications per
cycle. RAMP requires some equivalent of the Service Improvement Request
(SIR) to provide a formal record of all proposed changes entering the
analysis and implementation process.
4.4 CONFIGURATION CONTROL BOARD
All analytical and design tasks in RAMP should be conducted under the
direction of a corporate entity called the Configuration Control Board
(CCB). The upper dashed line in Figure 3 encompasses the activities in the
generic model that the CCB should supervise. These include: 1) screening
of proposed changes for impact on the TCB; 2) security analysis of changes
that affect the TCB; 3) associated design analysis and review tasks; 4)
approval and disapproval of changes on the basis of product trust; and 5)
issuance of instructions for change implementation (ECOs).
Central direction by a CCB does not necessarily mean that a vendor must
discard other ways of administering configuration management in order to
participate in RAMP. The vendor can base the CCB on an existing design
supervision group, perhaps joined by other persons when it sits as the
CCB, or the vendor can establish the CCB as a forum of representatives
from multiple groups involved in product development.
The membership of the CCB must include at all times a Center-recognized
VSA for the given product. Furthermore, the responsible corporate officer
must have the power to veto any CCB approval of a product change. This
veto power can derive from inclusion of the responsible corporate officer
as a CCB member with special voting rights; from some other explicit
provision of the CCB rules, or from the authority vested in the
responsible corporate officer by his or her corporate position. The
responsible corporate officer is not required to participate in CCB
deliberations or decision-making on a routine basis. This arrangement
gives the VSA two ways of influencing product changes (over and above
contributing to analysis and design tasks). The VSA can influence changes
by participating as a full member in the CCB function, and also by
notifying the responsible corporate officer that a given change approved
by the CCB is unacceptable in terms of RAMP assurance. In essence, the VSA
represents security concerns to the CCB, and the responsible corporate
officer enforces the dominance of these concerns. The Center holds the
vendor accountable for change control through the responsible corporate
officer.
RAMP requirements for the CCB are summarized as follows:
1) The CCB operates at all times in accordance with the vendor's
RM-Plan.
2) No product change can be implemented without approval by the CCB.
3) The CCB has authority over all analysis, design, and review tasks from
the receipt of SIRs through the issuance of ECOs.
4) The CCB has access to all information used in, and generated by, the
activities under its purview.
5) The VSA (or a VSA) is a CCB member with all of the rights, powers, and
information access possessed by other members.
6) The responsible corporate officer has the power to veto any CCB
approval of a product change. Changes vetoed by the responsible corporate
officer are disposed in the same fashion as changes disapproved by the
CCB.
There are no restrictions upon CCB procedures for reaching decisions,
but the Center encourages using the CCB as a forum for deliberations
that can be recorded as RAMP evidence. The CCB ideally functions as a
central source of "security wisdom" as well as program oversight.
4.5 COMPLIANCE WITH THE TCSEC AND CRITERIA INTERPRETATIONS
The preliminary screening of proposed changes for effects on the TCB is an
optional feature of the generic model, although some arrangement of this
nature is probably necessary for efficiency. A nonoptional feature of the
model is that the changes that bypass preliminary screening are routed
through the subsequent phases of the change control process (i.e., EACH
CHANGE MODEL MUST CONTAIN SOME TYPE OF CONFIGURATION REVIEW). Retention of
these changes in the process allows the reviews by the CCB and
Configuration Review Board (CRB) to verify the absence of any direct or
indirect effects on the TCB.
Section 3 has already described the scope and responsibilities of security
analysis. This task must determine that a proposed change upholds the
security features and assurances of the product in compliance with the
TCSEC and the Criteria interpretations. The outcome for each change is
evidence that links with product evidence from the evaluation. Security
analysis may require intensive problem-solving efforts in establishing TCB
effects, designing changes, and developing appropriate tests. The
fundamental requirement of RAMP is dominance of security over other design
considerations.
The Center periodically issues Criteria interpretations to clarify the
application of the TCSEC. An important issue in RAMP is the time that is
allowed to elapse between the issuance of an interpretation and the
compliance of a product release (and all subsequent releases) with this
interpretation. The reasonable maximum time is related to the length of a
product's revision cycle (e.g., three months, six months), but it cannot
be linked rigidly to the revision cycle without creating excessive
difficulties for fast-cycling products and excessive slack for
slow-cycling products. The Center recommendation is that each product
release in RAMP should comply with all Criteria interpretations for which
at least one of the following conditions is true:
1) The interpretation was issued prior to the EPL listing for the
previous release of the given product.
2) The interpretation was issued at least one calendar year prior to the
submission of a Rating Maintenance Report (RMR) for the release in
question.
3) The interpretation is accompanied by an effective date, which precedes
the RMR submission date for the release in question.
This policy would give vendors a grace period of one revision cycle within
which to comply with an interpretation, unless the revision cycle is
longer than one year or unless the interpretation has an effective date
that overrides the grace period. The Center cites an effective date if
rapid compliance with an interpretation is considered especially critical.
Each vendor proposes a policy for complying with Criteria interpretations
when submitting an RM-Plan for Center approval. (See Section 7.) The
approved policy becomes a plan element that must be followed rigorously
throughout the RAMP process.
The need to comply with interpretations issued after the product
evaluation can mandate design analysis and even product changes that have
nothing to do with service improvements desired by the vendor. It is
unlikely but possible that an interpretation will terminate rating
maintenance for a product and necessitate a reevaluation. Because the
interpretations issued during one revision cycle for a product typically
do not apply until the next cycle, the Center can usually indicate in
advance whether or not a given interpretation will affect the continued
use of RAMP. The VSA has responsibility, however, for keeping abreast of
interpretations and assessing their impacts on the product. Criteria
interpretations do not apply retroactively, so that product ratings
established through RAMP are not withdrawn because of subsequent
interpretations.
4.6 ENGINEERING CHANGE ORDERS
An approved system change is implemented through an ECO or a set of ECOs.
An ECO tells the maintenance establishment what must be done to the code,
the documentation, and other elements of the system to implement the
change. The generic model shown in Figure 3 assumes that an ECO contains
instructions in relatively high-level language, but code-level directives
are also possible. Vendors can determine the format and content of ECOs
subject to the following general requirements. In the generic model:
1) The ECO provides an orderly mechanism to propagate change across
the system and assure synchronization, connectivity, and continuity
of alterations.
2) The preparation of ECOs is under CCB control.
3) No system change of any kind can occur without direction by an ECO.
4) Each ECO retains the identities of the initiating SIR and any other
SIRs or ECOs occasioned by the initiating SIR.
5) ECOs are retained as evidence for rating maintenance and should have a
form suitable for record-keeping purposes.
RAMP assigns considerable importance to the ECO as part of the trail of
product evidence. The vendor should establish the granularity of ECOs so
that they provide convenient reporting units throughout rating
maintenance. As discussed in Section 6, the RMR describes system changes
at the ECO level.
4.7 IMPLEMENTATION, TESTING, AND FINAL REVIEW
The lower portion of Figure 3 describes the general process of
implementing and testing a system change. The tests must verify that the
implemented change preserves the function of security features and the
assurance of correct feature operation. Testing and test development
should be conducted independently from the implementation of changes as a
check on the latter process. (Separation of functions as practiced by
accountants can provide a useful safeguard in other areas of rating
maintenance as well, subject to RAMP requirements for overall coordination
and control.) The reference to testing in Figure 3 covers both functional
security tests and performance tests, but only security tests contribute
to RAMP evidence.
The results of implementing and testing each change are assembled for a
final review before the change is incorporated into the product. An entity
called the Configuration Review Board (CRB) carries out this review. The
CRB membership should include a Center-recognized VSA (not necessarily the
same VSA belonging to the CCB). The VSA should have all of the information
access and influence over CRB decisions possessed by any other CRB member.
The CRB can have the same overall membership as the CCB or can be an
independent quality assurance group.
The final review by the CRB provides closure on each ECO by verifying that
every aspect of the approved change was implemented correctly and that no
other alterations were made. There should also be a reassessment of test
results and system assurances to confirm that system trust has been
upheld. The CRB then decides whether or not to accept a given change as
part of the product. Rejected changes are removed from the system and
disposed in the manner discussed above. The process ends for an accepted
change with final incorporation and documentation tasks.
