Rating Maintenance Phase Program NCSC-TG-013-89 Library No. S-232,468 Version - 1 FOREWORD The National Computer Security Center has established an aggressive program to study and implement computer security technology, and to encourage the widespread availability of trusted computer products for use by any organization desiring better protection of their important data. The Trusted Product Evaluation Program, and the open and cooperative business relationship being forged with the computer and telecommunications industries, will result in the fulfillment of our country's computer security requirement. We are resolved to meet the challenge of identifying trusted computer products suitable for use in protecting information. "Rating Maintenance Phase Program Document" is the latest in the series of technical guidelines published by the National Computer Security Center. The Rating Maintenance Phase (RAMP) of the Trusted Product Evaluation Program provides for the maintenance of computer security ratings across product revisions. This document describes RAMP for current and prospective vendors of trusted systems. The primary objectives are to provide formal statements of program requirements and to provide guidance on addressing them. As the Director, National Computer Security Center, I invite your recommendations for revising this technical guideline. We plan to review this document as the need arises. ________________ Patrick R. Gallagher, Jr. 23 June 1989 Director, National Computer Security Center ACKNOWLEDGMENTS The National Computer Security Center extends special recognition and acknowledgment to Tommy Hammer, Ph.D., as principal author of this document and to LT Patricia R. Toth (USN) as project manager for the publication of this document. We wish to thank the following for their contributions in developing the concepts and procedures of rating maintenance characterized by this document: Blaine Burnham, Ph.D., David M. Chizmadia, Donald Crossman, Major Doug Hardie, Howard Israel, Shawn P. O'Brien, Michael J. Oehler, Mary D. Schanken, Dana Nell Stigdon, John W. Taylor, and W. Stan Wisseman. 1. OVERVIEW OF THE RATING MAINTENANCE PHASE 1.1 BACKGROUND AND CHARACTERISTICS OF RAMP The National Computer Security Center (the Center) evaluates commercially marketed products against the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) classes D through A1. Each evaluation by the Center yields a TCSEC class designation, or rating, for the given product. The Center publishes these ratings in the Evaluated Products List (EPL), which is widely cited in computer system procurements. The Center thus works in partnership with private industry to establish product trust. The purpose of the Rating Maintenance Phase (RAMP) is to provide currently available trusted products. RAMP is essential for this purpose because of the frequency with which many vendors revise their offerings. Vendors often market new releases of a product every few months and keep multiple versions under development at all times. Without RAMP, only the initial evaluated version is a trusted system with a TCSEC rating. RAMP allows the Center to establish a rating and an EPL listing for each product release following an evaluated release. RAMP is intended to yield an EPL listing for a revised product shortly after its release date. This outcome is possible because RAMP builds cumulatively upon the evidence and assurance established by a product evaluation, and because the vendor bears primary responsibility in RAMP for maintaining product trust as the system evolves. The vendor follows strict procedures that integrate security analysis, configuration management, and evidence accumulation into the development process. The Center then extends the product rating to each successive release by ascertaining that the vendor has executed all rating maintenance responsibilities fully and correctly. RAMP always builds upon a product evaluation; it provides no opportunity to avoid an evaluation. The program does not diminish the role of evaluations in any sense other than reducing vendor motivation to seek product reevaluations. RAMP provides no opportunity for a product release to obtain a different rating from the one held by the original evaluated version (other than a D rating, which terminates RAMP for the given product). 1.2 RAMP BENEFITS AND COSTS The following are potential benefits of RAMP for system vendors: 1) Vendors participating in RAMP can offer their latest products in response to procurements that favor or require systems rated under the Trusted Product Evaluation Program. 2) RAMP makes it easier for vendors to discontinue support of previously rated products that have become outdated. 3) RAMP can reduce a vendor's long-term need for reevaluations while increasing the vendor's rated product offerings. 4) RAMP can clarify a vendor's representation of a new product version as a trusted system. 5) RAMP creates a learning process for vendors that can yield valuable knowledge for trusted system development and marketing. RAMP participation creates four general types of cost for vendors: 1) Initial expenses of personnel training and program planning. 2) Net vendor costs of establishing RAMP and undergoing a product evaluation with RAMP. 3) Net costs of complying with RAMP procedural requirements when developing product revisions. 4) Costs of producing the Rating Maintenance Report and conducting related tasks to obtain rating approval. Costs in the second and third categories largely involve the establishment of a rigorous configuration management system for product changes. These net costs are highly dependent upon company policies and procedures in the absence of RAMP, and must be judged on a case - by - case basis from the description of the program in the following sections. 1.3 RAMP COVERAGE RAMP is currently available only for the maintenance of C1, C2, and B1 ratings. At present, a product cannot hold a B2, B3, or A1 rating without an evaluation of the precise version in question. RAMP is currently directed toward operating systems. Layered products are also eligible if their sponsors can meet the same requirements that apply to operating systems. RAMP does not cover subsystems. The Center can accommodate the evolution of subsystem products more appropriately through reevaluations. Networks and network components are not eligible for RAMP at this time, pending resolution of relevant issues for these products. Vendor participation in RAMP is required for all products under evaluation for a C1, C2, or B1 rating. A vendor must establish an intent to participate in RAMP prior to the vendor assistance phase of an evaluation for the original product, and must then pursue the process continuously so that successive versions of the product are rated at the same level as the preceding version. (Previously evaluated products can remain on the EPL, without RAMP involvement.) The Center reserves the right to determine at any point in an application of RAMP that further rating maintenance is not viable under the program because of the nature of product changes. As described in Section 6, the Center provides advance notice of such determinations whenever possible. 1.4 RAMP APPROACH Figure 1 shows the aspects of a typical product life cycle that create the need for RAMP. Figure 1 does not cover participation in RAMP (or the first two evaluation steps listed below). The uppermost time line depicts a vendor's development of a new product, and the second time line describes the Center evaluation of this release. The sequence of events for a product evaluation without RAMP is as follows. 1) The vendor submits an evaluation proposal package to the Center for the given product. 2) The Center assesses the company, the marketability of the product, and the feasibility of evaluating the product under the TCSEC. 3) The Center prepares a Preliminary Technical Report (PTR) describing the condition of the product, its development schedule and requirements, and its candidate rating level. 4) The vendor develops the product according to the schedule identified in the PTR. The Center provides assistance in meeting the intended rating level. 5) The vendor declares a code freeze (CF) on the given release of the product. The code freeze is the end of substantive product changes (as opposed to testing and fix activities). 6) The Center prepares an Initial Product Assessment Report (IPAR) for review by the Center's Technical Review Board (TRB). In contrast to the PTR, the IPAR is an intensive analysis yielding an estimation of whether or not the product is able to sustain an evaluation at the targeted level of trust. 7) The Center conducts an evaluation wherein product trust must be demonstrated and defended to the satisfaction of the TRB. 8) The TRB makes a rating recommendation. 9) Upon ratification by the Chief of the Product Evaluation Division, the rating is forwarded for publication on the EPL. 10) The Center publishes a Final Evaluation Report (FER) at roughly the same time that the product appears on the EPL. The FER is a summary, intended to be publicly releasable, of evidence on product trust. The central portion of Figure 1 describes the vendor's evolution of the hypothetical product over time. Long-range planning of the product's development typically yields a prioritized list of desirable system modifications for inclusion in releases following the original product. The revision process works progressively down this list, with the number of modifications in each revision determined by technical, financial, and marketing factors. Figure 1 depicts a fast revision cycle in which the development of each successive product version begins before the code freeze for the previous release. A slower cycle might involve the development of each new version after the previous version is released. As already stated, without RAMP only the specific product version evaluated by the Center is a trusted system with a TCSEC rating and a listing on the EPL. This holds regardless of the nature of system changes, because evaluation and RAMP are the only acceptable mechanisms for verifying the performance and assurance of the security features of the product. All new releases without RAMP continue to be unrated until such time as the product is reevaluated, i.e., some version undergoes evaluation by the Center and thereby receives a rating. A goal of RAMP is life-cycle product assurance, meaning production of evidence that the security features functionality and assurance established in an evaluation are maintained across every system revision. Figure 1 shows the need for several key aspects of RAMP. First, life-cycle product assurance clearly requires vendor involvement and willingness to integrate security concerns into the system development process. Security analysis and the assembly of product evidence cannot be treated as intermittent or external functions. Second, rating maintenance activities obviously must be established very early in the product life cycle, before the original product is completed and work has begun on subsequent releases. Third, the manner in which the Center achieves rapid turnaround of rating maintenance requests is reliance upon ongoing procedural controls. These controls include program planning requirements, training of vendor personnel to perform security analysis, and Center reviews of the rating maintenance process. The key elements of RAMP are security analysis and configuration management. Security analysis is the intellectual process of designing, analyzing, and testing product changes to assure that they do not compromise the security characteristics of the product. Configuration management*defined as a process of systematically managing changes across an entire system*is the overall procedural framework for implementing and documenting the directives and conclusions from security analysis. Configuration management provides the fundamental linkage of product evidence between the evaluated product and each new release under RAMP. A rigorous configuration management system should be established prior to the evaluation phase and applied to every product change throughout the duration of rating maintenance. This requirement holds for any product in RAMP. (Product evaluations without RAMP require configuration management only for rating levels B2 and above.) Figure 2 describes the general structure of RAMP. This diagram provides a brief overview of the topics discussed in the following sections, and is superseded in Section 8 by a more detailed graphic depiction of RAMP activities. The boxes in Figure 2 are task groupings arranged on a time scale from left to right. The arrows denote flows of information and program directives. Ramp Approach - Continued Box 1 depicts the Center evaluation of the original product. (This document commonly refers to the evaluated product that starts a RAMP process as the "original" product, even though it may in fact be a reevaluated version of some earlier product.) The vendor has already established an intent to participate in RAMP in the evaluation proposal package for the given product. While the product is still under development, one or more vendor representatives undertake a Center training program in computer security and RAMP requirements (box 2 in Figure 2). A person completing this program can serve as a Center-recognized Vendor Security Analyst (VSA) in representing the vendor's product to the Center. The VSA role is a key source of product assurance in RAMP. (See Section 2 for a discussion of Center recognition of VSAs.) The vendor specifies every aspect of the vendor's RAMP process in a Rating Maintenance Plan (RM-Plan). The RM-Plan establishes all procedures for maintaining product trust, including control of changes to the RM-Plan itself. The RM-Plan can be tailored to the vendor's preexisting business practices, but it must be followed precisely throughout the product life under RAMP. Preparation of the RM-Plan (box 3 in Figure 2) begins as soon as the vendor has gained a sufficient understanding of rating maintenance. The RM-Plan must be approved by the Center before the Center's issuance of an IPAR for the original product. The RM-Plan must be in force before development begins on the version that will supersede the evaluated version. The activities depicted by boxes 4 through 6 in Figure 2 recur for each product revision. (Box 3 recurs whenever the RM-Plan is changed.) Rating maintenance actions*box 4*are configuration management tasks conducted entirely by the vendor. These actions include: examining proposed system changes for security relevance; analyzing the direct and indirect impacts of changes; giving instructions for the implementation of changes; monitoring the implementation process; testing the revised system; modifying the tests as necessary; and updating all documentation to reflect each change. A VSA conducts, supervises, or monitors each of these tasks. The vendor's RAMP process is subject to two types of reviews by the Center (box 5). The Center conducts an interim review after the start of rating maintenance for each new product revision. These interim reviews may or may not involve site visits after RAMP has operated for one or more releases. The Center also conducts aperiodic on-site reviews. Both types of program review have the purpose of assuring that security features functionality and assurance are being maintained by adherence to all the procedures established in the RM-Plan. Both reviews serve the mutual interest of the vendor and the Center in identifying problems quickly so that the vendor can initiate corrective actions in a timely manner. The Center assigns a Technical Point of Contact (TPOC) to advise and coordinate the use of RAMP for the given product. A Center Business Point of Contact (BPOC) handles administrative and programmatic aspects of the process. A Responsible Corporate Officer represents the vendor in administrative matters. The Responsible Corporate Officer is a person empowered to commit the company financially to the program and support the technical role of the VSA. Sections 2 and 5 describe these persons and their interactions in greater detail. Box 6 in Figure 2 covers the submission and review of evidence for a completed revision. The vendor submits to the Center a Rating Maintenance Report (RMR) containing a summary of product evidence. Following an initial review for completeness and general adequacy, the RMR is forwarded to the Center's Technical Review Board (TRB). The VSA or VSAs associated with the product then defend the RMR and other evidence before the TRB. The remaining steps in a successful application of RAMP include a recommendation by the TRB, a rating approval by the Chief of the Product Evaluation Division, and a product listing on the EPL. The process is designed so that, if all the vendor's preparations are complete and accurate, only a short time should elapse between the end of the initial RMR review and the listing of the product on the EPL. 1.5 LINKAGES BETWEEN RAMP AND EVALUATION The establishment of RAMP is tied to the evaluation process at four points. First, the vendor must include an intent to participate in RAMP as part of the evaluation proposal package that starts the evaluation process. Second, the Preliminary Technical Report (PTR) prepared by the Center establishes the ability of the vendor to conduct RAMP activities. The PTR examines the vendor's understanding of configuration management; explains the implications of the TCSEC for the given product; and advises the vendor about the contents of the RM-Plan. Third, the Center does not complete an Initial Product Assessment Report (IPAR) for a product covered by RAMP until an RM-Plan is approved. A section of the IPAR confirms the adequacy of the RM-Plan and the vendor's ability to comply with all provisions of the plan. Fourth, the vendor of a product in RAMP prepares a RAMP audit to support the evaluation by the Center. The RAMP audit is discussed in Section 3. The Center conducts three TRB sessions. During the first session, at the end of the Design Analysis Phase, the IPAR is reviewed. The second and third TRB sessions occur during the Evaluation Phase. The second session covers product testing. The third is a final, comprehensive session. The initial RAMP audit must be evaluated and approved at the second TRB session. (The program assessment performed at this time constitutes the first RAMP interim review. See Section 5 for further discussion of interim reviews.) The RAMP audit is treated at that time as an integral part of the functional testing requirement (test suite) for the product. This is one of several respects in which RAMP participation increases the evaluation effort for both the vendor and the Center. 