Maintenance


A Common.SECC certificate is specific to a POI at the time of its evaluation, including the hardware and software versions of its component parts.

Maintenance

If any aspect of the POI considered to be security-relevant changes following evaluation, the vendor must inform the CC laboratory. The laboratory should assess the modifications, and if they are confirmed to be security-relevant should perform a delta evaluation to ensure that the security requirements are maintained. Likewise, if any other aspects of the POI change (such as the introduction of a new development site) the laboratory should assess the changes and perform a delta evaluation. The resulting delta evaluation should then be submitted to the Common.SECC CCB. Patches, updates and security-affecting variations to a POI imply a new or modified POI, and the changes may be reflected on the Common.SECC web site. In some cases the changes may result in there being more than one variant of the POI being offered for sale and deployment concurrently.

A Common.SECC certificate is valid for six years.

Surveillance

a) A Common.SECC Certificate is valid for six years from its date of issuance. Three years after the date of issuance a re-assessment of the evaluator is required confirming that the TOE version certified three years ago still meets the Common.SECC security requirements. The re-assessment should preferably be delivered by the evaluator that carried out the original assessment of the TOE. If the re-assessment is delivered after three years this will be shown on the Common.SECC web page device library. If the re-assessment is not delivered after three years this will be indicated on the Common.SECC web page device library as “Re-assessment Missed”.

b) This applies to all TOE versions included in the originally issued certificate. If an already Common.SECC certified TOE is changed in a security relevant way it needs re-evaluation and a new certificate will be issued for this new version of the TOE. For this newly issued certificate the process described under a) applies accordingly. The three and six year validity dates of such a delta certificate will be the same as for the original certificate for the product.