4.8 COLLECTION OF RAMP EVIDENCE
General suggestions of configuration accounting and auditing have been
indicated in the previous section. The configuration management system
should include numerous checks to assure that all relevant information is
recorded and that documentation is updated fully to reflect each product
change. As the custodian of RAMP evidence, the VSA must remain in close
touch with all documentation tasks and should be able to influence the
execution of these tasks.
A vendor with a functioning configuration management system prior to RAMP
may choose to record some RAMP evidence externally in order to avoid
overloading the system. For each product change, RAMP evidence will
include the following commentary: the SIR from which the change
originated; the procedures and arguments used in establishing TCB effects;
the issues and conclusions of the security analysis; the ECOs generated
for the change; and the completion status of ECOs. The vendor must be able
to perform line-by-line code comparisons with pointers back to the ECOs
causing specific modifications. The commentary on tests should include
descriptions of new and modified tests, with stated reasons for the
alterations and pointers to the test results.
4.9 VSA ROLE
The required duties of a VSA are suggested by the items on the right-hand
side of Figure 3. The VSA is the focus of security wisdom in RAMP. The VSA
(or VSAs) tracks the entire rating maintenance process and understands
product changes in sufficient depth to verify the adequacy of security
analysis and configuration control procedures. The VSA represents the
Center concerns to the CCB and CRB, and assures that these functions are
operating effectively to maintain product trust.
The VSA is custodian of all RAMP evidence, meaning that the VSA monitors
the accumulation of evidence and has sufficient resources to assure its
accuracy, completeness, and accessibility. The VSA has direct
responsibility for proposing and managing revisions to the RM-Plan. The
VSA performs or supervises the RAMP audit function and the preparation of
all materials for submission to the Center. Lastly, the VSA is the vendor
contact for all technical communication with the Center.
Section 2 has addressed the subjects of VSA training, VSA recognition by
the Center, establishment of VSA credibility, and multiple-VSA approaches.
At least one Center-recognized VSA must be representing the product at any
time that rating maintenance actions are underway. A vendor using multiple
VSAs must designate a lead VSA and must maintain an accurate description
of VSA responsibilities in the RM-Plan at all times. Communications
between VSAs and the Center are discussed in the next section.
PROGRAM REVIEWS, COORDINATION, AND ADMINISTRATION
5. PROGRAM REVIEWS, COORDINATION, AND
ADMINISTRATION
5.1 PROGRAM REVIEWS
Two types of program review occur during the RAMP cycle between
submissions of product evidence. An interim review takes place following
each vendor RAMP audit. Aperiodic reviews occur irregularly throughout an
application of RAMP on an average of less than one review per cycle. An
aperiodic review is always conducted by a Center review team at the
vendor's site (or multiple sites if applicable). Interim reviews may or
may not occur on-site. As noted in Section 1, the first interim review for
a product in RAMP occurs following the vendor's RAMP audit performed in
preparation for the product testing TRB session.
Both types of review have the general purpose of establishing VSA
credibility and confirming process assurance in RAMP. The reviews serve
the common interest of vendors and the Center in identifying problems as
early as possible so that the vendor can make corrections with minimum
impact upon rating maintenance and product evolution.
Review teams examine the evidence accumulation process and scrutinize
records such as SIRs, ECOs, test results, and reports on CCB and CRB
proceedings. VSAs are questioned about RAMP procedures and may be required
to trace the course of events for specific product changes. The vendor
must have the ability to perform a line-by-line code comparison for any
two points in time and to sustain a RAMP audit by a Center review team.
Program reviews are also an occasion for assessing the adequacy of the
vendor's RM-Plan, and may lead to RM-Plan modifications.
5.2 INTERIM REVIEWS
Interim reviews and aperiodic reviews differ somewhat in emphasis.
An interim review has a procedural focus, addressing the credibility of
the configuration management process and its adherence to the RM-Plan. An
aperiodic review covers much of the same ground but includes an in-depth
examination of the vendor's ability to conduct security analysis.
The subjects of investigation include the procedures for generating SIRs
and ECOs, the adherence to established security analysis and design
analysis policies, the exercise of central control by the CCB, the
effectiveness of the CCB and CRB review functions, the adequacy of test
development and documentation procedures, and all aspects of the
configuration accounting system. The interim review team verifies that all
product changes are controlled uniformly, that security concerns have
precedence over other development objectives, and that sufficient evidence
is accumulating to support process assurance.
Interim reviews focus strongly upon the credibility of each VSA as a
representative of the vendor's RAMP process. The first interim review for
a VSA is a critical milestone in the establishment of VSA credibility. All
VSAs demonstrate to the interim review team a broad knowledge of
security-related policies, issues, and practices for the given product,
and an ability to apply the TCSEC in concrete situations. The interim
review verifies that the VSA (or group of VSAs) is tracking every aspect
of the configuration management process and is participating sufficiently
in each task to understand the major issues and decisions for every
product change.
5.3 APERIODIC REVIEWS
An aperiodic review constitutes an assurance checkpoint in a vendor's RAMP
program. Vendors receive no information about the timing of aperiodic
reviews other than sufficient advance notice to allow an orderly review
process (i.e., a few days). Vendors designate one point of contact per
RAMP activity site to be notified in case of an aperiodic review.
An aperiodic review examines in detail the soundness of a vendor's
decisions and the adequacy of product evidence to support the assertions
of product trust contained in Rating Maintenance Reports and other VSA
statements. An objective in some cases is to determine the reasons for
problems already identified. The review team may select several recent
product changes and trace the entire sequence of events leading to the
implementation of each, with particular emphasis upon the thoroughness and
accuracy of security analysis. This process examines the vendor's
analytical competence and sensitivity to security issues as well as the
effectiveness of configuration control and configuration accounting
procedures.
The aperiodic review team looks for trust violations consisting of:
insufficient understanding and application of computer security
principles; failure to give top priority to security concerns; errors in
security analysis and product testing; failure to follow the RM-Plan; and
failure to report all relevant actions and circumstances as product
evidence. If an aperiodic review identifies a security flaw in the product
or a breakdown of process assurance, the Center reserves the option of
withdrawing EPL status from the affected version of the product and all
subsequent versions. (See Section 8.)
5.4 PROGRAM COMMUNICATION AND COORDINATION
There is a designated Center Technical Point of Contact (TPOC) for each
product in RAMP. The TPOC tracks the rating maintenance process from the
planning phase onward and coordinates all technical interchange between
the vendor and the Center. The TPOC is the vendor's entry into the Center
for the resolution of computer security issues and concerns. The TPOC
assesses VSA performance and other aspects of the program, particularly
during the first RAMP cycle but does not directly supervise vendor
activities.
There is also a Center Business Point of Contact (BPOC). The BPOC carries
out administrative functions in RAMP such as: making programmatic
decisions; planning the use of Center resources; providing a conduit for
official documentation; and notifying the vendor of rating determinations.
Section 2 has discussed the general duties and responsibilities of the
vendor's responsible corporate officer. The responsible corporate officer
administers the RAMP program and is the vendor's point of accountability
to the Center. The responsible corporate officer is a person empowered to
make financial commitments on behalf of the program; maintain a favorable
corporate context for its execution; and limit product changes as
necessary for protection of RAMP assurance. The responsible corporate
officer assumes full responsibility for the contents of each Rating
Maintenance Report.
Figure 4 shows the lines of communication in RAMP between the TPOC, BPOC,
responsible corporate officer and VSA(s). All interactions on
administrative matters are routed between the BPOC and the responsible
corporate officer. All technical communication passes through the TPOC,
with two exceptions. These exceptions are on-site reviews and VSA
interactions with the TRB when defending an RMR.
The Center requires the vendor to designate a lead VSA in multiple-VSA
situations primarily to facilitate orderly communications. The lead VSA
should conduct most technical interactions with the Center (possibly
excluding on-site reviews and RMR presentations), and should receive
copies of any written documents passing between the vendor and the Center.
In some cases the TPOC may require that all technical communication be
routed through the lead VSA.
The lead VSA will provide quarterly, informal status reports to the TPOC
(via the Dockmaster system mentioned below). These reports are intended to
keep the Center apprised of the vendor's rating maintenance activities.