1.6 APPLICABILITY OF RAMP The following table summarizes RAMP eligibility in terms of product type. RAMP ELIGIBILITY BY TYPE OF PRODUCT Eligible Products Ineligible Products Operating Systems Subsystems Layered products, if vendor Networks demonstrates knowledge of base product consistent with RAMP requirements* *See Sections 3 and 7 A vendor must satisfy the RAMP requirements summarized in the Appendix. These requirements are linked to the timing of the product evaluation and are determined as the evaluation proceeds. A vendor failing to satisfy these requirements loses the opportunity to participate in RAMP until such time as the product in question is reevaluated. 1.7 DOCUMENT CONTENTS The organization of material in the remainder of this document generally follows the numbering of boxes in Figure 2. The one exception is that description of the RM-Plan is deferred until all subjects covered by the plan have been discussed. Section 2 addresses the training of vendor personnel as VSAs. (Description of the VSA role continues in Sections 4 through 6.) Rating maintenance actions are the subject of Sections 3 and 4. Section 3 discusses the conceptual aspects of configuration management in RAMP, and Section 4 addresses procedural issues. Section 5 deals with program reviews and the structure of RAMP in terms of communication and accountability. Section 6 covers the presentation of evidence for a product revision and the steps leading to a rating determination. Section 7 describes the contents of the RM-Plan. Section 8 provides an overview of the RAMP process. The Appendix summarizes the vendor's and the Center's requirements for RAMP. 2. VENDOR PERSONNEL 2.1 INTRODUCTION RAMP defines two roles for vendor personnel: the Vendor Security Analyst (VSA) and the responsible corporate officer. At least one Center-recognized VSA, and a responsible corporate officer, must be maintained while rating maintenance actions are underway. The use of multiple persons in the VSA role is a practical necessity for some products. Vendors choosing to use multiple VSAs must designate one of these persons as the lead VSA and must maintain clearly defined areas of VSA responsibility. VSAs are responsible for the execution of all technical tasks in RAMP including the presentation and defense of product evidence. Other persons can participate in RAMP tasks at the discretion of the vendor, but only VSAs can represent the RAMP process technically to the Center. The ability of RAMP to yield timely rating approvals for an evolving product depends heavily upon the credibility and expertise of the responsible VSA or VSAs. These VSA characteristics are acquired and demonstrated through the VSA training program and the operation of the RAMP process. The responsible corporate officer provides overall management of the vendor's RAMP effort and serves as the point of corporate responsibility for RAMP to the Center. The responsible corporate officer designates persons as VSAs; oversees the nonresident phase of VSA training; establishes VSA responsibilities; communicates with the Center on administrative and programmatic issues; and provides corporate assurance that the RM-Plan and submissions of evidence accurately describe the vendor's RAMP process. Any misrepresentation of the process places the product rating at risk, reflecting upon both the responsible corporate officer and the VSAs involved. The responsible corporate officer must occupy a sufficiently prominent position in the corporate structure to bear this responsibility and to commit the necessary company resources to RAMP. This subsection addresses the VSA training program, the establishment of VSA credibility, and the program requirements pertaining to multiple VSAs. The next four subsections describe VSA duties and responsibilities in more specific terms. Section 7 then discusses the establishment of the VSA role in the RM-Plan, and Section 8 covers Center and vendor responses to failures in this role. 2.2 SELECTION AND RECOGNITION OF VSAS While the vendor will probably employ numerous technical personnel in support of product development and maintenance, the Center only recognizes as RAMP representatives those individuals who have completed the VSA training program and are named by the vendor's RM-Plan as VSAs. Only these Center-recognized VSAs and the responsible corporate officer can interact with the Center on behalf of the product. The remainder of this subsection discusses criteria that should be considered by the responsible corporate officer when selecting personnel who will support the technical development or maintenance of a product (to include both VSAs and other technical personnel). Additional criteria, applying only to VSAs, are discussed in the next subsection, Admission To Training Program. Recommended Criteria for Vendor Selection of Technical Personnel: 1) Knowledge of the product on which the person will work. 2) Knowledge of computer science and computer security. 3) Corporate position and expected longevity of association with the vendor and the given product. 4) Time availability for involvement in RAMP tasks. 5) Contribution to multiple-VSA strategy (if used). Regarding the first two criteria, the emphasis of RAMP upon VSA capability provides strong motivation for vendors to staff this function with the most knowledgeable persons available. The third and fourth criteria are practical considerations of obvious significance and are particularly relevant to personnel serving as VSAs. Problems can result from relying upon persons at either end of the corporate hierarchy. Low-ranking persons may lack sufficient authority and influence to fill the VSA role effectively, whereas high-ranking persons may not have enough time for day-to-day participation in rating maintenance tasks. Ideally, a VSA should be devoted full-time to the security analysis and rating maintenance of the given product. Continuity of involvement is critical because smooth operation of RAMP depends upon the progressive establishment of VSA credibility with the Center. The last criterion covers such possibilities as using backup VSAs, establishing mentoring relationships among VSAs, and selecting VSAs to fill specialized roles within the RAMP process. 2.3 ADMISSION TO TRAINING PROGRAM Vendors should submit VSAs for training by the Center as soon as possible when planning to use RAMP. The Center views timely involvement in the training program as an indicator of vendor commitment to the RAMP process. The responsible corporate officer sends a written request for vendor training with a statement of qualification for each potential trainee. (Ideally, the responsible corporate officer also undergoes training.) The Center strongly urges vendors to submit candidates with the following qualifications: General: 1) Participants in the Center training program should have sufficient background in computer science to analyze all aspects of system design including functional hardware logic and software code. 2) A trainee should be knowledgeable about the specific product for which he or she will serve as VSA. (A person can possibly serve as a Center-recognized VSA for multiple products, but at any given time the Center only deals with a VSA as a representative of a specific product.) Specific: 3) A trainee should have obtained a degree from a four- or five-year college program with a major in computer science, engineering , or other technical field that emphasizes computer science; OR, a trainee should have at least five years of professional experience working with computers in a design or analytical capacity. 4) A trainee should have at least one year of experience with the specific product for which she or he will serve as VSA. 2.4 CENTER TRAINING PROGRAM The VSA training program addresses the following subject areas: general principles of computer security; requirements and Center interpretations of the TCSEC; security issues in the system development process; and all aspects of RAMP. The calendar time required for a trainee to complete the course depends upon scheduling factors but should not exceed two months given an adequate time commitment. It is not possible in such a period to train persons as security evaluators capable of conducting an unsupervised product evaluation; but the course does impart sufficient capability to establish product trust when working from an evaluated system. The Center assumes no responsibility for the selection of a VSA and, in particular, the consequences of an inappropriate selection of a VSA by a vendor. The Center training program is provided as an additional measure to help the vendor prepare and select appropriate personnel to serve as VSAs who will, in turn, increase the likelihood that the vendor will be able to maintain a given product's level of trust. The Center's principal concern is, and will remain, the maintenance of a product's rating, not the certification of a VSA. For this reason, the Center will assist in the training of, but will not formally certify, VSAs. The training program currently consists of a three-week program of study conducted at facilities in the Baltimore/Washington, D.C., area. Beginning in 1990 the Center plans to implement a dual-phase program, which will include a nonresident (correspondence) phase and a resident phase (with the former always occurring first). The remaining description of the Center training program describes the planned implementation of the dual-phase program. The current Center residence program incorporates all resident testing and assessment of VSAs. The nonresident portion of the training program does not require a classroom setting and can take place at any location convenient to the vendor and the trainees. The flexibility of this phase with regard to location and scheduling allows the training program to be driven by vendor demand. However, the course requires a significant block of time and cannot simply be scheduled around an employee's normal workload. The responsible corporate officer must take responsibility for assuring that each trainee has adequate time for the program. In addition, the nonresident phase will not begin until the vendor has provided for VSA utilization of the Center's Dockmaster information system (described in Section 5). The materials utilized in the nonresident phase of the training program include: 1) documents prepared by the Center for use in the course; 2) additional required and recommended readings; and 3) tests covering the course documents and required readings. A vendor representative serves as proctor for the nonresident coursework. The proctor monitors the progress of each trainee and administers tests and written assignments. The responsible corporate officer designates the proctor, monitors the conduct of the course, and provides assurance to the Center that all aspects of the nonresident phase are executed conscientiously. A Center training point of contact is available to answer technical and administrative questions about the program. Trainee performance in the nonresident phase is evaluated on the basis of tests, written assignments, and open-book group projects. The tests cover the course documents and required readings. These materials are forwarded to the vendor with guidelines for interpreting results, such as the scores that constitute satisfactory performance on each test. The vendor has responsibility for determining that a trainee has mastered the nonresident coursework sufficiently to enter the resident phase. Trainees then undertake approximately one week of resident classwork at the Center facility in Maryland. The resident phase focuses upon a worked example of a Trusted Computing Base (TCB), designed to provide practical experience in security analysis. The related course materials include a sample RM-Plan and a sample Rating Maintenance Report. Trainees are evaluated in this phase by written assignments and an oral examination that takes the form of a product defense before a mock Technical Review Board (TRB). The Center will notify the vendor of each trainee's performance in the resident phase and offer a recommendation as to whether or not the given person should be used as a VSA. The assessment provided will note the VSA's performance using both an absolute scale of reference (i.e., raw scores on tests) as well as a relative scale (i.e., the VSA's performance as compared to other VSA candidates who have attended the training). These scores will be supplemented by a subjective assessment of the candidate VSA's performance. In the case of a weak candidate, the Center may indicate that using the given person as a VSA will jeopardize the vendor's RAMP process. The vendor makes the final decision in this regard. The only absolute requirements for Center recognition of a vendor representative as a VSA are: 1) completion of both phases of the training program, and 2) assignment of VSA responsibilities to the given person in the vendor's RM-Plan (discussed later). The VSA training program addresses general principles of computer security and system development, and is not product-specific. In the event a VSA becomes a vendor representative for some other product, the training program need not be repeated. 2.5 FURTHER ESTABLISHMENT OF VSA CREDIBILITY Smooth operation of the RAMP process requires a higher level of VSA credibility and expertise than can be established in classroom training alone. In each RAMP cycle, vendors must demonstrate to the satisfaction of the Technical Review Board (TRB) that security analysis has been conducted thoroughly and correctly according to the RM-Plan. This demonstration involves written evidence, VSA defense of the evidence, and VSA credibility based upon past performance in RAMP. The higher the level of demonstrated VSA capability, the less need for time-consuming examination and information requests, and the less risk of a negative rating determination. A practicing VSA builds credibility through program reviews and presentations to the TRB. The former includes interim reviews during every RAMP cycle and aperiodic reviews on a less frequent basis. The Center places major emphasis on a VSA's first interim review. (See Section 5.) In the first presentation of evidence by a VSA, the TRB examines the VSA's understanding of the product as well as the management of changes under RAMP. The topics of questioning include: 1) the product and its security features and assurances; 2) the procedures followed in applying RAMP on a day-to-day basis; and, 3) the substance and rationale of decisions regarding product changes. Section 6 provides further discussion of the evidence submission process. Vendors are made aware of any VSA credibility problems through TRB recommendations and other communications between the Center and the responsible corporate officer. A VSA who knowingly misrepresents any aspect of rating maintenance for a product will no longer be recognized by the Center as a RAMP participant for any product. Furthermore, when a vendor (responsible corporate officer) allows a misrepresentation to occur, the RAMP process is terminated with no rating approval for the product version that was misrepresented. The Center then reviews the previous cycles of rating maintenance to determine whether the rating should be rolled back across earlier releases. (See Section 8.) Lesser infractions consisting of inadvertent VSA errors and oversights can yield serious delays and uncertainties in rating approval. Overall, there is strong vendor self-interest in using VSAs who can establish and maintain a high level of credibility with the TRB. 2.6 MULTIPLE VSAS Vendors can often benefit from using more than one Center-recognized VSA for a given product. The multiple-VSA approach supports program continuity in the event that a VSA becomes unavailable for duty or proves to be deficient in some respect. For some products, multiple VSAs may be essential in order to assign separate responsibility for different production sites, different parts of a product, or different aspects of rating maintenance. A vendor may also employ some VSAs without assigning them any official responsibilities in the RM-Plan. The vendor can use such persons in backup, apprenticeship, or other supporting roles while limiting the number of product representatives. The Center encourages the use of multiple VSAs subject to the conditions stated in the following paragraphs. These conditions, and all further references to VSAs in the present document, pertain just to Center-recognized VSAs who have completed the training program and are assigned RAMP responsibilities in the RM-Plan. Other VSAs can be deployed freely by the vendor in the same fashion as regular employees but cannot interact directly with the Center. The Center must know at all times which VSAs are representing the product and precisely what their individual responsibilities are. At least one Center-recognized VSA must be representing the product at any time that rating maintenance actions are underway. The RM-Plan should describe the primary area of responsibility for each VSA in such a fashion that all RAMP activities are covered and there is no ambiguity as to who is answerable for any given aspect. Divisions of responsibility by production site or corporate department should be noted along with divisions of responsibility by RAMP task. VSA responsibilities cannot be altered without formally changing the RM-Plan to describe the new assignments. As described in Section 7, the vendor must obtain approval for any change in the RM-Plan from the Center Technical Point of Contact. The RM-Plan approval constitutes the Center's recognition of any VSAs named for the first time as responsible representatives of the RAMP process. Vendors are urged to make any changes in VSA responsibilities at the beginning of a rating maintenance cycle, i.e., within a month after the previous rating approval. Every recognized VSA must sign the Rating Maintenance Report and be prepared to defend product evidence for the given cycle before the TRB. Ultimate responsibility for the RMR rests with the responsible corporate officer. Other VSA duties can be conducted by one rather than all VSAs. For example, only one VSA need be a member of the Configuration Control Board. (See Section 4.) Vendors should nevertheless be aware that the use of multiple VSAs does not lessen the degree to which each is accountable. An application of RAMP is only as strong as its weakest link in terms of VSA credibility. A vendor using multiple VSAs must designate one person as the lead VSA. Most technical communication between the vendor and the Center involves the lead VSA. The Center may require at its discretion that all technical communication be routed through the lead VSA during some or all of the RAMP cycle. It is logical but not necessary for the lead VSA to have supervisory powers over other VSAs. The RM-Plan should describe any supervisory or coordinating relationships among VSAs. These issues are discussed further in Sections 5 and 7. 3. SECURITY ANALYSIS AND CONFIGURATION MANAGEMENT 3.1 SECURITY ANALYSIS Security analysis is the intellectual core of rating maintenance. Configuration management is the supporting framework that assures an accurate translation of security analysis findings into implemented product changes and evidence of product trust. Security analysis can be viewed as an aspect of configuration management (or configuration control). The present document maintains a distinction between these concepts because for many persons configuration management connotes a set of mechanical procedures rather than a thought process. Security analysis is closely associated with design tasks that would be needed to effect product changes whether or not a product was a trusted system. RAMP not only introduces security as a design consideration but also requires security to be the dominant consideration. RAMP does not permit any compromise of security for the sake of other product design criteria such as performance, cost, and marketability. There can be negotiation among possible ways of implementing security for a given change, but no tradeoff of security features and assurances against other objectives. The dominance of security is always an integral part of security analysis as referenced here. Security analysis draws upon the vendor's full understanding of the function and interrelationships of security features in the product. This understanding is applied in diverse ways that do not permit description of security analysis as a standardized set of procedures. The following paragraphs indicate briefly the activities, issues, and outcomes of security analysis for a typical product. Security analysis starts by establishing the precise nature of all effects of a product change upon the Trusted Computing Base (TCB). (There may or may not be a separate, preliminary screening for the existence of TCB effects; see Section 4.) As defined by the TCSEC, the TCB is the totality of protection mechanisms *including hardware, firmware, and software*that together enforce a security policy. The present document uses a somewhat different definition covering all system elements that support protection mechanisms. The TCB addressed by security analysis and configuration management in RAMP includes system code, tests, associated software tools, test plan documentation, test results, the trusted facility manual, the security features user's guide, and design documentation. (For hardware, the program relies upon functional testing rather than configuration management.) A product change affects the TCB if it: alters code or documentation within the identified TCB boundary; augments the contents of the TCB; or indirectly affects the function of TCB elements. The determination of indirect effects on the TCB is a critical aspect of security analysis. The analysis considers any possibility of effects due to interrelationships among the product's security features. The analysis also acknowledges and assesses cumulative effects involving multiple product changes. (For example, two otherwise acceptable changes may conflict in terms of security because one change assumes conditions that no longer hold, given the other change.) Security analysis can potentially identify many different TCB effects resulting from a proposed change to a single configuration item. Security analysis enters a design mode once all TCB effects are identified and understood. The requirement is then to verify that a proposed change can be implemented without compromising the security features and assurances of the product, or else to remove the change from consideration. The security analysis assures that any change is consistent with approved architectures and does not circumvent defined security policy. The process of addressing these criteria is usually integrated or coordinated with the pursuit of other design objectives, but security is always the paramount concern. Depending upon the nature of the change and the vendor's business practices, this phase of security analysis may or may not extend into code-level product development tasks. (See Section 4.) Security analysis includes checking the adequacy of existing system tests as affected by each proposed change. The analysis modifies existing tests or creates new tests as necessary to maintain the effectiveness of the test suite. The outputs of security analysis include: instructions for implementing changes; recommendations for rejecting other changes; new tests and test documentation; and descriptions of all identified TCB effects, related analytical findings, and design decisions. The RAMP process subjects the conclusions of security analysis to two stages of review and retains all of the above outputs in the configuration management system. Security analysis is also addressed by the RAMP audit function described at the end of this section. 3.2 OVERVIEW OF CONFIGURATION MANAGEMENT Configuration management is a discipline applying technical and administrative direction to: 1) identify and document the functional and physical characteristics of each configuration item for a product; 2) manage all changes to these characteristics; and 3) record and report the status of change processing and implementation. Configuration management involves process monitoring, information capture, quality control, bookkeeping, and an organizational framework to support these activities. The "configuration" being managed is the TCB plus all tools and documentation related to the configuration management process. The overall objectives of configuration management in RAMP are to assure that the findings of security analysis are implemented correctly, and to generate product evidence linking with the evidence established in the evaluation. Configuration management records the "footprint" of the security analysis and controls and documents all subsequent rating maintenance tasks. This involves the central direction of system changes to: 1) maintain the integrity of system information and the standards affecting its accuracy, timeliness, and reliability; 2) ensure that documentation and tests remain congruous with the rest of the system; 3) ensure adequate testing of changes prior to incorporation; 4) maintain the integrity of all system interfaces; and 5) support the objective of security analysis. Many vendors of products rated C1 through B1 already use some form of configuration management before participating in RAMP. The existing procedures can often meet RAMP requirements with few modifications, although fundamental changes are sometimes needed. The RAMP requirements are sufficiently flexible to accommodate substantial variations in vendor business practices. Typically, the greatest deficiencies of existing practices relative to RAMP standards involve security analysis rather than the record-keeping aspects of configuration management. The four major aspects of configuration management are configuration identification, configuration control, configuration status accounting, and configuration auditing. The present section summarizes these activities in conceptual terms. Section 4 then addresses procedural issues in rating maintenance using a representative business model to discuss specific functions needed for RAMP. 3.3 CONFIGURATION IDENTIFICATION Configuration management entails decomposing the TCB into identifiable, understandable, manageable, trackable units known as configuration items (CIs). The decomposition process is called configuration identification. To support RAMP, this process must occur before the initial RM-Plan is completed so that the plan can include the CIs for the original product. The configuration of the evaluated system is thereby established as a baseline for assessing future changes. CIs can vary widely in size, type, and complexity. Although there are no hard-and-fast rules for system decomposition, the granularity of CIs can have great practical importance. Selecting CIs that are too small can impede the audit process by yielding an unmanageable volume of identifying data. Overly large CIs can hinder configuration management by obscuring product changes and interrelationships among changes. A potentially favorable strategy is to designate relatively large CIs for system elements that are not expected to change over the life of the product, and small CIs for elements likely to change. System identification ideally should begin early in the design stage for a product when CIs are most readily established on a logical basis. For example, each CI might be a module of code designed to meet one requirement. Regardless of the strategy for establishing CIs, the granularity of control is defined to be the module level. The process must allow for the possibility that system changes will convert non-CI components into CIs. Vendors in RAMP decompose at least the following system components into CIs and assign a unique identifier to each. 1) Software and firmware components of the baseline (evaluated) TCB. 2) Design and user documentation. 3) Software tests including functional and system integrity tests and associated documentation. 4) Development tools including any configuration management tools. 5) Any tools used for generating current configuration items. 6) Any audit trail reduction tools used in the configuration management context. 7) Any other components of the TCB as broadly defined. Throughout the application of RAMP to product revisions, each change in a configuration item is uniquely identified. The changes of significance for RAMP are any alterations to the TCB since the product evaluation. The date of a CI change is identifiable along with any changes to the related documentation, tests, or development tools. Each change in software source code is separately identifiable, although changes need not be separately stored. 3.4 CONFIGURATION CONTROL Configuration control is a means of assuring that system changes are approved before being implemented, that only the proposed and approved changes are implemented, and that the implementation is complete and correct. This involves strict procedures for proposing, monitoring, and approving system changes and their implementation. Configuration control entails central direction of the change process by corporate functions that coordinate analytical tasks, approve system changes, review the implementation of changes, and supervise other tasks such as documentation. These procedural requirements of RAMP are the primary subject of Section 4. Configuration control involves not only the approval of changes and their implementation but also the updating of all related material to reflect each change. There should be guidelines for creating and maintaining functional test software and documentation throughout the life of the system. The change process should include a phase for test creation and maintenance, with associated updating of documentation. Relevant tests should be performed and evaluated whenever system changes are implemented and/or tests are updated. The vendor must rerun the entire test suite before submitting RAMP evidence to the Center. A vendor's production arrangements may hinder or complicate the process of controlling system change. Hardware and software may be developed by separate groups within the vendor organization, perhaps located at different sites. Code development and integration may occur in different cities, with testing conducted at both locations. Also, a vendor may propose RAMP for a system (layered product) that incorporates another vendor's products. Vendors faced with these difficulties acknowledge the resulting limitations on security analysis and configuration control in their RM-Plans, and establish alternative procedures of equal effectiveness for upholding product trust. A vendor applying RAMP to a layered product demonstrates configuration management cognizance over all parts of the product, including parts manufactured by other vendors. This means that the vendor understands the base product and its changes since evaluation and conducts security analysis of these changes, to the same extent as required by RAMP for an in-house product. (See Section 7.) Some form of collaboration among vendors is thus virtually essential for RAMP coverage of a layered product. A vendor's configuration management system includes policies and procedures for correcting any security bugs identified in the product. Responses to flaws, bugs, and breakdowns of RAMP assurance are discussed in Section 8. 3.5 CONFIGURATION ACCOUNTING Configuration accounting documents the status of configuration control activities and in general provides the information needed to manage a configuration effectively. It allows managers to trace system changes and establish the history of any developmental problems and associated fixes. Configuration accounting also tracks the status of current changes as they move through the configuration control process. Configuration accounting establishes the granularity of recorded information and thus shapes the accuracy and usefulness of the audit function. Configuration accounting should yield answers to questions such as the following. What source code changes were made on a given date? Was a given change security relevant? Why or why not? What were all the changes in a given CI between releases N and N+1? By whom were they made, and why? What other TCB modifications were required by the changes to this CI? Were modifications required in the test set or documentation to accommodate any of these changes? What were all the changes made to support a given change request? The accounting function is able to locate all possible versions of a configuration item and all of the incremental changes involved, thereby deriving the status of that CI at any point in time. The associated records include commentary about the reason for each change and its implications for the TCB. Configuration accounting provides convenient access to such records for use as evidence in the rating maintenance process. In general, the effectiveness of configuration accounting depends upon the quality of system identification and control efforts. 3.6 CONFIGURATION AUDIT Configuration audit is the quality assurance component of configuration management. It involves periodic checks by the vendor to determine the consistency and completeness of accounting information and to verify that all configuration management policies are being followed. (The following subsection identifies when configuration audits occur.) A vendor's configuration management program must be able to sustain a complete configuration audit by a Center aperiodic review team. A configuration auditor should be able to trace a system change from start to finish. The auditor should check that only approved changes have been implemented and that all tests and documentation have been updated concurrently with each implementation to reflect the current status of the system. A configuration audit in RAMP must be conducted by a VSA. 3.7 RAMP AUDIT The RAMP audit process addresses both security analysis and configuration management procedures. The two components of a RAMP audit are a configuration audit as described above and a detailed review of security analysis records for a selection of product changes. The security analysis component involves drawing a random sample of past Service Improvement Requests (SIRs, as described in Section 4) and assessing all the security analysis activities undertaken to meet each request. The objective is to confirm in each case both the adequacy of the analysis and the completeness of the stored records. As already indicated, the RAMP audit is part of the functional testing requirement for a product in RAMP, and the results of the initial audit are reviewed by the Center evaluation team during the product evaluation. This review ensures that the vendor's RAMP process follows the procedures outlined in the vendor's RM-Plan. A vendor's audit program is established clearly in the RM-Plan. The plan describes the frequency of audits and the procedures for assessing configuration management and security analysis practices. The results of all subsequent RAMP audits are reviewed by the Center's TPOC. (See Section 7.) 