The Center discourages excessive vendor reliance upon the TPOC as a
program advisor. The TPOC apprises the vendor of important developments in
the computer security field and is available for consultation on major
issues. This does not relieve the vendor of responsibility for keeping
abreast of developments through other means (such as the Dockmaster system
mentioned below) and exercising security wisdom independently of the
Center. Vendors are discouraged from attempting to pass program
responsibility back to the Center by submitting routine decisions to the
TPOC. The success of RAMP depends upon a vendor's own security analysis
capability and willingness to be held accountable for actions affecting
the product.
All vendors participating in RAMP must provide for VSA access to the
Center's Dockmaster information system by the time VSA training begins.
Dockmaster is a Honeywell MULTICS system used by the evaluation community
for electronic mail, electronic meetings, forums, queries, and other
functions. A RAMP vendor must be prepared to communicate with the TPOC via
Dockmaster and to use the system as a general information source.
6. PRESENTATION AND REVIEW OF EVIDENCE
6.1 INTRODUCTION
A vendor in RAMP preserves security features and assurances of a product
through security analysis and configuration management. The documentation
of this process in a body of evidence linking to the evaluation yields
RAMP assurance of product trust. Because the process is subject to strong
procedural controls*the RM-Plan, on-site reviews, and VSA training*the
Center can extend the product rating to each new release without
performing a full reevaluation or a lengthy assessment of all product
evidence. Rating approvals are based upon a moderately detailed summary of
evidence and a face-to-face presentation of this material by the vendor to
the Center. The Center reserves the right to request additional evidence
as necessary.
The vendor prepares the summary of evidence in the form of a Rating
Maintenance Report (RMR). The vendor can submit the RMR to the Center at
any time after all changes have ended for the product version in question.
Delays can be minimized by preparing much of the RMR while the product is
being revised, i.e., by summarizing the evidence as it accumulates.
The following are the major steps leading to a rating approval and EPL
listing for a revised product. These steps are discussed at greater length
following the description of the RMR.
1) Vendor submits RMR and other materials to TPOC.
2) TPOC circulates RMR to Center evaluators for review.
3) TPOC forwards RMR and supporting materials to Technical Review Board
(TRB).
4) TRB reviews RMR and issues comments to vendor (through TPOC).
5) VSA or VSAs defend RMR before TRB.
6) TRB makes recommendations on rating maintenance to Chief of Center
Product Evaluation Division.
7) Chief of Product Evaluation Division approves or disapproves product
rating.
8) Revised approved product receives EPL listing.
Steps 1 and 2 may iterate until the TPOC is satisfied with the level of
detail of the RMR. Only a short time should elapse between steps 3 and 8
if the vendor has properly satisfied the RAMP requirements (summarized in
Appendix A) and has a well-executed RAMP process (defined by the vendor's
RM-Plan) with adequate VSA credibility. Thus, efficient preparation of the
RMR and supporting materials can lead to an EPL listing at roughly the
same time that the new product version is released.
6.2 RATING MAINTENANCE REPORT
The RMR summarizes product evidence at a level of detail intermediate
between the information that would be required to conduct an evaluation
and the information typically contained in a Final Evaluation Report. The
RMR asserts that product trust has been upheld and includes sufficient
commentary to allow an understanding of individual product changes. Figure
5 presents a suggested outline for an RMR. The Center does not impose a
standard format on these documents but requires coverage of all the listed
items.
The major components are a cover letter, a description of the system
configuration, a section on Criteria interpretations, a discussion of each
product change at the ECO level, and a future change analysis. The cover
letter identifies the product and describes its history of rating
maintenance. The cover letter must be signed by the responsible corporate
officer and all recognized VSAs. It affirms that the responsible corporate
officer: 1) has reviewed the RMR; 2) assumes full responsibility for the
RMR contents; and 3) acknowledges responsibility for the sincere and
conscientious execution of all rating maintenance actions.
The first report section gives a complete overview of the system
configuration and its changes since the product evaluation. Much of this
material can often be carried forward from earlier documents. General
discussion of RAMP policies and procedures can appear either here or in a
separate section. The second section discusses the significance of all
Criteria interpretations applying to the given product release. (The
vendor's policy with regard to interpretations is discussed in Section 4
and Section 7.)
The items in the third section of the suggested RMR outline are repeated
for each product change. RAMP defines an individual change in this context
as an Engineering Change Order (ECO) that has been implemented. Figure 5
assumes a classification of ECOs according to product module and
configuration item. (The classification may vary if ECOs overlap
configuration items.) Discussions can be pooled and cross-referenced in
cases where several ECOs have been used to achieve a common purpose, but
the RMR should list each ECO individually.
The last lines in the third section of the RMR outline suggest the topics
requiring mention in the evidence summary for an ECO affecting the TCB.
Very little discussion is necessary for other ECOs*one or two sentences as
compared with at least a paragraph for each ECO having TCB impact. (These
two categories of ECOs may be segregated in the RMR.) The appropriate
depth of discussion for an ECO affecting the TCB depends upon the
sensitivity of relevant security mechanisms and assurances and upon the
complexity of the security analysis.
The fourth section of the RMR as outlined in Figure 5 is a discussion of
probable changes in the product beyond the current version. The Center
uses this future change analysis to assess the future applicability of
RAMP to the product (as discussed below). The Center requests vendors to
describe the major product changes anticipated for the next two release
cycles or the next 18 months, whichever period is greater. A failure to
provide this information increases the vendor's risk of discovering
suddenly that RAMP is no longer feasible and the product is no longer
eligible to participate in RAMP. In order to be placed on the EPL, the
product must then be reevaluated.
Figure 5. Suggested Rating Maintenance Report Outline
COVER LETTER
Identification of the new product version, the evaluated product, and any
intervening product releases.
Identification of the product rating established in the evaluation and
maintained through the previous release.
Serial numbers of the Final Evaluation Report (FER), any revised versions
of the FER, and the RMR for the most recently maintained release.
Assertion that the new release maintains the product rating. Responsible
corporate officer warranty of document contents.
Signatures of the responsible corporate officer and all Center-recognized
VSAs.
SECTION 1: SYSTEM CONFIGURATION
Listing of the hardware/software configuration for the
evaluated product
(original TCB by module).
Rationale for system decomposition into configuration items. Updated
listing of the configuration, noting changes: List of hardware contained
in the secure configuration. List of TCB software modules, noting any
modules that have been changed and the file length (lines of code) of each
module. Rationale for determining effects on the TCB of product changes,
with pointers to specific changes itemized in Section 3.
SECTION 2: CRITERIA INTERPRETATIONS
List of all Criteria interpretations applying to this product release.
Comments on the significance of each interpretation for the product as
revised.
Pointers to discussions in Section 3 of product changes
made because of specific Criteria interpretations.
SECTION 3: PRODUCT CHANGES AND EVIDENCE OF SYSTEM TRUST
Name of module or document changed.
ID number(s) of configuration item(s) changed.
Engineering Change Order (ECO) number.
Description of change:
Functional description.
Description of user-visible effects.
Classification of change according to effects on the TCB (yes or no).
Evidence of product trust (if change affects the TCB):
Explanation of relevant Criteria and interpretations.
Relevant TCB mechanisms and assurances. Design issues, alternatives, and
solutions. Tests and test modifications if any. Summary of test results.
Pointers to system and test documentation. Pointers to specific code-level
changes.
SECTION 4: FUTURE CHANGE ANALYSIS
Expected product changes in next revision cycle.
Expected product changes in second revision cycle.
Later evolution of product.]
6.3 OTHER SUBMISSION MATERIALS
The materials submitted concurrently by the vendor to achieve rating
maintenance include several items in addition to the RMR. The overall
package is as follows.
₧ RATING MAINTENANCE REPORT (RMR)
₧
₧ RM-PLAN(S) WITH CHANGE BARS
₧
₧ FINAL EVALUATION REPORT (FER) WITH CHANGE BARS
₧
₧ FINAL EVALUATION REPORT WITH INTEGRATED CHANGES
₧
₧ PROPOSED PRODUCT DESCRIPTION FOR EPL
₧
As discussed elsewhere, RM-Plans often change during a rating maintenance
cycle because of procedural refinements and changes in VSA
responsibilities. The Center is always aware of changes and always
possesses a current version of the RM-Plan, because changes cannot be
effected without Center approval. The vendor's submission package at the
end of a rating maintenance cycle includes an additional copy of the
RM-Plan with change bars showing every alteration relative to the plan
that was in force at the end of the previous cycle (i.e., when the
previous RMR was submitted). This document must show the date on which
each RM-Plan change was approved by the Center. Its purpose is to assist
review of the vendor's program by the TRB. (A general principle of the
rating approval process is that the vendor should not assume a TRB
"memory.") The vendor may also choose to include a separate document
consisting of a proposed RM-Plan for the next revision cycle. Submitting
proposed RM-Plan changes at this time facilitates Center approval and
serves the Center objective of confining most plan alterations to the
beginning of a cycle.