4. PROCEDURAL ASPECTS OF RAMP 4.1 INTRODUCTION RAMP uses strong procedural controls to assure that rating maintenance actions by vendors do not compromise the product trust established in Center evaluations. On the other hand, overly rigid requirements would be costly and inefficient for some vendors and thus could limit program involvement. The Center reconciles these concerns in RAMP by allowing considerable vendor discretion in the design of configuration management procedures, but requiring meticulous adherence to plans once developed. Rating maintenance procedures are described here using a generic business model. The Center developed this generic model by interviewing numerous vendors and identifying common elements in their business practices. Discussing RAMP in this context serves to: 1) provide a specific illustration of acceptable procedures; 2) establish common names for certain activities and functions; 3) clarify the elements essential for RAMP; and 4) provide a baseline against which alternative approaches can be evaluated. The discussion does not imply that each vendor's product revision process must conform to the generic model. What RAMP requires is that the chosen procedures be no less effective than the generic model in maintaining continuity of assurance and providing evidence of product trust. The following text assigns standard names to various procedural elements and functions (summarized in the glossary). This does not imply that a vendor must create new entities corresponding to the names, if equivalents already exist. The Center requests vendors to utilize the standard names in their RM-Plans and other formal communications as an assistance to the Center in dealing with diverse products and business plans. Vendors should feel no need to alter their internal language, since the VSAs interacting with the Center can readily translate the few terms at issue. 4.2 GENERIC MODEL Figure 3 depicts the generic model of rating maintenance actions in RAMP. The diagram emphasizes configuration control, although configuration identification, accounting, and auditing tasks are no less important. All of the boxes and arrows represent configuration management procedures identified in the Center survey of business practices prior to RAMP. The diagram has been converted to a RAMP description by highlighting two control and approval functions (using dotted lines and decision nodes), and by including commentary on the VSA role. The generic model can be summarized as follows, ignoring momentarily the elements specific to RAMP. Proposed system changes are drawn from a prioritized list of desirable system modifications as described in Section 1. Requests for changes reach the system design group through some mechanism that we call a Service Improvement Request (SIR). Each proposed change receives a preliminary screening for effects on the TCB. A change that clearly does not affect the TCB directly or indirectly enters a design analysis phase addressing product characteristics other than security. (Code-level design of the change may occur in varying proportions at this stage and at the implementation stage.) The design analysis ends with some form of review. A change that affects the TCB, or may affect the TCB, undergoes security analysis in conjunction with design analysis. The analysis and review tasks yield an Engineering Change Order (ECO), which directs the implementation of an approved change. The ECO covers modifications of tests and documentation as well as the system software. Code is written for the change and entered into a working copy of the system for testing. Existing and modified tests are applied as appropriate. The change is then subjected to a final review. Any change that fails to gain acceptance in this final review is removed from the system. If rejection has been caused by an implementation problem, the change may recycle back to the ECO stage. Other changes rejected in the design review or final review are sent back to the beginning of the configuration management process or discarded altogether. Implemented changes that gain final approval are incorporated into the product, and all documentation is updated accordingly. 4.3 ORIGIN OF PRODUCT CHANGES This and the following subsections describe the requirements of RAMP in the context of the generic model. For convenience, the text often references the VSA role as if played by a single person even though multiple VSAs are likely. The system revision process in RAMP starts with an evaluated product (although the first changes may occur while the evaluation is still in progress, or even before the code freeze for the evaluated product). The full configuration management process should be operative as soon as a system is identified, so that all changes relative to the original product can be managed uniformly. The vendor selects changes from the prioritized list of desirable system modifications established during the product development. Financial and marketing factors affect the choice of changes, since these factors influence the revision cycle and the feasible number of modifications per cycle. RAMP requires some equivalent of the Service Improvement Request (SIR) to provide a formal record of all proposed changes entering the analysis and implementation process. 4.4 CONFIGURATION CONTROL BOARD All analytical and design tasks in RAMP should be conducted under the direction of a corporate entity called the Configuration Control Board (CCB). The upper dashed line in Figure 3 encompasses the activities in the generic model that the CCB should supervise. These include: 1) screening of proposed changes for impact on the TCB; 2) security analysis of changes that affect the TCB; 3) associated design analysis and review tasks; 4) approval and disapproval of changes on the basis of product trust; and 5) issuance of instructions for change implementation (ECOs). Central direction by a CCB does not necessarily mean that a vendor must discard other ways of administering configuration management in order to participate in RAMP. The vendor can base the CCB on an existing design supervision group, perhaps joined by other persons when it sits as the CCB, or the vendor can establish the CCB as a forum of representatives from multiple groups involved in product development. The membership of the CCB must include at all times a Center-recognized VSA for the given product. Furthermore, the responsible corporate officer must have the power to veto any CCB approval of a product change. This veto power can derive from inclusion of the responsible corporate officer as a CCB member with special voting rights; from some other explicit provision of the CCB rules, or from the authority vested in the responsible corporate officer by his or her corporate position. The responsible corporate officer is not required to participate in CCB deliberations or decision-making on a routine basis. This arrangement gives the VSA two ways of influencing product changes (over and above contributing to analysis and design tasks). The VSA can influence changes by participating as a full member in the CCB function, and also by notifying the responsible corporate officer that a given change approved by the CCB is unacceptable in terms of RAMP assurance. In essence, the VSA represents security concerns to the CCB, and the responsible corporate officer enforces the dominance of these concerns. The Center holds the vendor accountable for change control through the responsible corporate officer. RAMP requirements for the CCB are summarized as follows: 1) The CCB operates at all times in accordance with the vendor's RM-Plan. 2) No product change can be implemented without approval by the CCB. 3) The CCB has authority over all analysis, design, and review tasks from the receipt of SIRs through the issuance of ECOs. 4) The CCB has access to all information used in, and generated by, the activities under its purview. 5) The VSA (or a VSA) is a CCB member with all of the rights, powers, and information access possessed by other members. 6) The responsible corporate officer has the power to veto any CCB approval of a product change. Changes vetoed by the responsible corporate officer are disposed in the same fashion as changes disapproved by the CCB. There are no restrictions upon CCB procedures for reaching decisions, but the Center encourages using the CCB as a forum for deliberations that can be recorded as RAMP evidence. The CCB ideally functions as a central source of "security wisdom" as well as program oversight. 4.5 COMPLIANCE WITH THE TCSEC AND CRITERIA INTERPRETATIONS The preliminary screening of proposed changes for effects on the TCB is an optional feature of the generic model, although some arrangement of this nature is probably necessary for efficiency. A nonoptional feature of the model is that the changes that bypass preliminary screening are routed through the subsequent phases of the change control process (i.e., EACH CHANGE MODEL MUST CONTAIN SOME TYPE OF CONFIGURATION REVIEW). Retention of these changes in the process allows the reviews by the CCB and Configuration Review Board (CRB) to verify the absence of any direct or indirect effects on the TCB. Section 3 has already described the scope and responsibilities of security analysis. This task must determine that a proposed change upholds the security features and assurances of the product in compliance with the TCSEC and the Criteria interpretations. The outcome for each change is evidence that links with product evidence from the evaluation. Security analysis may require intensive problem-solving efforts in establishing TCB effects, designing changes, and developing appropriate tests. The fundamental requirement of RAMP is dominance of security over other design considerations. The Center periodically issues Criteria interpretations to clarify the application of the TCSEC. An important issue in RAMP is the time that is allowed to elapse between the issuance of an interpretation and the compliance of a product release (and all subsequent releases) with this interpretation. The reasonable maximum time is related to the length of a product's revision cycle (e.g., three months, six months), but it cannot be linked rigidly to the revision cycle without creating excessive difficulties for fast-cycling products and excessive slack for slow-cycling products. The Center recommendation is that each product release in RAMP should comply with all Criteria interpretations for which at least one of the following conditions is true: 1) The interpretation was issued prior to the EPL listing for the previous release of the given product. 2) The interpretation was issued at least one calendar year prior to the submission of a Rating Maintenance Report (RMR) for the release in question. 3) The interpretation is accompanied by an effective date, which precedes the RMR submission date for the release in question. This policy would give vendors a grace period of one revision cycle within which to comply with an interpretation, unless the revision cycle is longer than one year or unless the interpretation has an effective date that overrides the grace period. The Center cites an effective date if rapid compliance with an interpretation is considered especially critical. Each vendor proposes a policy for complying with Criteria interpretations when submitting an RM-Plan for Center approval. (See Section 7.) The approved policy becomes a plan element that must be followed rigorously throughout the RAMP process. The need to comply with interpretations issued after the product evaluation can mandate design analysis and even product changes that have nothing to do with service improvements desired by the vendor. It is unlikely but possible that an interpretation will terminate rating maintenance for a product and necessitate a reevaluation. Because the interpretations issued during one revision cycle for a product typically do not apply until the next cycle, the Center can usually indicate in advance whether or not a given interpretation will affect the continued use of RAMP. The VSA has responsibility, however, for keeping abreast of interpretations and assessing their impacts on the product. Criteria interpretations do not apply retroactively, so that product ratings established through RAMP are not withdrawn because of subsequent interpretations. 4.6 ENGINEERING CHANGE ORDERS An approved system change is implemented through an ECO or a set of ECOs. An ECO tells the maintenance establishment what must be done to the code, the documentation, and other elements of the system to implement the change. The generic model shown in Figure 3 assumes that an ECO contains instructions in relatively high-level language, but code-level directives are also possible. Vendors can determine the format and content of ECOs subject to the following general requirements. In the generic model: 1) The ECO provides an orderly mechanism to propagate change across the system and assure synchronization, connectivity, and continuity of alterations. 2) The preparation of ECOs is under CCB control. 3) No system change of any kind can occur without direction by an ECO. 4) Each ECO retains the identities of the initiating SIR and any other SIRs or ECOs occasioned by the initiating SIR. 5) ECOs are retained as evidence for rating maintenance and should have a form suitable for record-keeping purposes. RAMP assigns considerable importance to the ECO as part of the trail of product evidence. The vendor should establish the granularity of ECOs so that they provide convenient reporting units throughout rating maintenance. As discussed in Section 6, the RMR describes system changes at the ECO level. 4.7 IMPLEMENTATION, TESTING, AND FINAL REVIEW The lower portion of Figure 3 describes the general process of implementing and testing a system change. The tests must verify that the implemented change preserves the function of security features and the assurance of correct feature operation. Testing and test development should be conducted independently from the implementation of changes as a check on the latter process. (Separation of functions as practiced by accountants can provide a useful safeguard in other areas of rating maintenance as well, subject to RAMP requirements for overall coordination and control.) The reference to testing in Figure 3 covers both functional security tests and performance tests, but only security tests contribute to RAMP evidence. The results of implementing and testing each change are assembled for a final review before the change is incorporated into the product. An entity called the Configuration Review Board (CRB) carries out this review. The CRB membership should include a Center-recognized VSA (not necessarily the same VSA belonging to the CCB). The VSA should have all of the information access and influence over CRB decisions possessed by any other CRB member. The CRB can have the same overall membership as the CCB or can be an independent quality assurance group. The final review by the CRB provides closure on each ECO by verifying that every aspect of the approved change was implemented correctly and that no other alterations were made. There should also be a reassessment of test results and system assurances to confirm that system trust has been upheld. The CRB then decides whether or not to accept a given change as part of the product. Rejected changes are removed from the system and disposed in the manner discussed above. The process ends for an accepted change with final incorporation and documentation tasks. 4.8 COLLECTION OF RAMP EVIDENCE General suggestions of configuration accounting and auditing have been indicated in the previous section. The configuration management system should include numerous checks to assure that all relevant information is recorded and that documentation is updated fully to reflect each product change. As the custodian of RAMP evidence, the VSA must remain in close touch with all documentation tasks and should be able to influence the execution of these tasks. A vendor with a functioning configuration management system prior to RAMP may choose to record some RAMP evidence externally in order to avoid overloading the system. For each product change, RAMP evidence will include the following commentary: the SIR from which the change originated; the procedures and arguments used in establishing TCB effects; the issues and conclusions of the security analysis; the ECOs generated for the change; and the completion status of ECOs. The vendor must be able to perform line-by-line code comparisons with pointers back to the ECOs causing specific modifications. The commentary on tests should include descriptions of new and modified tests, with stated reasons for the alterations and pointers to the test results. 4.9 VSA ROLE The required duties of a VSA are suggested by the items on the right-hand side of Figure 3. The VSA is the focus of security wisdom in RAMP. The VSA (or VSAs) tracks the entire rating maintenance process and understands product changes in sufficient depth to verify the adequacy of security analysis and configuration control procedures. The VSA represents the Center concerns to the CCB and CRB, and assures that these functions are operating effectively to maintain product trust. The VSA is custodian of all RAMP evidence, meaning that the VSA monitors the accumulation of evidence and has sufficient resources to assure its accuracy, completeness, and accessibility. The VSA has direct responsibility for proposing and managing revisions to the RM-Plan. The VSA performs or supervises the RAMP audit function and the preparation of all materials for submission to the Center. Lastly, the VSA is the vendor contact for all technical communication with the Center. Section 2 has addressed the subjects of VSA training, VSA recognition by the Center, establishment of VSA credibility, and multiple-VSA approaches. At least one Center-recognized VSA must be representing the product at any time that rating maintenance actions are underway. A vendor using multiple VSAs must designate a lead VSA and must maintain an accurate description of VSA responsibilities in the RM-Plan at all times. Communications between VSAs and the Center are discussed in the next section. PROGRAM REVIEWS, COORDINATION, AND ADMINISTRATION 5. PROGRAM REVIEWS, COORDINATION, AND ADMINISTRATION 5.1 PROGRAM REVIEWS Two types of program review occur during the RAMP cycle between submissions of product evidence. An interim review takes place following each vendor RAMP audit. Aperiodic reviews occur irregularly throughout an application of RAMP on an average of less than one review per cycle. An aperiodic review is always conducted by a Center review team at the vendor's site (or multiple sites if applicable). Interim reviews may or may not occur on-site. As noted in Section 1, the first interim review for a product in RAMP occurs following the vendor's RAMP audit performed in preparation for the product testing TRB session. Both types of review have the general purpose of establishing VSA credibility and confirming process assurance in RAMP. The reviews serve the common interest of vendors and the Center in identifying problems as early as possible so that the vendor can make corrections with minimum impact upon rating maintenance and product evolution. Review teams examine the evidence accumulation process and scrutinize records such as SIRs, ECOs, test results, and reports on CCB and CRB proceedings. VSAs are questioned about RAMP procedures and may be required to trace the course of events for specific product changes. The vendor must have the ability to perform a line-by-line code comparison for any two points in time and to sustain a RAMP audit by a Center review team. Program reviews are also an occasion for assessing the adequacy of the vendor's RM-Plan, and may lead to RM-Plan modifications. 5.2 INTERIM REVIEWS Interim reviews and aperiodic reviews differ somewhat in emphasis. An interim review has a procedural focus, addressing the credibility of the configuration management process and its adherence to the RM-Plan. An aperiodic review covers much of the same ground but includes an in-depth examination of the vendor's ability to conduct security analysis. The subjects of investigation include the procedures for generating SIRs and ECOs, the adherence to established security analysis and design analysis policies, the exercise of central control by the CCB, the effectiveness of the CCB and CRB review functions, the adequacy of test development and documentation procedures, and all aspects of the configuration accounting system. The interim review team verifies that all product changes are controlled uniformly, that security concerns have precedence over other development objectives, and that sufficient evidence is accumulating to support process assurance. Interim reviews focus strongly upon the credibility of each VSA as a representative of the vendor's RAMP process. The first interim review for a VSA is a critical milestone in the establishment of VSA credibility. All VSAs demonstrate to the interim review team a broad knowledge of security-related policies, issues, and practices for the given product, and an ability to apply the TCSEC in concrete situations. The interim review verifies that the VSA (or group of VSAs) is tracking every aspect of the configuration management process and is participating sufficiently in each task to understand the major issues and decisions for every product change. 5.3 APERIODIC REVIEWS An aperiodic review constitutes an assurance checkpoint in a vendor's RAMP program. Vendors receive no information about the timing of aperiodic reviews other than sufficient advance notice to allow an orderly review process (i.e., a few days). Vendors designate one point of contact per RAMP activity site to be notified in case of an aperiodic review. An aperiodic review examines in detail the soundness of a vendor's decisions and the adequacy of product evidence to support the assertions of product trust contained in Rating Maintenance Reports and other VSA statements. An objective in some cases is to determine the reasons for problems already identified. The review team may select several recent product changes and trace the entire sequence of events leading to the implementation of each, with particular emphasis upon the thoroughness and accuracy of security analysis. This process examines the vendor's analytical competence and sensitivity to security issues as well as the effectiveness of configuration control and configuration accounting procedures. The aperiodic review team looks for trust violations consisting of: insufficient understanding and application of computer security principles; failure to give top priority to security concerns; errors in security analysis and product testing; failure to follow the RM-Plan; and failure to report all relevant actions and circumstances as product evidence. If an aperiodic review identifies a security flaw in the product or a breakdown of process assurance, the Center reserves the option of withdrawing EPL status from the affected version of the product and all subsequent versions. (See Section 8.) 5.4 PROGRAM COMMUNICATION AND COORDINATION There is a designated Center Technical Point of Contact (TPOC) for each product in RAMP. The TPOC tracks the rating maintenance process from the planning phase onward and coordinates all technical interchange between the vendor and the Center. The TPOC is the vendor's entry into the Center for the resolution of computer security issues and concerns. The TPOC assesses VSA performance and other aspects of the program, particularly during the first RAMP cycle but does not directly supervise vendor activities. There is also a Center Business Point of Contact (BPOC). The BPOC carries out administrative functions in RAMP such as: making programmatic decisions; planning the use of Center resources; providing a conduit for official documentation; and notifying the vendor of rating determinations. Section 2 has discussed the general duties and responsibilities of the vendor's responsible corporate officer. The responsible corporate officer administers the RAMP program and is the vendor's point of accountability to the Center. The responsible corporate officer is a person empowered to make financial commitments on behalf of the program; maintain a favorable corporate context for its execution; and limit product changes as necessary for protection of RAMP assurance. The responsible corporate officer assumes full responsibility for the contents of each Rating Maintenance Report. Figure 4 shows the lines of communication in RAMP between the TPOC, BPOC, responsible corporate officer and VSA(s). All interactions on administrative matters are routed between the BPOC and the responsible corporate officer. All technical communication passes through the TPOC, with two exceptions. These exceptions are on-site reviews and VSA interactions with the TRB when defending an RMR. The Center requires the vendor to designate a lead VSA in multiple-VSA situations primarily to facilitate orderly communications. The lead VSA should conduct most technical interactions with the Center (possibly excluding on-site reviews and RMR presentations), and should receive copies of any written documents passing between the vendor and the Center. In some cases the TPOC may require that all technical communication be routed through the lead VSA. The lead VSA will provide quarterly, informal status reports to the TPOC (via the Dockmaster system mentioned below). These reports are intended to keep the Center apprised of the vendor's rating maintenance activities. The Center discourages excessive vendor reliance upon the TPOC as a program advisor. The TPOC apprises the vendor of important developments in the computer security field and is available for consultation on major issues. This does not relieve the vendor of responsibility for keeping abreast of developments through other means (such as the Dockmaster system mentioned below) and exercising security wisdom independently of the Center. Vendors are discouraged from attempting to pass program responsibility back to the Center by submitting routine decisions to the TPOC. The success of RAMP depends upon a vendor's own security analysis capability and willingness to be held accountable for actions affecting the product. All vendors participating in RAMP must provide for VSA access to the Center's Dockmaster information system by the time VSA training begins. Dockmaster is a Honeywell MULTICS system used by the evaluation community for electronic mail, electronic meetings, forums, queries, and other functions. A RAMP vendor must be prepared to communicate with the TPOC via Dockmaster and to use the system as a general information source. 6. PRESENTATION AND REVIEW OF EVIDENCE 6.1 INTRODUCTION A vendor in RAMP preserves security features and assurances of a product through security analysis and configuration management. The documentation of this process in a body of evidence linking to the evaluation yields RAMP assurance of product trust. Because the process is subject to strong procedural controls*the RM-Plan, on-site reviews, and VSA training*the Center can extend the product rating to each new release without performing a full reevaluation or a lengthy assessment of all product evidence. Rating approvals are based upon a moderately detailed summary of evidence and a face-to-face presentation of this material by the vendor to the Center. The Center reserves the right to request additional evidence as necessary. The vendor prepares the summary of evidence in the form of a Rating Maintenance Report (RMR). The vendor can submit the RMR to the Center at any time after all changes have ended for the product version in question. Delays can be minimized by preparing much of the RMR while the product is being revised, i.e., by summarizing the evidence as it accumulates. The following are the major steps leading to a rating approval and EPL listing for a revised product. These steps are discussed at greater length following the description of the RMR. 1) Vendor submits RMR and other materials to TPOC. 2) TPOC circulates RMR to Center evaluators for review. 3) TPOC forwards RMR and supporting materials to Technical Review Board (TRB). 4) TRB reviews RMR and issues comments to vendor (through TPOC). 5) VSA or VSAs defend RMR before TRB. 6) TRB makes recommendations on rating maintenance to Chief of Center Product Evaluation Division. 7) Chief of Product Evaluation Division approves or disapproves product rating. 8) Revised approved product receives EPL listing. Steps 1 and 2 may iterate until the TPOC is satisfied with the level of detail of the RMR. Only a short time should elapse between steps 3 and 8 if the vendor has properly satisfied the RAMP requirements (summarized in Appendix A) and has a well-executed RAMP process (defined by the vendor's RM-Plan) with adequate VSA credibility. Thus, efficient preparation of the RMR and supporting materials can lead to an EPL listing at roughly the same time that the new product version is released. 6.2 RATING MAINTENANCE REPORT The RMR summarizes product evidence at a level of detail intermediate between the information that would be required to conduct an evaluation and the information typically contained in a Final Evaluation Report. The RMR asserts that product trust has been upheld and includes sufficient commentary to allow an understanding of individual product changes. Figure 5 presents a suggested outline for an RMR. The Center does not impose a standard format on these documents but requires coverage of all the listed items. The major components are a cover letter, a description of the system configuration, a section on Criteria interpretations, a discussion of each product change at the ECO level, and a future change analysis. The cover letter identifies the product and describes its history of rating maintenance. The cover letter must be signed by the responsible corporate officer and all recognized VSAs. It affirms that the responsible corporate officer: 1) has reviewed the RMR; 2) assumes full responsibility for the RMR contents; and 3) acknowledges responsibility for the sincere and conscientious execution of all rating maintenance actions. The first report section gives a complete overview of the system configuration and its changes since the product evaluation. Much of this material can often be carried forward from earlier documents. General discussion of RAMP policies and procedures can appear either here or in a separate section. The second section discusses the significance of all Criteria interpretations applying to the given product release. (The vendor's policy with regard to interpretations is discussed in Section 4 and Section 7.) The items in the third section of the suggested RMR outline are repeated for each product change. RAMP defines an individual change in this context as an Engineering Change Order (ECO) that has been implemented. Figure 5 assumes a classification of ECOs according to product module and configuration item. (The classification may vary if ECOs overlap configuration items.) Discussions can be pooled and cross-referenced in cases where several ECOs have been used to achieve a common purpose, but the RMR should list each ECO individually. The last lines in the third section of the RMR outline suggest the topics requiring mention in the evidence summary for an ECO affecting the TCB. Very little discussion is necessary for other ECOs*one or two sentences as compared with at least a paragraph for each ECO having TCB impact. (These two categories of ECOs may be segregated in the RMR.) The appropriate depth of discussion for an ECO affecting the TCB depends upon the sensitivity of relevant security mechanisms and assurances and upon the complexity of the security analysis. The fourth section of the RMR as outlined in Figure 5 is a discussion of probable changes in the product beyond the current version. The Center uses this future change analysis to assess the future applicability of RAMP to the product (as discussed below). The Center requests vendors to describe the major product changes anticipated for the next two release cycles or the next 18 months, whichever period is greater. A failure to provide this information increases the vendor's risk of discovering suddenly that RAMP is no longer feasible and the product is no longer eligible to participate in RAMP. In order to be placed on the EPL, the product must then be reevaluated. Figure 5. Suggested Rating Maintenance Report Outline COVER LETTER Identification of the new product version, the evaluated product, and any intervening product releases. Identification of the product rating established in the evaluation and maintained through the previous release. Serial numbers of the Final Evaluation Report (FER), any revised versions of the FER, and the RMR for the most recently maintained release. Assertion that the new release maintains the product rating. Responsible corporate officer warranty of document contents. Signatures of the responsible corporate officer and all Center-recognized VSAs. SECTION 1: SYSTEM CONFIGURATION Listing of the hardware/software configuration for the evaluated product (original TCB by module). Rationale for system decomposition into configuration items. Updated listing of the configuration, noting changes: List of hardware contained in the secure configuration. List of TCB software modules, noting any modules that have been changed and the file length (lines of code) of each module. Rationale for determining effects on the TCB of product changes, with pointers to specific changes itemized in Section 3. SECTION 2: CRITERIA INTERPRETATIONS List of all Criteria interpretations applying to this product release. Comments on the significance of each interpretation for the product as revised. Pointers to discussions in Section 3 of product changes made because of specific Criteria interpretations. SECTION 3: PRODUCT CHANGES AND EVIDENCE OF SYSTEM TRUST Name of module or document changed. ID number(s) of configuration item(s) changed. Engineering Change Order (ECO) number. Description of change: Functional description. Description of user-visible effects. Classification of change according to effects on the TCB (yes or no). Evidence of product trust (if change affects the TCB): Explanation of relevant Criteria and interpretations. Relevant TCB mechanisms and assurances. Design issues, alternatives, and solutions. Tests and test modifications if any. Summary of test results. Pointers to system and test documentation. Pointers to specific code-level changes. SECTION 4: FUTURE CHANGE ANALYSIS Expected product changes in next revision cycle. Expected product changes in second revision cycle. Later evolution of product.] 