The submission package includes a copy of the Final Evaluation Report
(FER) for the initial evaluated product, with change bars converting the
FER to a description of the current release. The vendor also provides a
copy of the FER with these changes integrated into the text. The latter
document is called a RAMP FER to distinguish it from the direct output of
a Center evaluation.
The remaining document submitted with the RMR is a brief description of
the revised product for use by the Center in publishing an EPL listing if
the new version maintains the product rating. This and the RAMP FER are
the only program documents intended for public release.
6.4 REVIEW AND DEFENSE OF RMR
The TPOC receives the RMR and associated materials from the vendor and
forwards these documents to Center evaluators for review. A primary
objective is to prepare the VSAs for examination by the TRB. The reviewers
point out areas of the RMR that are deficient or likely to receive special
TRB attention. The VSAs respond by revising the RMR and/or assembling
supplementary evidence for the product defense. The TPOC then submits the
RMR and related materials to the TRB. After examining the RMR, the TRB may
transmit written comments to the VSAs (through the TPOC), which establish
a partial agenda for the VSAs' oral presentation and defense.
All Center-recognized VSAs should be prepared to meet face-to-face with
the TRB and discuss the aspects of RAMP for which they have been
responsible. The TRB will expect the VSAs to present a thorough technical
overview of changes to the product TCB and the security analysis of those
changes, thus demonstrating continuity of function and retention of
assurance. When new VSAs are involved, the face-to-face examination is
strongly concerned with establishing VSA credibility. The TRB questions
each new VSA in depth about the nature of the product as well as about
rating maintenance procedures and individual changes.
The TRB will focus upon changes which raise complex security questions, or
which are not fully understandable from the RMR description, or which
provide a good context for detailed examination of procedures. The
responsible VSA first describes the change and answers questions on the
basis of memory and supplementary information brought to the session. If
these responses are inadequate, the TRB requests additional evidence.
The TRB subsequently issues a recommendation to the Chief of the Product
Evaluation Division stating that product trust has or has not been
maintained by the current product version at the level established by
evaluation. If the product does not sustain its rating, the vendor may or
may not be given the option of reconstructing the RAMP process in some
fashion and returning for another TRB review. The given RAMP cycle ends
with a rating determination by the Chief of the Product Evaluation
Division and, if the determination is favorable, a listing of the new
release in the EPL.
6.5 FUTURE APPLICABILITY OF RAMP
RAMP applicability is limited. If product revisions fundamentally alter
security mechanisms and assurances, the result from a security standpoint
is a new product requiring evaluation to qualify as a trusted system. At
the start of RAMP, the Center verifies the potential applicability of the
program to the initial revisions of the product before approving the
vendor's RM-Plan. The RMR review at the end of each cycle is the occasion
for later forecasts of RAMP applicability. These forecasts of future RAMP
applicability are an integral part of the trusted products partnership
established between the Center and the vendor.
The Center uses the information in the vendor's future change analysis to
estimate (if possible) the point at which RAMP will no longer be viable
and the product cannot be placed on the EPL without a reevaluation. This
point can result from cumulative changes as well as from especially
significant changes in any one revision cycle. The Center criteria for
RAMP applicability cannot be summarized conveniently here. The extremes
are that most changes in system architecture are not coverable by RAMP,
whereas product changes that do not affect the identified TCB directly or
indirectly can always be covered.
The Center has designed RAMP with the intention of giving vendors at least
one cycle's advance notice of the need for a product reevaluation. (Hence
the request for information in the future change analysis describing at
least two cycles.) The degree of certainty expressible by a RAMP forecast
is governed, in large measure, by the level of detail, completeness, and
the schedule provided in the future change analysis by the vendor.
Notifying the vendor that RAMP can proceed for another revision cycle does
not commit the Center to approve rating maintenance for that cycle when
completed, and a forecast of RAMP applicability for a later cycle may be
changed as that cycle approaches. The Center reserves the right to deny a
rating and/or discontinue a RAMP process at any time.
When forecasting RAMP applicability for a product, the Center addresses
any expected difficulty in complying with recent or prospective Criteria
interpretations that do not apply to the current product version.
As discussed in Section 4, Criteria interpretations can affect the use of
RAMP irrespective of the nature of product changes.
7. RATING MAINTENANCE PLAN
7.1 INTRODUCTION
Strict adherence to a comprehensive RM-Plan is one of the most important
program controls in RAMP. The RM-Plan is the vendor's document, tailored
to the product in question and to the company's business practices and
personnel. The plan and any proposed changes must be approved by the
Center and must describe accurately throughout product maintenance what
the vendor is doing to the product and what evidence is being recorded.
A vendor starting a new RAMP process should commence preparation of an
RM-Plan during or immediately after VSA training. No rating maintenance
actions on the product can occur until an approved RM-Plan is in place,
which means that delays in program planning can slow the startup of
product revisions. Vendors should develop a new RM-Plan by building upon
rather than rejecting previous practices. The Center encourages this
approach in order to minimize the chances of conflict and inefficiency in
RAMP. Also, the vendor should not attempt to resolve every issue and
establish an ideal plan before submitting a draft to the Center for
review. A period of consultation between the vendor and the Center is
usually necessary to arrive at a mutually acceptable RM-Plan. In plan
development as in later phases of RAMP, the Center is eager to help
vendors who approach the process constructively.
A vendor initiates the RM-Plan approval process by submitting a new or
revised plan to the TPOC. The TPOC coordinates the Center review and
issues an approval when the plan is judged to comply with RAMP
requirements. The TPOC will document approvals of new or revised RM-Plans
and changes to existing plans via the Center's Dockmaster system.
A vendor may wish to change an existing RM-Plan in order to improve the
rating maintenance process or alter VSA responsibilities. There are no
fixed limitations on changing an RM-Plan, but the Center urges vendors to
minimize the total number of changes and to confine change requests to the
beginning of each rating maintenance cycle. A change request includes a
copy of relevant sections of the RM-Plan with all proposed changes shown
by change bars, plus a copy of the entire plan with the changes integrated
into the text. The latter becomes the operative RM-Plan when approval is
granted.
All RM-Plan changes must receive Center approval regardless of their
nature. On receiving a change request, the TPOC determines the scope of
the Center review based upon the magnitude and implications of the
proposed change(s). The TPOC can grant immediate approval of a change that
is very minor or unavoidable (such as a reassignment of program
responsibilities due to loss of a VSA). In all cases, however, the old
RM-Plan remains in force until the change is approved and documented on
the Center's Dockmaster system.
RM-Plans are intended to be current but not release-specific.
This distinction becomes relevant when successive product releases overlap
in terms of development, i.e., when work starts on version N+1 before the
code freeze for version N. In such cases, a single RM-Plan describes the
vendor's RAMP process for all work on the product. The RM-Plan may
reference specific product versions when describing VSA responsibilities,
thus creating a need to update the plan periodically; but this is similar
to cases in which VSA assignments are based upon specific product changes
or other transient factors. The single-plan format applies unless there is
a branching of the product, i.e., a situation in which version N includes
changes that are not contained in version N+1, as well as vice versa. If
the Center allows RAMP coverage of both branches, the vendor must maintain
a separate RM-Plan for each.
7.2 OVERVIEW OF RM-PLAN CONTENTS
The RM-Plan tells how the vendor will accomplish all the tasks and achieve
all the results described previously in sections 3, 4, and 6. The RM-Plan
cannot state exhaustively how security analysis will be conducted and
cannot guarantee that errors will never occur. However, the plan describes
the vendor's procedures and safeguards in sufficient detail to constitute
an essential part of RAMP assurance.
While the format of individual RM-Plans may vary, a vendor's RM-Plan must
address the following topics. Each of these topics is discussed in the
subsections that follow.
A. The product and its configuration.
B. Security analysis.
C. Configuration control.
D. Collection and verification of evidence (configuration accounting and
RAMP auditing).