6.3 OTHER SUBMISSION MATERIALS The materials submitted concurrently by the vendor to achieve rating maintenance include several items in addition to the RMR. The overall package is as follows. · RATING MAINTENANCE REPORT (RMR) · · RM-PLAN(S) WITH CHANGE BARS · · FINAL EVALUATION REPORT (FER) WITH CHANGE BARS · · FINAL EVALUATION REPORT WITH INTEGRATED CHANGES · · PROPOSED PRODUCT DESCRIPTION FOR EPL · As discussed elsewhere, RM-Plans often change during a rating maintenance cycle because of procedural refinements and changes in VSA responsibilities. The Center is always aware of changes and always possesses a current version of the RM-Plan, because changes cannot be effected without Center approval. The vendor's submission package at the end of a rating maintenance cycle includes an additional copy of the RM-Plan with change bars showing every alteration relative to the plan that was in force at the end of the previous cycle (i.e., when the previous RMR was submitted). This document must show the date on which each RM-Plan change was approved by the Center. Its purpose is to assist review of the vendor's program by the TRB. (A general principle of the rating approval process is that the vendor should not assume a TRB "memory.") The vendor may also choose to include a separate document consisting of a proposed RM-Plan for the next revision cycle. Submitting proposed RM-Plan changes at this time facilitates Center approval and serves the Center objective of confining most plan alterations to the beginning of a cycle. The submission package includes a copy of the Final Evaluation Report (FER) for the initial evaluated product, with change bars converting the FER to a description of the current release. The vendor also provides a copy of the FER with these changes integrated into the text. The latter document is called a RAMP FER to distinguish it from the direct output of a Center evaluation. The remaining document submitted with the RMR is a brief description of the revised product for use by the Center in publishing an EPL listing if the new version maintains the product rating. This and the RAMP FER are the only program documents intended for public release. 6.4 REVIEW AND DEFENSE OF RMR The TPOC receives the RMR and associated materials from the vendor and forwards these documents to Center evaluators for review. A primary objective is to prepare the VSAs for examination by the TRB. The reviewers point out areas of the RMR that are deficient or likely to receive special TRB attention. The VSAs respond by revising the RMR and/or assembling supplementary evidence for the product defense. The TPOC then submits the RMR and related materials to the TRB. After examining the RMR, the TRB may transmit written comments to the VSAs (through the TPOC), which establish a partial agenda for the VSAs' oral presentation and defense. All Center-recognized VSAs should be prepared to meet face-to-face with the TRB and discuss the aspects of RAMP for which they have been responsible. The TRB will expect the VSAs to present a thorough technical overview of changes to the product TCB and the security analysis of those changes, thus demonstrating continuity of function and retention of assurance. When new VSAs are involved, the face-to-face examination is strongly concerned with establishing VSA credibility. The TRB questions each new VSA in depth about the nature of the product as well as about rating maintenance procedures and individual changes. The TRB will focus upon changes which raise complex security questions, or which are not fully understandable from the RMR description, or which provide a good context for detailed examination of procedures. The responsible VSA first describes the change and answers questions on the basis of memory and supplementary information brought to the session. If these responses are inadequate, the TRB requests additional evidence. The TRB subsequently issues a recommendation to the Chief of the Product Evaluation Division stating that product trust has or has not been maintained by the current product version at the level established by evaluation. If the product does not sustain its rating, the vendor may or may not be given the option of reconstructing the RAMP process in some fashion and returning for another TRB review. The given RAMP cycle ends with a rating determination by the Chief of the Product Evaluation Division and, if the determination is favorable, a listing of the new release in the EPL. 6.5 FUTURE APPLICABILITY OF RAMP RAMP applicability is limited. If product revisions fundamentally alter security mechanisms and assurances, the result from a security standpoint is a new product requiring evaluation to qualify as a trusted system. At the start of RAMP, the Center verifies the potential applicability of the program to the initial revisions of the product before approving the vendor's RM-Plan. The RMR review at the end of each cycle is the occasion for later forecasts of RAMP applicability. These forecasts of future RAMP applicability are an integral part of the trusted products partnership established between the Center and the vendor. The Center uses the information in the vendor's future change analysis to estimate (if possible) the point at which RAMP will no longer be viable and the product cannot be placed on the EPL without a reevaluation. This point can result from cumulative changes as well as from especially significant changes in any one revision cycle. The Center criteria for RAMP applicability cannot be summarized conveniently here. The extremes are that most changes in system architecture are not coverable by RAMP, whereas product changes that do not affect the identified TCB directly or indirectly can always be covered. The Center has designed RAMP with the intention of giving vendors at least one cycle's advance notice of the need for a product reevaluation. (Hence the request for information in the future change analysis describing at least two cycles.) The degree of certainty expressible by a RAMP forecast is governed, in large measure, by the level of detail, completeness, and the schedule provided in the future change analysis by the vendor. Notifying the vendor that RAMP can proceed for another revision cycle does not commit the Center to approve rating maintenance for that cycle when completed, and a forecast of RAMP applicability for a later cycle may be changed as that cycle approaches. The Center reserves the right to deny a rating and/or discontinue a RAMP process at any time. When forecasting RAMP applicability for a product, the Center addresses any expected difficulty in complying with recent or prospective Criteria interpretations that do not apply to the current product version. As discussed in Section 4, Criteria interpretations can affect the use of RAMP irrespective of the nature of product changes. 7. RATING MAINTENANCE PLAN 7.1 INTRODUCTION Strict adherence to a comprehensive RM-Plan is one of the most important program controls in RAMP. The RM-Plan is the vendor's document, tailored to the product in question and to the company's business practices and personnel. The plan and any proposed changes must be approved by the Center and must describe accurately throughout product maintenance what the vendor is doing to the product and what evidence is being recorded. A vendor starting a new RAMP process should commence preparation of an RM-Plan during or immediately after VSA training. No rating maintenance actions on the product can occur until an approved RM-Plan is in place, which means that delays in program planning can slow the startup of product revisions. Vendors should develop a new RM-Plan by building upon rather than rejecting previous practices. The Center encourages this approach in order to minimize the chances of conflict and inefficiency in RAMP. Also, the vendor should not attempt to resolve every issue and establish an ideal plan before submitting a draft to the Center for review. A period of consultation between the vendor and the Center is usually necessary to arrive at a mutually acceptable RM-Plan. In plan development as in later phases of RAMP, the Center is eager to help vendors who approach the process constructively. A vendor initiates the RM-Plan approval process by submitting a new or revised plan to the TPOC. The TPOC coordinates the Center review and issues an approval when the plan is judged to comply with RAMP requirements. The TPOC will document approvals of new or revised RM-Plans and changes to existing plans via the Center's Dockmaster system. A vendor may wish to change an existing RM-Plan in order to improve the rating maintenance process or alter VSA responsibilities. There are no fixed limitations on changing an RM-Plan, but the Center urges vendors to minimize the total number of changes and to confine change requests to the beginning of each rating maintenance cycle. A change request includes a copy of relevant sections of the RM-Plan with all proposed changes shown by change bars, plus a copy of the entire plan with the changes integrated into the text. The latter becomes the operative RM-Plan when approval is granted. All RM-Plan changes must receive Center approval regardless of their nature. On receiving a change request, the TPOC determines the scope of the Center review based upon the magnitude and implications of the proposed change(s). The TPOC can grant immediate approval of a change that is very minor or unavoidable (such as a reassignment of program responsibilities due to loss of a VSA). In all cases, however, the old RM-Plan remains in force until the change is approved and documented on the Center's Dockmaster system. RM-Plans are intended to be current but not release-specific. This distinction becomes relevant when successive product releases overlap in terms of development, i.e., when work starts on version N+1 before the code freeze for version N. In such cases, a single RM-Plan describes the vendor's RAMP process for all work on the product. The RM-Plan may reference specific product versions when describing VSA responsibilities, thus creating a need to update the plan periodically; but this is similar to cases in which VSA assignments are based upon specific product changes or other transient factors. The single-plan format applies unless there is a branching of the product, i.e., a situation in which version N includes changes that are not contained in version N+1, as well as vice versa. If the Center allows RAMP coverage of both branches, the vendor must maintain a separate RM-Plan for each. 7.2 OVERVIEW OF RM-PLAN CONTENTS The RM-Plan tells how the vendor will accomplish all the tasks and achieve all the results described previously in sections 3, 4, and 6. The RM-Plan cannot state exhaustively how security analysis will be conducted and cannot guarantee that errors will never occur. However, the plan describes the vendor's procedures and safeguards in sufficient detail to constitute an essential part of RAMP assurance. While the format of individual RM-Plans may vary, a vendor's RM-Plan must address the following topics. Each of these topics is discussed in the subsections that follow. A. The product and its configuration. B. Security analysis. C. Configuration control. D. Collection and verification of evidence (configuration accounting and RAMP auditing). E. Compliance with Criteria interpretations. F. Presentation and defense of security analysis and product evidence. G. VSA responsibilities and program administration. H. Vendor response to failures. I. Numbering and retirement of product versions. J. Management of the RM-Plan. 7.3 THE PRODUCT AND ITS CONFIGURATION An RM-Plan must begin with a description of the rated product and all its components. This description should address all elements of the TCB in specific terms. It should also cover business aspects of the product such as control over the distribution of documentation. The RM-Plan describes how configuration identification has been performed. The plan should discuss the vendor's approach and objectives in decomposing the system, and should describe system elements in sufficient detail to show compliance with the configuration identification requirements listed in Section 3. There should be commentary on any special implications of the system identification for configuration control. The plan specifies the naming conventions used for configuration items (CIs) and for changes to CIs. Policies regarding the creation of new CIs for revised products should also be discussed. A startup RM-Plan includes a development process timetable, indicating when submissions of evidence are anticipated, and a future change analysis discussing the expected evolution of the product. As in the RMR for a completed RAMP cycle, the future change analysis should cover at least the first two cycles or 18 months of RAMP, whichever is longer. The Center assesses the expected changes and expresses a judgment by way of the RM-Plan approval that the product rating can probably be maintained through the initial revisions. 7.4 SECURITY ANALYSIS The RM-Plan states the vendor's policies and procedures for security analysis in as much detail as possible. It describes security analysis and related design activity on a task-by-task basis, from identifying TCB effects through developing new tests and reporting on the acceptability of changes. The plan should demonstrate clearly that the vendor understands and adheres to the concept of security dominance in product development. This part of the RM-Plan may or may not be integrated with discussion of the vendor's configuration control system, which covers the overall structure of change control and the participation of corporate groups in this process. The RM-Plan must describe the steps taken by the vendor in assessing the effects of product changes on the TCB. This description covers methods of establishing indirect TCB effects as well as effects due to interrelationships among security features. The plan should reference any generic procedures used such as regression testing. There should be clearly stated arrangements for identifying any cumulative effects due to multiple product changes and/or collateral modifications entailed by changes. These arrangements are especially critical when security analysis and system design tasks are spread among several operating groups. The RM-Plan then describes the principles and procedures followed by the vendor in establishing acceptable designs for product changes and determining when changes cannot be implemented for security reasons. If no single description of this process is adequate, the plan can reference various categories of product changes and show how the process operates for each. There should be explicit discussion of the relationships between security analysis and the pursuit of other design objectives. A section of the RM-Plan must address the development and application of system tests as an element of security analysis. This discussion covers: the vendor's general testing policies; the determination of test adequacy as affected by product changes; the guidelines followed when modifying or creating tests; and the vendor's procedures for updating the test plan on the basis of security analysis findings. The RM-Plan summarizes the vendor's criteria and methods for concluding that a change is or is not acceptable under the TCSEC and describes how these conclusions are documented and forwarded for Configuration Control Board (CCB) review. The plan must demonstrate that the security analysis yields adequate RAMP evidence in the form of recorded analytical findings and support for all decisions affecting the product. 