E. Compliance with Criteria interpretations.
F. Presentation and defense of security analysis and product evidence.
G. VSA responsibilities and program administration.
H. Vendor response to failures.
I. Numbering and retirement of product versions.
J. Management of the RM-Plan.
7.3 THE PRODUCT AND ITS CONFIGURATION
An RM-Plan must begin with a description of the rated product and all its
components. This description should address all elements of the TCB in
specific terms. It should also cover business aspects of the product such
as control over the distribution of documentation.
The RM-Plan describes how configuration identification has been performed.
The plan should discuss the vendor's approach and objectives in
decomposing the system, and should describe system elements in sufficient
detail to show compliance with the configuration identification
requirements listed in Section 3.
There should be commentary on any special implications of the system
identification for configuration control. The plan specifies the naming
conventions used for configuration items (CIs) and for changes to CIs.
Policies regarding the creation of new CIs for revised products should
also be discussed.
A startup RM-Plan includes a development process timetable, indicating
when submissions of evidence are anticipated, and a future change analysis
discussing the expected evolution of the product. As in the RMR for a
completed RAMP cycle, the future change analysis should cover at least the
first two cycles or 18 months of RAMP, whichever is longer. The Center
assesses the expected changes and expresses a judgment by way of the
RM-Plan approval that the product rating can probably be maintained
through the initial revisions.
7.4 SECURITY ANALYSIS
The RM-Plan states the vendor's policies and procedures for security
analysis in as much detail as possible. It describes security analysis and
related design activity on a task-by-task basis, from identifying TCB
effects through developing new tests and reporting on the acceptability of
changes. The plan should demonstrate clearly that the vendor understands
and adheres to the concept of security dominance in product development.
This part of the RM-Plan may or may not be integrated with discussion of
the vendor's configuration control system, which covers the overall
structure of change control and the participation of corporate groups in
this process.
The RM-Plan must describe the steps taken by the vendor in assessing the
effects of product changes on the TCB. This description covers methods of
establishing indirect TCB effects as well as effects due to
interrelationships among security features. The plan should reference any
generic procedures used such as regression testing. There should be
clearly stated arrangements for identifying any cumulative effects due to
multiple product changes and/or collateral modifications entailed by
changes. These arrangements are especially critical when security analysis
and system design tasks are spread among several operating groups.
The RM-Plan then describes the principles and procedures followed by the
vendor in establishing acceptable designs for product changes and
determining when changes cannot be implemented for security reasons. If no
single description of this process is adequate, the plan can reference
various categories of product changes and show how the process operates
for each. There should be explicit discussion of the relationships between
security analysis and the pursuit of other design objectives.
A section of the RM-Plan must address the development and application of
system tests as an element of security analysis. This discussion covers:
the vendor's general testing policies; the determination of test adequacy
as affected by product changes; the guidelines followed when modifying or
creating tests; and the vendor's procedures for updating the test plan on
the basis of security analysis findings.
The RM-Plan summarizes the vendor's criteria and methods for concluding
that a change is or is not acceptable under the TCSEC and describes how
these conclusions are documented and forwarded for Configuration Control
Board (CCB) review. The plan must demonstrate that the security analysis
yields adequate RAMP evidence in the form of recorded analytical findings
and support for all decisions affecting the product.
7.5 CONFIGURATION CONTROL
As established in Section 3, configuration management is the framework for
reviewing, implementing, and documenting the conclusions of security
analysis. The portion of the RM-Plan on configuration control presents the
vendor's business plan for accomplishing these objectives.
A vendor developing a startup RM-Plan may find it convenient to work
incrementally from existing practices. First, the vendor's existing
configuration management system is modeled and evaluated against the
conceptual requirements of RAMP discussed here in Section 3. The vendor
revises the model by identifying needed elements and finding the most
harmonious ways of including these elements within the present business
context. The vendor then evaluates the revised model against the
procedural requirements and VSA responsibilities outlined in Section 4.
Functional equivalents of the SIR, ECO, CCB, and CRB are identified. If
there is no full equivalent for one of these entities*e.g., no central
authority that can be designated as the CCB*the vendor overcomes the
deficiency by building upon present functions with as little disruption as
possible. Similarly, the vendor seeks to identify persons who can serve
effectively as VSAs in their present corporate positions (and who are
qualified and available for VSA training). Only if such persons are
unavailable does the vendor consider restructuring groups and reassigning
personnel to achieve adequate VSA involvement.
The RM-Plan must present a unified discussion of configuration control
centering upon the vendor's business model as revised. The discussion
should trace the course of events for a product change from its entry into
the RAMP process as a SIR through its final approval and incorporation.
The plan should explain the preliminary screening of changes for TCB
effects, if conducted as a separate task, and describe the vendor's
safeguards against incorrect categorization of changes. The plan shows how
product changes that lack TCB effects are routed through the various
design and implementation steps and change reviews. The RM-Plan then
presents the detailed discussion of security analysis for changes
affecting the TCB, if this discussion has not already been provided. The
vendor indicates which operating groups conduct the security analysis and
to what extent the VSA or VSAs participate in each aspect. (Coverage of
the VSA role by the RM-Plan is discussed further below.)
The RM-Plan should describe in specific terms how the CCB will coordinate
the security and design analyses and will review system changes. The
discussion addresses the composition of the CCB, the lines of authority
among its members, the nature of its deliberations, and the manner in
which the CCB assures security dominance in the product development
process. Other topics are the power of the CCB to influence security
analysis, the quality control steps involved in CCB review, the ability of
the CCB to request additional information, and the disposition of product
changes that fail to receive CCB approval. The RM-Plan should describe VSA
membership and participation in the CCB, and the ability of the
responsible corporate officer to veto a CCB approval when requested by the
VSA.
The RM-Plan should discuss the manner in which ECOs are generated and what
they contain. The relevant data include: who prepares ECOs; the
granularity of ECOs; the conditions under which multiple ECOs are used to
effect a given change; the level of detail at which ECOs direct
implementation tasks; the instructions in ECOs for testing implemented
changes; any quality control procedures for ECOs; and the manner in which
the CCB controls the production of ECOs. The RM-Plan should also indicate
the role of ECOs in the vendor's record-keeping system.
The RM-Plan describes the vendor's procedures for assuring that all
approved changes are implemented correctly and that only these changes are
made. The plan should discuss the structure of the implementation and
testing groups, indicating the degree to which the testing function is
conducted independently. The description of testing procedures should
mention interactions with the design group (outside the ECO process) on
the subjects of test adequacy, test development, and test results. The
plan should also summarize briefly the management of the system code,
e.g., the use of working copies to implement and test changes.
The RM-Plan must specify the nature and operation of the Configuration
Review Board (CRB) as described above for the CCB. The plan then discusses
the final review process in terms of: the information delivered to the CRB
on each implemented change; the quality control procedures utilized by the
CRB to assure that the implementation is correct; the means of verifying
that no system modifications have occurred other than the approved change;
and the CRB policies for granting final approval or disapproval. Any
exceptions to the review process should be noted. The RM-Plan describes
the removal of disapproved changes from the product and the policies for
returning such changes to an earlier stage of assessment.
The RM-Plan must acknowledge any special limits upon configuration
control. For example, if the vendor's product development activities take
place at more than one site, the RM-Plan states what aspects of RAMP occur
at each site and how central coordination is achieved.
RM-Plans for layered products must describe specifically how the vendor
will deal with the involvement of more than one company in producing the
product. There is no compromise in the required level of RAMP assurance to
accommodate layered products. The vendor demonstrates full configuration
management cognizance, meaning that the vendor has evidence on the base
product and its evolution comparable to the evidence required by RAMP for
an in-house product. The vendor's RM-Plan describes in detail how this
evidence is obtained, covering the nature of security analysis and the
existence of any cooperative arrangements among producers.
7.6 COLLECTION OF RAMP EVIDENCE
The RAMP process essentially yields three categories of product evidence:
1) the findings of security analysis, with support for all conclusions
from that analysis; 2) the records from configuration control of the
design phase, from SIR receipt through CCB review and ECO issuance; and 3)
the configuration control records for the implementation phase, covering
test results, test documentation, and verification of changes by the CRB.