7.5 CONFIGURATION CONTROL As established in Section 3, configuration management is the framework for reviewing, implementing, and documenting the conclusions of security analysis. The portion of the RM-Plan on configuration control presents the vendor's business plan for accomplishing these objectives. A vendor developing a startup RM-Plan may find it convenient to work incrementally from existing practices. First, the vendor's existing configuration management system is modeled and evaluated against the conceptual requirements of RAMP discussed here in Section 3. The vendor revises the model by identifying needed elements and finding the most harmonious ways of including these elements within the present business context. The vendor then evaluates the revised model against the procedural requirements and VSA responsibilities outlined in Section 4. Functional equivalents of the SIR, ECO, CCB, and CRB are identified. If there is no full equivalent for one of these entities*e.g., no central authority that can be designated as the CCB*the vendor overcomes the deficiency by building upon present functions with as little disruption as possible. Similarly, the vendor seeks to identify persons who can serve effectively as VSAs in their present corporate positions (and who are qualified and available for VSA training). Only if such persons are unavailable does the vendor consider restructuring groups and reassigning personnel to achieve adequate VSA involvement. The RM-Plan must present a unified discussion of configuration control centering upon the vendor's business model as revised. The discussion should trace the course of events for a product change from its entry into the RAMP process as a SIR through its final approval and incorporation. The plan should explain the preliminary screening of changes for TCB effects, if conducted as a separate task, and describe the vendor's safeguards against incorrect categorization of changes. The plan shows how product changes that lack TCB effects are routed through the various design and implementation steps and change reviews. The RM-Plan then presents the detailed discussion of security analysis for changes affecting the TCB, if this discussion has not already been provided. The vendor indicates which operating groups conduct the security analysis and to what extent the VSA or VSAs participate in each aspect. (Coverage of the VSA role by the RM-Plan is discussed further below.) The RM-Plan should describe in specific terms how the CCB will coordinate the security and design analyses and will review system changes. The discussion addresses the composition of the CCB, the lines of authority among its members, the nature of its deliberations, and the manner in which the CCB assures security dominance in the product development process. Other topics are the power of the CCB to influence security analysis, the quality control steps involved in CCB review, the ability of the CCB to request additional information, and the disposition of product changes that fail to receive CCB approval. The RM-Plan should describe VSA membership and participation in the CCB, and the ability of the responsible corporate officer to veto a CCB approval when requested by the VSA. The RM-Plan should discuss the manner in which ECOs are generated and what they contain. The relevant data include: who prepares ECOs; the granularity of ECOs; the conditions under which multiple ECOs are used to effect a given change; the level of detail at which ECOs direct implementation tasks; the instructions in ECOs for testing implemented changes; any quality control procedures for ECOs; and the manner in which the CCB controls the production of ECOs. The RM-Plan should also indicate the role of ECOs in the vendor's record-keeping system. The RM-Plan describes the vendor's procedures for assuring that all approved changes are implemented correctly and that only these changes are made. The plan should discuss the structure of the implementation and testing groups, indicating the degree to which the testing function is conducted independently. The description of testing procedures should mention interactions with the design group (outside the ECO process) on the subjects of test adequacy, test development, and test results. The plan should also summarize briefly the management of the system code, e.g., the use of working copies to implement and test changes. The RM-Plan must specify the nature and operation of the Configuration Review Board (CRB) as described above for the CCB. The plan then discusses the final review process in terms of: the information delivered to the CRB on each implemented change; the quality control procedures utilized by the CRB to assure that the implementation is correct; the means of verifying that no system modifications have occurred other than the approved change; and the CRB policies for granting final approval or disapproval. Any exceptions to the review process should be noted. The RM-Plan describes the removal of disapproved changes from the product and the policies for returning such changes to an earlier stage of assessment. The RM-Plan must acknowledge any special limits upon configuration control. For example, if the vendor's product development activities take place at more than one site, the RM-Plan states what aspects of RAMP occur at each site and how central coordination is achieved. RM-Plans for layered products must describe specifically how the vendor will deal with the involvement of more than one company in producing the product. There is no compromise in the required level of RAMP assurance to accommodate layered products. The vendor demonstrates full configuration management cognizance, meaning that the vendor has evidence on the base product and its evolution comparable to the evidence required by RAMP for an in-house product. The vendor's RM-Plan describes in detail how this evidence is obtained, covering the nature of security analysis and the existence of any cooperative arrangements among producers. 7.6 COLLECTION OF RAMP EVIDENCE The RAMP process essentially yields three categories of product evidence: 1) the findings of security analysis, with support for all conclusions from that analysis; 2) the records from configuration control of the design phase, from SIR receipt through CCB review and ECO issuance; and 3) the configuration control records for the implementation phase, covering test results, test documentation, and verification of changes by the CRB. Ideally, there should be a unified configuration accounting system that embraces all of this information. Vendors entering RAMP may find, however, that the first category of evidence overloads existing configuration accounting systems because of the extensive commentary on security analysis findings and decisions. An acceptable solution is to establish supplementary information files with clear linkages to the configuration management data via pointers and cross-references. The RM-Plan must include an overall description of the vendor's record-keeping system, covering basic facts such as where the master version of the code is stored and how it is protected from unauthorized modification or use. The discussion lists the major database elements and notes any associated divisions of activity. (For example, the recording of information for system changes might be distinguished from the management of system documentation, tests, tools, test documentation, etc.) The plan describes how the vendor can determine the status of proposed and approved changes and can locate any supporting information. The RM-Plan then revisits the entire configuration control process and states the documentation requirements associated with each step (unless documentation has already been covered in the section on configuration control). There should be one or more reporting tasks associated with almost every element of a rating maintenance model such as shown earlier in Figure 3. In each case, the RM-Plan must describe: what information is recorded; where it is recorded; who is authorized to store and retrieve information; and what steps are taken to assure that information is accurate and comprehensive. The plan also discusses the uses of this information in the configuration control process for review and approval purposes. The Center recognizes that there may be a time granularity below which the system code, documentation, tests, and test documentation cannot be maintained on a synchronous basis because of lags in the updating process. The RM-Plan should estimate the duration of configuration accounting lags and describe any necessary steps to avoid problems from this source. The RM-Plan must address the RAMP audit function and the VSA role in this function. The plan must establish configuration audit procedures for verifying compliance with every configuration control and configuration accounting requirement, and for checking the adequacy of all associated evidence. The plan should describe the security analysis portion of the RAMP audit in terms of: the procedures for sampling SIRs; the number of SIRs investigated; and the standards for assessing the adequacy of security analysis and related documentation. The RM-Plan should also state the vendor's intended schedule of RAMP audits. The Center does not impose a uniform requirement in this regard because of the widely varying circumstances encountered, with the exception that at least one RAMP audit must occur per RAMP cycle. 7.7 COMPLIANCE WITH CRITERIA INTERPRETATIONS The RM-Plan must explain in detail the vendor's policy for complying with Criteria interpretations as they occur. The Center's recommended guidelines for such a policy have been discussed in Section 4. The objective is to provide the maximum compliance with interpretations consistent with a vendor's unique ways of doing business. Center approval of the RM-Plan is contingent upon attaining this objective. The policy statement in the RM-Plan should refer to the product revision cycle (i.e., the maximum number of cycles that can elapse before compliance occurs) and should also include calendar time as a factor if the revision schedule is variable. 7.8 PRESENTATION OF EVIDENCE Section 6 has described the contents of the Rating Maintenance Report (RMR) and other documents submitted by the vendor to the Center at the end of each RAMP cycle. The RM-Plan should discuss briefly how these documents are prepared and how they will be used to defend the product, the security analysis, and the configuration management process before the TRB. The new material in any given RMR consists primarily of the evidence summaries for product changes. (See Figure 5 in Section 6.) The RM-Plan should describe the contents of these summaries for product changes that do and do not affect the TCB. The summarization process should be discussed with reference to the extent of VSA involvement, the configuration accounting files used, and the vendor's ability to prepare evidence summaries while other product changes are still under way. The RM-Plan should estimate the time delay between the end of product changes and the submission of an RMR to the Center for review. Regarding the defense of evidence, the RM-Plan should indicate which VSA or VSAs will represent the product at the next evidence submission and what provisions will exist for supplying evidence not contained in the RMR. Rough estimates should be given for the number of hours or days needed to comply with various types of information requests by the TRB. 7.9 VSA AND RESPONSIBLE CORPORATE OFFICER RESPONSIBILITIES The RM-Plan must establish the VSA and responsible corporate officer roles in very specific terms. The required topics include: the qualifications and corporate position of the responsible corporate officer and the VSA or VSAs; the ability of the responsible corporate officer to support RAMP and the VSA function; the division of technical responsibilities among multiple VSAs, if used; and the extent of VSA involvement in every individual RAMP activity. The plan normally presents the task-by-task description of VSA duties as an integral part of the material on configuration control and collection of evidence. The RM-Plan names the person or persons occupying the VSA role and summarizes briefly the qualifications and experience of each. Any person representing the product as a VSA must have completed the Center training program. (As noted earlier, the approval of an RM-Plan confers Center recognition upon the VSAs referenced in the plan as product representatives.) The description of each VSA's corporate position should cover both line management and matrix management responsibilities. Any intended use of contractors or part-time employees as VSAs should be noted and explained. There should be a general statement of the vendor's strategy for assuring that the VSA or VSAs can: track all aspects of the revision process; confirm the findings of security analysis; influence product changes; assure the accuracy and completeness of evidence; and represent the product effectively to the Center. If multiple VSAs are utilized, the RM-Plan explains the reasons for this approach and describe the primary areas of VSA responsibility in such a fashion that the Center can associate one and only one VSA with each element of the RAMP process. The task-by-task description of VSA duties must cover for each activity in RAMP: 1) the share of work conducted personally by a VSA; 2) the extent of VSA supervisory authority over the given task; 3) the ability of a VSA to influence how work is done and what outputs are produced; 4) the arrangements whereby a VSA can evaluate the adequacy of procedures and accuracy of data; and 5) the terms of VSA access to all information used in and generated by the task. The RM-Plan should emphasize VSA involvement in the CCB function, the CRB function, the configuration audit, and the presentation and defense of evidence. The plan should name the VSA who serves as a CCB member and show how this function allows the VSA to control product changes through direct input to CCB decisions and through the veto power of the responsible corporate officer. VSA involvement with the CRB is discussed similarly. The plan describes VSA responsibilities for producing the RMR and representing the product to the TRB. It names the VSA or VSAs who serve as configuration auditor(s) or audit supervisors. The RM-Plan must confirm that VSAs have access to Dockmaster and are responsible for tracking Criteria interpretation activity. The RM-Plan must describe how the responsible corporate officer will support the RAMP process and serve as the point of vendor accountability to the Center. This description covers: the power of the responsible corporate officer to make decisions and corporate commitments on behalf of RAMP; the extent of responsible corporate officer supervisory authority over the VSA(s) and over the operating groups involved in RAMP tasks; the influence of the responsible corporate officer over product changes; the role of the responsible corporate officer as the vendor's contact with the BPOC; and the ability of the responsible corporate officer to influence the corporate response to failures in the product or the RAMP process. As described in Section 6, the responsible corporate officer must be in a position to assume full responsibility for the content of RMR submissions. The RM-Plan must name the lead VSA, if there are multiple VSAs, and describe all lines of authority among the responsible corporate officer, the lead VSA, and other VSAs. There should be an overview of RAMP program administration showing how RAMP fits into the corporate management structure. The RM-Plan should include a corporate organization chart and a personnel directory listing the department and job title of all persons who might contact the Center on the subject of RAMP. The organization chart should be abbreviated horizontally by showing only the portion of the corporate hierarchy that contains the responsible corporate officer, the VSAs, all CCB and CRB members, and all operating groups with major involvement in RAMP. 7.10 EXCEPTION HANDLING The RM-Plan must describe any and all exception handling procedures that may be used in the development of the product. Exception handling refers here to actions outside the normal cycle of releases, not exceptions to RAMP practices. Under no circumstances are interruptions in configuration management allowable. Specifically, the RM-Plan must address the vendor's response to product and process failures. The failures that can occur for a product in RAMP fall into three categories, as follows. Bug: Improper execution of an acceptable design. Flaw: Incorporation of an inadequate design decision. Breakdown of process: Deficiency in the security analysis and/or configuration management procedures that confer RAMP assurance. These failures can have widely varying impacts upon the responsible vendor, the user community, and the product rating. Bugs and flaws are of greatest immediate concern to users. However, breakdowns of process tend to have the greatest long-term impacts on product ratings and continued RAMP applicability. Errors can usually be located and corrected if the process remains pure, but RAMP assurance may not be recoverable if the process fails. Section 8 discusses the response of the Center to these types of failures. The primary focus of exception handling is the management of system bugs. The Center recognizes that at the C1 through B1 rating levels (which are features-oriented rather than assurance-oriented), a product may contain implementation errors that are undetected by evaluation and that may be exploitable under some circumstances. It is not acceptable to pass responsibility for vulnerability management on to system users. Vendors should therefore plan ahead for the possibility of bugs and should develop procedures for correcting bugs with minimum delay and risk to users. The following are suggested steps to deal with a potentially exploitable bug once identified. The vendor: 1) immediately deploys a repair and recovery team to analyze and solve the problem 2) contains information regarding the bug in order to minimize risk to operational systems 3) provides immediate notice to the TPOC so that the Center can take any necessary steps to assure the protection of system users 4) undertakes the replacement or repair of all operational systems that contain the bug 5) reports progress to the Center on a weekly basis 6) packages the repair or replacement in such a fashion that the exploitable bug is not easily determinable from the repair distribution. The RM-Plan must explain how these and related tasks will be accomplished in case of product failure, and must state corporate policies for using exception-fix procedures and for correcting bugs in subsequent scheduled product releases. The RM-Plan must also describe the vendor's internal procedures for restoring the RAMP process if there is a process failure (and if the Center determines that the process can potentially be restored). These procedures include: establishing the precise nature of the error or breakdown and the reasons for its occurrence; tracing the full ramifications of the problem for all affected product versions; conducting security analysis to establish corrective measures and verify product trust; and reestablishing the unbroken trail of evidence linking to the evaluated product. 