Ideally, there should be a unified configuration accounting system that
embraces all of this information. Vendors entering RAMP may find, however,
that the first category of evidence overloads existing configuration
accounting systems because of the extensive commentary on security
analysis findings and decisions. An acceptable solution is to establish
supplementary information files with clear linkages to the configuration
management data via pointers and cross-references.
The RM-Plan must include an overall description of the vendor's
record-keeping system, covering basic facts such as where the master
version of the code is stored and how it is protected from unauthorized
modification or use. The discussion lists the major database elements and
notes any associated divisions of activity. (For example, the recording of
information for system changes might be distinguished from the management
of system documentation, tests, tools, test documentation, etc.) The plan
describes how the vendor can determine the status of proposed and approved
changes and can locate any supporting information.
The RM-Plan then revisits the entire configuration control process and
states the documentation requirements associated with each step (unless
documentation has already been covered in the section on configuration
control). There should be one or more reporting tasks associated with
almost every element of a rating maintenance model such as shown earlier
in Figure 3. In each case, the RM-Plan must describe: what information is
recorded; where it is recorded; who is authorized to store and retrieve
information; and what steps are taken to assure that information is
accurate and comprehensive. The plan also discusses the uses of this
information in the configuration control process for review and approval
purposes.
The Center recognizes that there may be a time granularity below which the
system code, documentation, tests, and test documentation cannot be
maintained on a synchronous basis because of lags in the updating process.
The RM-Plan should estimate the duration of configuration accounting lags
and describe any necessary steps to avoid problems from this source.
The RM-Plan must address the RAMP audit function and the VSA role in this
function. The plan must establish configuration audit procedures for
verifying compliance with every configuration control and configuration
accounting requirement, and for checking the adequacy of all associated
evidence. The plan should describe the security analysis portion of the
RAMP audit in terms of: the procedures for sampling SIRs; the number of
SIRs investigated; and the standards for assessing the adequacy of
security analysis and related documentation. The RM-Plan should also state
the vendor's intended schedule of RAMP audits. The Center does not impose
a uniform requirement in this regard because of the widely varying
circumstances encountered, with the exception that at least one RAMP audit
must occur per RAMP cycle.
7.7 COMPLIANCE WITH CRITERIA INTERPRETATIONS
The RM-Plan must explain in detail the vendor's policy for complying with
Criteria interpretations as they occur. The Center's recommended
guidelines for such a policy have been discussed in Section 4. The
objective is to provide the maximum compliance with interpretations
consistent with a vendor's unique ways of doing business. Center approval
of the RM-Plan is contingent upon attaining this objective. The policy
statement in the RM-Plan should refer to the product revision cycle (i.e.,
the maximum number of cycles that can elapse before compliance occurs) and
should also include calendar time as a factor if the revision schedule is
variable.
7.8 PRESENTATION OF EVIDENCE
Section 6 has described the contents of the Rating Maintenance Report
(RMR) and other documents submitted by the vendor to the Center at the end
of each RAMP cycle. The RM-Plan should discuss briefly how these documents
are prepared and how they will be used to defend the product, the security
analysis, and the configuration management process before the TRB.
The new material in any given RMR consists primarily of the evidence
summaries for product changes. (See Figure 5 in Section 6.) The RM-Plan
should describe the contents of these summaries for product changes that
do and do not affect the TCB. The summarization process should be
discussed with reference to the extent of VSA involvement, the
configuration accounting files used, and the vendor's ability to prepare
evidence summaries while other product changes are still under way. The
RM-Plan should estimate the time delay between the end of product changes
and the submission of an RMR to the Center for review.
Regarding the defense of evidence, the RM-Plan should indicate which VSA
or VSAs will represent the product at the next evidence submission and
what provisions will exist for supplying evidence not contained in the
RMR. Rough estimates should be given for the number of hours or days
needed to comply with various types of information requests by the TRB.
7.9 VSA AND RESPONSIBLE CORPORATE OFFICER RESPONSIBILITIES
The RM-Plan must establish the VSA and responsible corporate officer roles
in very specific terms. The required topics include: the qualifications
and corporate position of the responsible corporate officer and the VSA or
VSAs; the ability of the responsible corporate officer to support RAMP and
the VSA function; the division of technical responsibilities among
multiple VSAs, if used; and the extent of VSA involvement in every
individual RAMP activity. The plan normally presents the task-by-task
description of VSA duties as an integral part of the material on
configuration control and collection of evidence.
The RM-Plan names the person or persons occupying the VSA role and
summarizes briefly the qualifications and experience of each. Any person
representing the product as a VSA must have completed the Center training
program. (As noted earlier, the approval of an RM-Plan confers Center
recognition upon the VSAs referenced in the plan as product
representatives.) The description of each VSA's corporate position should
cover both line management and matrix management responsibilities. Any
intended use of contractors or part-time employees as VSAs should be noted
and explained.
There should be a general statement of the vendor's strategy for assuring
that the VSA or VSAs can: track all aspects of the revision process;
confirm the findings of security analysis; influence product changes;
assure the accuracy and completeness of evidence; and represent the
product effectively to the Center. If multiple VSAs are utilized, the
RM-Plan explains the reasons for this approach and describe the primary
areas of VSA responsibility in such a fashion that the Center can
associate one and only one VSA with each element of the RAMP process.
The task-by-task description of VSA duties must cover for each activity in
RAMP: 1) the share of work conducted personally by a VSA;
2) the extent of VSA supervisory authority over the given task; 3) the
ability of a VSA to influence how work is done and what outputs are
produced; 4) the arrangements whereby a VSA can evaluate the adequacy of
procedures and accuracy of data; and 5) the terms of VSA access to all
information used in and generated by the task.
The RM-Plan should emphasize VSA involvement in the CCB function, the CRB
function, the configuration audit, and the presentation and defense of
evidence. The plan should name the VSA who serves as a CCB member and show
how this function allows the VSA to control product changes through direct
input to CCB decisions and through the veto power of the responsible
corporate officer. VSA involvement with the CRB is discussed similarly.
The plan describes VSA responsibilities for producing the RMR and
representing the product to the TRB. It names the VSA or VSAs who serve as
configuration auditor(s) or audit supervisors. The RM-Plan must confirm
that VSAs have access to Dockmaster and are responsible for tracking
Criteria interpretation activity.
The RM-Plan must describe how the responsible corporate officer will
support the RAMP process and serve as the point of vendor accountability
to the Center. This description covers: the power of the responsible
corporate officer to make decisions and corporate commitments on behalf of
RAMP; the extent of responsible corporate officer supervisory authority
over the VSA(s) and over the operating groups involved in RAMP tasks; the
influence of the responsible corporate officer over product changes; the
role of the responsible corporate officer as the vendor's contact with the
BPOC; and the ability of the responsible corporate officer to influence
the corporate response to failures in the product or the RAMP process. As
described in Section 6, the responsible corporate officer must be in a
position to assume full responsibility for the content of RMR submissions.
The RM-Plan must name the lead VSA, if there are multiple VSAs, and
describe all lines of authority among the responsible corporate officer,
the lead VSA, and other VSAs. There should be an overview of RAMP program
administration showing how RAMP fits into the corporate management
structure. The RM-Plan should include a corporate organization chart and a
personnel directory listing the department and job title of all persons
who might contact the Center on the subject of RAMP. The organization
chart should be abbreviated horizontally by showing only the portion of
the corporate hierarchy that contains the responsible corporate officer,
the VSAs, all CCB and CRB members, and all operating groups with major
involvement in RAMP.
7.10 EXCEPTION HANDLING
The RM-Plan must describe any and all exception handling procedures that
may be used in the development of the product. Exception handling refers
here to actions outside the normal cycle of releases, not exceptions to
RAMP practices. Under no circumstances are interruptions in configuration
management allowable.
Specifically, the RM-Plan must address the vendor's response to product
and process failures. The failures that can occur for a product in RAMP
fall into three categories, as follows.
Bug: Improper execution of an acceptable design.
Flaw: Incorporation of an inadequate design decision.
Breakdown of process: Deficiency in the security analysis and/or
configuration management procedures that confer RAMP assurance.
These failures can have widely varying impacts upon the responsible
vendor, the user community, and the product rating. Bugs and flaws are of
greatest immediate concern to users. However, breakdowns of process tend
to have the greatest long-term impacts on product ratings and continued
RAMP applicability. Errors can usually be located and corrected if the
process remains pure, but RAMP assurance may not be recoverable if the
process fails. Section 8 discusses the response of the Center to these
types of failures.
The primary focus of exception handling is the management of system bugs.
The Center recognizes that at the C1 through B1 rating levels (which are
features-oriented rather than assurance-oriented), a product may contain
implementation errors that are undetected by evaluation and that may be
exploitable under some circumstances. It is not acceptable to pass
responsibility for vulnerability management on to system users. Vendors
should therefore plan ahead for the possibility of bugs and should develop
procedures for correcting bugs with minimum delay and risk to users.
The following are suggested steps to deal with a potentially exploitable
bug once identified. The vendor:
1) immediately deploys a repair and recovery team to analyze and
solve the problem
2) contains information regarding the bug in order to minimize risk to
operational systems
3) provides immediate notice to the TPOC so that the Center can take any
necessary steps to assure the protection of system users
4) undertakes the replacement or repair of all operational systems that
contain the bug
5) reports progress to the Center on a weekly basis
6) packages the repair or replacement in such a fashion that the
exploitable bug is not easily determinable from the repair distribution.
The RM-Plan must explain how these and related tasks will be accomplished
in case of product failure, and must state corporate policies for using
exception-fix procedures and for correcting bugs in subsequent scheduled
product releases.
The RM-Plan must also describe the vendor's internal procedures for
restoring the RAMP process if there is a process failure (and if the
Center determines that the process can potentially be restored). These
procedures include: establishing the precise nature of the error or
breakdown and the reasons for its occurrence; tracing the full
ramifications of the problem for all affected product versions; conducting
security analysis to establish corrective measures and verify product
trust; and reestablishing the unbroken trail of evidence linking to the
evaluated product.
7.11 NUMBERING AND RETIREMENT OF PRODUCT VERSIONS
A product release that includes any correction for a bug or flaw becomes a
different product from the standpoint of the Center and the user
community. The vendor must develop a product identification system that
reflects this fact. A favorable approach is an alphanumeric system in
which the numeric portion (typically involving decimals) denotes the
product version as released and the letter suffix denotes corrections. For
example, version 1.0 might be the original product subjected to
evaluation; versions 1.1, 1.2, and so on might be successive releases in
RAMP; and versions 1.0a and 1.1a might be the first two versions after a
correction has been added. This system yields a two-dimensional product
flow as illustrated in Figure 6.
In this example, a system bug is discovered after the second version (1.1)
has been released. The development of a correction for this bug yields two
new products, 1.0a and 1.1a. Then another bug is identified after version
1.2 has been released. This bug is corrected in
1.1 and 1.2, yielding products 1.1b and 1.2b, but is not corrected in
1.0 because the original product version has been retired (as defined
below). The two diagonal arrows in the diagram indicate that each bug
correction is incorporated in the next scheduled release. Every
RM-Plan should establish a product identification system that has
this degree of flexibility and comprehensiveness.
The RM-Plan should also indicate that the vendor will inform the Center
whenever a rated product version is retired. Retirement is defined in this
context as the point at which a vendor no longer offers a product version
for sale and no longer provides bug fixes and related services for that
version. The Center needs to be informed of retirement decisions so that
the affected products can be shifted to a separate section of the EPL.
7.12 MANAGEMENT OF RM-PLAN
Previous discussion has suggested why RM-Plans may change
occasionally and how changes are effected. Due to the possibility of
change, the RM-Plan must describe how the plan itself is managed. This
discussion should indicate how the vendor establishes a need to change the
RM-Plan; how the vendor formulates and proposes specific changes; and how
the vendor assures compliance with RM-Plan changes when in place.
8. RAMP TERMINATION, SANCTIONS, AND RISKS
8.1 OVERVIEW OF RAMP PROCESS
Figure 7 depicts graphically various processes from the initial evaluation
and VSA training to the establishment and application of RAMP for a
product. (Figure 7 is an expansion of Figure 2). The starting points for
establishing RAMP are the original product and the training of vendor
representatives as VSAs. The vendor develops an RM-Plan and obtains
approval for the plan before the Center starts the phase of product
evaluation. Figure 7 emphasizes that the RAMP process builds upon an
evaluated product and upon the evidence yielded by evaluation.
The RM-Plan establishes a configuration management framework for the
analysis, design, implementation, and approval of product changes. The
VSAs participate in these rating maintenance actions and assure that
security concerns dominate all decisions affecting the product. The
outputs of rating maintenance consist of approved product changes and
evidence supporting the changes. The VSAs summarize this evidence in an
RMR, which is submitted to the TPOC and reviewed by the Center community.
The TRB then receives and reviews the RMR, examines the VSAs on the
evidence, and recommends that the product rating be extended (or not
extended) to the new release. The cycle ends with approval or disapproval
of the rating by the Chief of the Product Evaluation Division and listing
of the new approved release on the EPL. The TPOC is the interface between
the vendor and the Center in all technical communications except the
interim and aperiodic reviews and the TRB examination. (The diagram omits
the responsible corporate officer and BPOC roles.)
There is no fixed limit on the number of revision cycles that can be
covered by an application of RAMP. The termination of a RAMP process can
be either voluntary or involuntary from the vendor's standpoint. A vendor
might choose to terminate RAMP because the product is being discontinued;
because no further revisions are planned; or because rating maintenance is
not considered essential for further releases.
Applications of RAMP tend to have a natural life span ending with the
vendor's introduction of a replacement product that requires evaluation
and a new RAMP process. Voluntary exits from RAMP are usually pre-arranged
to occur at the end of a rating maintenance cycle.
The intermediate cases are situations in which a vendor desires to
continue RAMP but needs to implement product changes that RAMP cannot
cover. Given a commitment to the changes, the vendor must decide whether
to terminate RAMP permanently or undergo reevaluation to start another
RAMP process. The requirement for such a choice might be established by
the VSAs when analyzing changes during a revision cycle; by the vendor
when planning future changes; or by the Center when reviewing the vendor's
future change analysis in an RMR. Advance notice of the decision point
obviously benefits the vendor by minimizing wasted effort and allowing
timely placement of the product in the queue for a reevaluation (if future
rating maintenance is intended). Consequently, the vendor should supply as
much information as possible to the Center in each future change analysis.
The Center attempts to provide an interval of at least one revision cycle
within which the vendor can seek reevaluation while rating maintenance is
still under way. However, the Center cannot guarantee that this outcome
will occur, or that any given rating maintenance cycle will be successful.
8.2 OVERVIEW OF RAMP PROCESS
Involuntary termination of RAMP is associated with failure in the product
or process. Failures can be identified through program reviews, TRB
examinations, or other mechanisms. The Center response to an identified
failure depends upon the nature of the problem and how it occurred.
The Center terminates permanently the use of RAMP for a product if the
vendor has knowingly misrepresented any aspect of the product or its RAMP
process. The VSA or VSAs responsible for the misrepresentation will no
longer be recognized by the Center as representatives of any product. The
Center permanently lifts the rating of the product release for which the
misrepresentation occurred and the ratings of any later versions dependent
upon that release for rating maintenance. Furthermore, the Center
activates the aperiodic review process to investigate the possibility of
misrepresentations or other errors in earlier releases. The product rating
is then rolled back at least to the earliest known breakdown of RAMP
assurance.
When an inadvertent failure is identified, the Center may or may not allow
the vendor to rebuild RAMP assurance and continue the rating maintenance
process. If a failure is identified during a TRB review, the vendor may or
may not be allowed to fix the failure and resubmit the product depending
on the nature of the failure. A vendor usually is permitted and able to
fix a bug (implementation error) while rating maintenance is under way.
The Center treats a system flaw (design error) similarly to a bug unless
its correction requires an architectural change that RAMP cannot
accommodate. The Center does not approve any new ratings until all
identified bugs and flaws have been eliminated, but normally does not
suspend past ratings so long as the RAMP process is unimpeached and the
vendor makes every reasonable effort to protect the user community. A
breakdown of process, such as a loss of product evidence, tends to have
the most serious consequences for rating maintenance even if no deliberate
malfeasance is involved. The Center usually lifts the ratings for all
affected releases at least temporarily, and determines on the basis of
individual circumstances whether and how the vendor can reconstruct the
RAMP process.