7.11 NUMBERING AND RETIREMENT OF PRODUCT VERSIONS A product release that includes any correction for a bug or flaw becomes a different product from the standpoint of the Center and the user community. The vendor must develop a product identification system that reflects this fact. A favorable approach is an alphanumeric system in which the numeric portion (typically involving decimals) denotes the product version as released and the letter suffix denotes corrections. For example, version 1.0 might be the original product subjected to evaluation; versions 1.1, 1.2, and so on might be successive releases in RAMP; and versions 1.0a and 1.1a might be the first two versions after a correction has been added. This system yields a two-dimensional product flow as illustrated in Figure 6. In this example, a system bug is discovered after the second version (1.1) has been released. The development of a correction for this bug yields two new products, 1.0a and 1.1a. Then another bug is identified after version 1.2 has been released. This bug is corrected in 1.1 and 1.2, yielding products 1.1b and 1.2b, but is not corrected in 1.0 because the original product version has been retired (as defined below). The two diagonal arrows in the diagram indicate that each bug correction is incorporated in the next scheduled release. Every RM-Plan should establish a product identification system that has this degree of flexibility and comprehensiveness. The RM-Plan should also indicate that the vendor will inform the Center whenever a rated product version is retired. Retirement is defined in this context as the point at which a vendor no longer offers a product version for sale and no longer provides bug fixes and related services for that version. The Center needs to be informed of retirement decisions so that the affected products can be shifted to a separate section of the EPL. 7.12 MANAGEMENT OF RM-PLAN Previous discussion has suggested why RM-Plans may change occasionally and how changes are effected. Due to the possibility of change, the RM-Plan must describe how the plan itself is managed. This discussion should indicate how the vendor establishes a need to change the RM-Plan; how the vendor formulates and proposes specific changes; and how the vendor assures compliance with RM-Plan changes when in place. 8. RAMP TERMINATION, SANCTIONS, AND RISKS 8.1 OVERVIEW OF RAMP PROCESS Figure 7 depicts graphically various processes from the initial evaluation and VSA training to the establishment and application of RAMP for a product. (Figure 7 is an expansion of Figure 2). The starting points for establishing RAMP are the original product and the training of vendor representatives as VSAs. The vendor develops an RM-Plan and obtains approval for the plan before the Center starts the phase of product evaluation. Figure 7 emphasizes that the RAMP process builds upon an evaluated product and upon the evidence yielded by evaluation. The RM-Plan establishes a configuration management framework for the analysis, design, implementation, and approval of product changes. The VSAs participate in these rating maintenance actions and assure that security concerns dominate all decisions affecting the product. The outputs of rating maintenance consist of approved product changes and evidence supporting the changes. The VSAs summarize this evidence in an RMR, which is submitted to the TPOC and reviewed by the Center community. The TRB then receives and reviews the RMR, examines the VSAs on the evidence, and recommends that the product rating be extended (or not extended) to the new release. The cycle ends with approval or disapproval of the rating by the Chief of the Product Evaluation Division and listing of the new approved release on the EPL. The TPOC is the interface between the vendor and the Center in all technical communications except the interim and aperiodic reviews and the TRB examination. (The diagram omits the responsible corporate officer and BPOC roles.) There is no fixed limit on the number of revision cycles that can be covered by an application of RAMP. The termination of a RAMP process can be either voluntary or involuntary from the vendor's standpoint. A vendor might choose to terminate RAMP because the product is being discontinued; because no further revisions are planned; or because rating maintenance is not considered essential for further releases. Applications of RAMP tend to have a natural life span ending with the vendor's introduction of a replacement product that requires evaluation and a new RAMP process. Voluntary exits from RAMP are usually pre-arranged to occur at the end of a rating maintenance cycle. The intermediate cases are situations in which a vendor desires to continue RAMP but needs to implement product changes that RAMP cannot cover. Given a commitment to the changes, the vendor must decide whether to terminate RAMP permanently or undergo reevaluation to start another RAMP process. The requirement for such a choice might be established by the VSAs when analyzing changes during a revision cycle; by the vendor when planning future changes; or by the Center when reviewing the vendor's future change analysis in an RMR. Advance notice of the decision point obviously benefits the vendor by minimizing wasted effort and allowing timely placement of the product in the queue for a reevaluation (if future rating maintenance is intended). Consequently, the vendor should supply as much information as possible to the Center in each future change analysis. The Center attempts to provide an interval of at least one revision cycle within which the vendor can seek reevaluation while rating maintenance is still under way. However, the Center cannot guarantee that this outcome will occur, or that any given rating maintenance cycle will be successful. 8.2 OVERVIEW OF RAMP PROCESS Involuntary termination of RAMP is associated with failure in the product or process. Failures can be identified through program reviews, TRB examinations, or other mechanisms. The Center response to an identified failure depends upon the nature of the problem and how it occurred. The Center terminates permanently the use of RAMP for a product if the vendor has knowingly misrepresented any aspect of the product or its RAMP process. The VSA or VSAs responsible for the misrepresentation will no longer be recognized by the Center as representatives of any product. The Center permanently lifts the rating of the product release for which the misrepresentation occurred and the ratings of any later versions dependent upon that release for rating maintenance. Furthermore, the Center activates the aperiodic review process to investigate the possibility of misrepresentations or other errors in earlier releases. The product rating is then rolled back at least to the earliest known breakdown of RAMP assurance. When an inadvertent failure is identified, the Center may or may not allow the vendor to rebuild RAMP assurance and continue the rating maintenance process. If a failure is identified during a TRB review, the vendor may or may not be allowed to fix the failure and resubmit the product depending on the nature of the failure. A vendor usually is permitted and able to fix a bug (implementation error) while rating maintenance is under way. The Center treats a system flaw (design error) similarly to a bug unless its correction requires an architectural change that RAMP cannot accommodate. The Center does not approve any new ratings until all identified bugs and flaws have been eliminated, but normally does not suspend past ratings so long as the RAMP process is unimpeached and the vendor makes every reasonable effort to protect the user community. A breakdown of process, such as a loss of product evidence, tends to have the most serious consequences for rating maintenance even if no deliberate malfeasance is involved. The Center usually lifts the ratings for all affected releases at least temporarily, and determines on the basis of individual circumstances whether and how the vendor can reconstruct the RAMP process. 8.3 RISKS OF RAMP PARTICIPATION There are no sanctions in RAMP that apply retroactively to products evaluated by the Center. Choosing to participate in RAMP cannot place an existing product rating in jeopardy. Thus, a vendor's decision to initiate a RAMP process can only create the following risk. There is a chance that the net costs incurred to participate in RAMP will not yield the desired ratings for product revisions, and hence may be viewed as financial losses. Section 1 has suggested the ways in which RAMP participation can create net monetary costs for a vendor. A major determinant is the extent to which a vendor's business practices need to be altered to meet RAMP requirements for security analysis and configuration management. When evaluating whether these costs and adjustments are supportable, a vendor should be aware of the following considerations. 1) The chance that an application of RAMP will be unsuccessful can be greatly reduced by approaching the program constructively and conscientiously. This means allocating the time of highly capable and experienced personnel to the RAMP process; applying scrupulously the RAMP principles of security dominance and configuration management; and keeping the Center as well-informed as possible about upcoming product changes. 2) The net costs of creating and pursuing a RAMP process can be viewed as an investment with potential returns extending well beyond the given product. The capabilities developed in one RAMP experience are valuable not only for other applications of the program but also for the creation of new trusted products from start to finish. Regarding the second point, the value of in-house security wisdom is increasing very rapidly for computer vendors. Various factors are making access to the expanding market for trusted systems more and more dependent upon the availability of this resource. RAMP is the appropriate context and focus for developing security analysis capability. APPENDIX SUMMARY OF RAMP REQUIREMENTS This appendix summarizes the vendor's and the Center's requirements for RAMP. These requirements are linked to the timing of the product evaluation and are listed in approximate order of occurrence, under the phase of the evaluation process in which they occur. A vendor failing to satisfy these requirements loses the opportunity to participate in RAMP until such time as the product in question is reevaluated. The Center reserves the right to deny a rating and/or discontinue the Rating Maintenance Phase at any time. PREEVALUATION PHASE 1. Vendor establishes an intent to participate in RAMP in the evaluation package/proposal for a given product. VENDOR ASSISTANCE PHASE/DESIGN ANALYSIS PHASE 1. The vendor must identify and maintain a responsible corporate officer. The responsible corporate officer represents the vendor in administrative matters, serves as the point of vendor accountability to the Center, is able to make decisions and corporate commitments on behalf of RAMP, and supports the technical role of the VSA. 2. The vendor must complete training of one or more Vendor Security Analysts (VSAs) before implementation of the vendor's Rating Maintenance Plan but not later than completion of the IPAR. The vendor must provide for VSA access to the Center's Dockmaster computer system at the time VSA training begins. Whenever a vendor uses more than one VSA, a lead VSA will be identified by the vendor. 3. The Center will provide RAMP training for VSAs. 4. The vendor must develop, have approved, and implement a Rating Maintenance Plan (RM-Plan). The RM-Plan must be approved by the Center prior to its implementation but not later than completion of the IPAR. The approved RM-Plan must be implemented before development begins on the version that will supersede the evaluated version. 5. The Center will review the vendor's RM-Plan for purposes of approving the RM-Plan. EVALUATION PHASE 1. The vendor must maintain a responsible corporate officer. 2. The vendor must maintain one or more Center-trained Vendor Security Analysts (VSAs) once the vendor's RM-Plan has been implemented. The vendor must provide for VSA access to the Center's Dockmaster computer system. Whenever a vendor utilizes more than one VSA, a lead VSA will be identified by the vendor. 3. The Center will provide RAMP training for VSAs. 4. The vendor must complete implementation of the Center-approved Rating Maintenance Plan (RM-Plan) and must follow the business practices outlined in the RM-Plan. The RM-Plan must be implemented before development begins on the version that will supersede the evaluated version. Any changes to the RM-Plan must be approved by the Center and must be made according to the provisions within the approved RM-Plan. 5. The vendor must conduct, for his own purposes, an initial RAMP audit to assure that security feature functionality and assurances are being maintained by adherence to all the procedures established in the vendor's approved RM-Plan. 6. The Center evaluation team will review the results of the vendor's initial RAMP audit to ensure the vendor's RAMP process follows the procedures outlined in the vendor's RM-Plan. 7. The Center assigns a Technical Point of Contact and a Business Point of Contact before completion of the evaluation phase. The TPOC advises and coordinates the use of RAMP for the given product. The BPOC handles administrative and programmatic aspects of the process. RATING MAINTENANCE PHASE 1. The vendor must maintain a responsible corporate officer. 2. The vendor must maintain one or more Center-trained Vendor Security Analysts (VSAs) once the vendor's RM-Plan has been implemented. The vendor must provide for VSA access to the Center's Dockmaster computer system. Whenever a vendor uses more than one VSA, a lead VSA will be identified by the vendor. 3. The Center will provide RAMP training for VSAs. 4. The Center maintains a Technical Point of Contact and a Business Point of Contact. 5. The vendor must provide product instruction for the Center Technical Point of Contact, as needed throughout the Rating Maintenance Phase. This is to include product documentation, vendor provided classes, and hands-on system access time. 6. The vendor will provide quarterly informal status reports to the Technical Point of Contact via the Center's Dockmaster system throughout the Rating Maintenance Phase. 7. The vendor must conduct, for each RAMP cycle, at least one RAMP audit to assure that security feature functionality and assurances are being maintained by adherence to all the procedures established in the vendor's approved RM-Plan. 8. The Center Technical Point of Contact will review the results of the vendor's RAMP audit to ensure the vendor's RAMP process follows the procedures outlines in the vendor's RM-Plan. 9. The vendor will submit concurrently to the Center the following documents for each version of an evaluated product for which the vendor desires to have the rating maintained via RAMP: a) Rating Maintenance Report (RMR) b) Rating Maintenance Plan (RM-Plan) with change bars c) Final Evaluation Report with change bars d) Final Evaluation Report with integrated changes e) Proposed product description for EPL The documents intended for public release are the final evaluation report with integrated changes and the proposed product description for EPL. 10. The Center will review the vendor's documents for purposes of extending the rating to the specific release and for placement on the Evaluated Products List. 11. The vendor's RAMP process is subject to two types of reviews (Interim Reviews and Aperiodic Reviews) by the Center. Both types of program review have the purpose of assuring that security feature functionality and assurances are being maintained by adherence to all the procedures established in the vendor's approved RM-Plan. GLOSSARY BPOC - Business Point of Contact (Center). CCB - Configuration Control Board. Center - National Computer Security Center. CF - Code Freeze. CI - Configuration Item. COMPUSEC - Computer Security. CRB - Configuration Review Board. Criteria - Same as TCSEC. Dockmaster - A Center computer system serving the evaluation community. ECO - Engineering Change Order. EPL - Evaluated Products List. Evaluated Product - A product version that has undergone evaluation by the Center. (By convention, excludes products assigned D ratings. An evaluated product is always a rated product, but the reverse is not always true for products in RAMP.) FER - Final Evaluation Report. Interpretations - Published Center Interpretations of the TCSEC. IPAR - Initial Product Assessment Report. PTR - Preliminary Technical Report. RAMP - Rating Maintenance Phase. Rated Product - A product version with a TCSEC rating and a listing on the EPL, obtained either through evaluation or RAMP. (By convention, excludes products with D ratings.) RM-Plan - Rating Maintenance Plan. RMR - Rating Maintenance Report. SIR - Service Improvement Request. TCB - Trusted Computing Base. TCSEC - Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD); the Criteria against which products are evaluated to establish security ratings. TPOC - Technical Point of Contact (Center). TRB - Technical Review Board (Center). VSA - Vendor Security Analyst. BIBLIOGRAPHY Department of Defense Trusted Computer System Evaluation Criteria, December 1985 (DOD 5200.28-STD). Brown, Leonard, R. "Specification for a Canonical Configuration Accounting Tool," Proceedings of the 10th National Computer Security Conference, 21 September 1987, p. 84.