8.3 RISKS OF RAMP PARTICIPATION
There are no sanctions in RAMP that apply retroactively to products
evaluated by the Center. Choosing to participate in RAMP cannot place an
existing product rating in jeopardy. Thus, a vendor's decision to initiate
a RAMP process can only create the following risk. There is a chance that
the net costs incurred to participate in RAMP will not yield the desired
ratings for product revisions, and hence may be viewed as financial
losses.
Section 1 has suggested the ways in which RAMP participation can create
net monetary costs for a vendor. A major determinant is the extent to
which a vendor's business practices need to be altered to meet RAMP
requirements for security analysis and configuration management. When
evaluating whether these costs and adjustments are supportable, a vendor
should be aware of the following considerations.
1) The chance that an application of RAMP will be unsuccessful can be
greatly reduced by approaching the program constructively and
conscientiously. This means allocating the time of highly capable and
experienced personnel to the RAMP process; applying scrupulously the
RAMP principles of security dominance and configuration management;
and keeping the Center as well-informed as possible about upcoming
product changes.
2) The net costs of creating and pursuing a RAMP process can be viewed as
an investment with potential returns extending well beyond the given
product. The capabilities developed in one RAMP experience are valuable
not only for other applications of the program but also for the creation
of new trusted products from start to finish.
Regarding the second point, the value of in-house security wisdom is
increasing very rapidly for computer vendors. Various factors are making
access to the expanding market for trusted systems more and more dependent
upon the availability of this resource. RAMP is the appropriate context
and focus for developing security analysis capability.
APPENDIX
SUMMARY OF RAMP REQUIREMENTS
This appendix summarizes the vendor's and the Center's requirements for
RAMP. These requirements are linked to the timing of the product
evaluation and are listed in approximate order of occurrence, under the
phase of the evaluation process in which they occur. A vendor failing to
satisfy these requirements loses the opportunity to participate in RAMP
until such time as the product in question is reevaluated. The Center
reserves the right to deny a rating and/or discontinue the Rating
Maintenance Phase at any time.
PREEVALUATION PHASE
1. Vendor establishes an intent to participate in RAMP in the
evaluation package/proposal for a given product.
VENDOR ASSISTANCE PHASE/DESIGN ANALYSIS PHASE
1. The vendor must identify and maintain a responsible corporate
officer. The responsible corporate officer represents the vendor in
administrative matters, serves as the point of vendor accountability
to the Center, is able to make decisions and corporate commitments on
behalf of RAMP, and supports the technical role of the VSA.
2. The vendor must complete training of one or more Vendor Security
Analysts (VSAs) before implementation of the vendor's Rating Maintenance
Plan but not later than completion of the IPAR. The vendor must provide
for VSA access to the Center's Dockmaster computer system at the time VSA
training begins. Whenever a vendor uses more than one VSA, a lead VSA will
be identified by the vendor.
3. The Center will provide RAMP training for VSAs.
4. The vendor must develop, have approved, and implement a
Rating Maintenance Plan (RM-Plan). The RM-Plan must be approved by the
Center prior to its implementation but not later than completion of the
IPAR. The approved RM-Plan must be implemented before development begins
on the version that will supersede the evaluated version.
5. The Center will review the vendor's RM-Plan for purposes of
approving the RM-Plan.
EVALUATION PHASE
1. The vendor must maintain a responsible corporate officer.
2. The vendor must maintain one or more Center-trained Vendor
Security Analysts (VSAs) once the vendor's RM-Plan has been implemented.
The vendor must provide for VSA access to the Center's Dockmaster computer
system. Whenever a vendor utilizes more than one VSA, a lead VSA will be
identified by the vendor.
3. The Center will provide RAMP training for VSAs.
4. The vendor must complete implementation of the
Center-approved Rating Maintenance Plan (RM-Plan) and must follow the
business practices outlined in the RM-Plan. The RM-Plan must be
implemented before development begins on the version that will supersede
the evaluated version. Any changes to the RM-Plan must be approved by the
Center and must be made according to the provisions within the approved
RM-Plan.
5. The vendor must conduct, for his own purposes, an initial
RAMP audit to assure that security feature functionality and assurances
are being maintained by adherence to all the procedures established in the
vendor's approved RM-Plan.
6. The Center evaluation team will review the results of the vendor's
initial RAMP audit to ensure the vendor's RAMP process follows the
procedures outlined in the vendor's RM-Plan.
7. The Center assigns a Technical Point of Contact and a Business Point of
Contact before completion of the evaluation phase. The TPOC advises and
coordinates the use of RAMP for the given product. The BPOC handles
administrative and programmatic aspects of the process.
RATING MAINTENANCE PHASE
1. The vendor must maintain a responsible corporate officer.
2. The vendor must maintain one or more Center-trained Vendor Security
Analysts (VSAs) once the vendor's RM-Plan has been implemented. The vendor
must provide for VSA access to the Center's Dockmaster computer system.
Whenever a vendor uses more than one VSA, a lead VSA will be identified by
the vendor.
3. The Center will provide RAMP training for VSAs.
4. The Center maintains a Technical Point of Contact and a Business Point
of Contact.
5. The vendor must provide product instruction for the Center Technical
Point of Contact, as needed throughout the Rating Maintenance Phase. This
is to include product documentation, vendor provided classes, and hands-on
system access time.
6. The vendor will provide quarterly informal status reports to the
Technical Point of Contact via the Center's Dockmaster system throughout
the Rating Maintenance Phase.
7. The vendor must conduct, for each RAMP cycle, at least one RAMP audit
to assure that security feature functionality and assurances are being
maintained by adherence to all the procedures established in the vendor's
approved RM-Plan.
8. The Center Technical Point of Contact will review the results of
the vendor's RAMP audit to ensure the vendor's RAMP process follows
the procedures outlines in the vendor's RM-Plan.
9. The vendor will submit concurrently to the Center the following
documents for each version of an evaluated product for which the vendor
desires to have the rating maintained via RAMP:
a) Rating Maintenance Report (RMR)
b) Rating Maintenance Plan (RM-Plan) with change bars
c) Final Evaluation Report with change bars
d) Final Evaluation Report with integrated changes
e) Proposed product description for EPL
The documents intended for public release are the final evaluation report
with integrated changes and the proposed product description for EPL.
10. The Center will review the vendor's documents for purposes of
extending the rating to the specific release and for placement on the
Evaluated Products List.
11. The vendor's RAMP process is subject to two types of reviews (Interim
Reviews and Aperiodic Reviews) by the Center. Both types of program review
have the purpose of assuring that security feature functionality and
assurances are being maintained by adherence to all the procedures
established in the vendor's approved RM-Plan.
GLOSSARY
BPOC - Business Point of Contact (Center).
CCB - Configuration Control Board.
Center - National Computer Security Center.
CF - Code Freeze.
CI - Configuration Item.
COMPUSEC - Computer Security.
CRB - Configuration Review Board.
Criteria - Same as TCSEC.
Dockmaster - A Center computer system serving
the evaluation community.
ECO - Engineering Change Order.
EPL - Evaluated Products List.
Evaluated Product - A product version that has undergone evaluation by the
Center. (By convention, excludes products assigned D ratings. An evaluated
product is always a rated product, but the reverse is not always true for
products in RAMP.)
FER - Final Evaluation Report.
Interpretations - Published Center Interpretations of the TCSEC.
IPAR - Initial Product Assessment Report.
PTR - Preliminary Technical Report.
RAMP - Rating Maintenance Phase.
Rated Product - A product version with a TCSEC rating and a listing on the
EPL, obtained either through evaluation or RAMP. (By convention, excludes
products with D ratings.)
RM-Plan - Rating Maintenance Plan.
RMR - Rating Maintenance Report.
SIR - Service Improvement Request.
TCB - Trusted Computing Base.
TCSEC - Department of Defense Trusted Computer System Evaluation Criteria
(DoD 5200.28-STD); the Criteria against which products are evaluated to
establish security ratings.
TPOC - Technical Point of Contact (Center).
TRB - Technical Review Board (Center).
VSA - Vendor Security Analyst.
BIBLIOGRAPHY
Department of Defense Trusted Computer System Evaluation Criteria,
December 1985 (DOD 5200.28-STD).
Brown, Leonard, R. "Specification for a Canonical Configuration Accounting
Tool," Proceedings of the 10th National Computer Security Conference, 21
September 1987, p. 84.