CTAS Principles & Methodology 1 - NCSC.GOV.UK

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or [email protected]

Page 1 of 21

October 2019

CTAS PRINCIPLES & METHODOLOGY

Version 1.2

© Crown Copyright 2019 – All Rights Reserved



FOREWORD

This document defines the principles and methodologies that will be applied when conducting an NCSC Tailored Assurance Scheme (CTAS) evaluation.

Document History

Version Date Description

1.0 26 July 2012 First published version

1.1 October 2018 Amended to reflect formation of NCSC

1.2 October 2019 Amendment to Security Target (ST) information - Page 9, Reference 42, Bullet Point 1

This document is issued by NCSC

For additional copies of this document or for general CTAS queries please contact:

CTAS Administration Team
NCSC
Room A2i
Hubble Road
Cheltenham
GL51 0EX
Email: [email protected]


CONTENTS

I. INTRODUCTION .................................................................................................... 4

Purpose of Document .......................................................................................... 4

Background ......................................................................................................... 4

Intended Readership ........................................................................................... 4

Changes from previous CTAS methodology ........................................................ 4

II. CTAS PRINCIPLES ............................................................................................... 6

Introducing CTAS Principles ................................................................................ 6

III. CTAS EVALUATION PHASES .............................................................................. 7

Summary of CTAS Evaluation Phases ................................................................ 7

Phase transition and signoff requirements ........................................................... 7

IV. PREPARATION PHASE – DEFINITION AND PLANNING .................................... 8

Introduction & Relationship with CTAS Principles ................................................ 8

Definition Stage: Definition of a CTAS Evaluation ................................................ 8

Questionnaire ...................................................................................................... 8

Security Target (ST) ............................................................................................ 9

Planning Stage: Planning a CTAS Evaluation .................................................... 10

Evaluation Work Programme (EWP) .................................................................. 10

Preparation Phase Completion .......................................................................... 11

V. EVALUATION PHASE – CTAS EVALUATION ACTIVITIES ............................... 12

Introduction & Relationship with CTAS Principles .............................................. 12

Activity Stage: Analysis and Testing of the Target of Evaluation ........................ 12

Evaluation Activities ........................................................................................... 13

Reporting Stage: Publication of Results ............................................................. 14

Reporting Principles .......................................................................................... 14

Evaluation Reports ............................................................................................ 14

Assurance Maintenance Plan (AMP) ................................................................. 14

Assessment Statements .................................................................................... 15

Evaluation Phase Completion ............................................................................ 15

VI. ASSURANCE MAINTENANCE ........................................................................... 17

APPENDIX A: CTAS STAKEHOLDERS – ROLES & RESPONSIBILITIES ................. 18

Introduction ........................................................................................................ 18

APPENDIX B: OVERVIEW OF CTAS EVALUATION PROCESS ................................ 20


I. INTRODUCTION

Purpose of Document

1. This document defines the principles and methodologies that will be applied when conducting a CTAS evaluation and supersedes all previous CTAS methodologies.

Background

2. The NCSC Tailored Assurance Service (CTAS) has been in operation since 2007 and is run by NCSC. Its primary purpose is to provide a tailored approach to gaining assurance in the specific implementation of an IA object (Product/System/Service) so that the Senior Information Risk Owner/Accreditor is able to make a balanced risk decision.

3. Since its inception CTAS has completed 50+ evaluations for many diverse areas of HMG, MoD and the wider public sector. It has also been used as a test bed for other assurance approaches developed by NCSC.

4. During 2011 NCSC conducted an analysis of the scheme’s Strengths, Weaknesses, Opportunities and Threats (SWOT) based upon a series of email interviews and internal/external conversations.

5. As a result of this analysis NCSC has decided to redesign the scheme to ensure its continuing relevance in the UK information assurance landscape.

Intended Readership

6. This document is intended to be read by all stakeholders involved in the delivery and eventual use of a CTAS evaluation and its resulting reports and statements.

7. A full list of stakeholders and their associated roles and responsibilities can be found in Appendix A.

Changes from previous CTAS methodology

8. As a result of an internal NCSC review a number of changes to the methodology have been introduced and a set of CTAS principles have been defined.

9. The details and supporting processes of the new methodology, as well as the new principles, are explained within this document, but a summary now follows:

• Companies wishing to offer CTAS evaluation services are now permitted to apply at any time if they can fulfil the service requirements.

• The underlying contract for CTAS evaluations has been changed to increase scheme efficiency and follow a similar model to other NCSC schemes.

• The process to conduct an evaluation has been split into two distinct phases. Transition to the second phase will not be permitted until the first phase has been formally completed.

• An evaluation activity will not be permitted to start until the relevant detailed activity plan has been agreed by all relevant stakeholders.

• NCSC has defined a set of scheme templates to ensure that key information is captured during an evaluation.


• An Assurance Maintenance Plan (AMP), to assist ongoing assurance maintenance activities, will be drafted by the CTAS Company as one of the evaluation outputs.


II. CTAS PRINCIPLES

Introducing CTAS Principles

10. Each CTAS evaluation is tailored to provide the assurances required by the Accreditor to better understand the environment under evaluation.

11. Although this document will define the process and methodologies to be applied during an evaluation NCSC appreciates that in certain situations the methodology may be open to interpretation.

12. A stakeholder who is not sure how to interpret a section of methodology should refer to the following CTAS Principles prior to any discussion with the CTAS Company, who may refer to NCSC if further guidance is required.

“CTAS evaluations answer the Accreditor’s assurance questions.”

13. The aim of a CTAS evaluation is to answer any of the Accreditor’s remaining assurance questions and/or concerns that have not been resolved by the implementation of assured products, use of assured services or other evaluations.

“CTAS evaluations provide assurance in a tailored fashion.”

14. CTAS evaluations must only include activities that are required to answer assurance questions. There is not a defined set of CTAS activities that are required for all evaluations, but an understanding that any evaluation technique is permitted as long as it is relevant and results are repeatable.

“CTAS evaluations ensure that assurance activities meet HMG/MOD/Wider Public Sector (et al) sponsor requirements.”

15. By providing oversight to all CTAS evaluations, NCSC ensure that all assurance activities relate to relevant policy and advice and are relevant to the evaluation in question. NCSC are also able to report on general assurance trends and offer advice to ensure that key assurance activities are not neglected.

“CTAS evaluations are carried out in an efficient manner.”

16. Care should be taken to ensure that only required activities are undertaken and that these activities are completed in the most efficient manner. A CTAS evaluation should make good use of industry’s ability to provide a range of assurance activities, the ability to scale and to operate in a competitive market. When required, the use of NCSC supplied skills should be specific and appropriate.

“CTAS maintenance provides continued assurance to evaluated configurations by understanding and assessing changes in an efficient and tailored manner.”

17. The aim of CTAS maintenance activities is to answer any of the Accreditor’s assurance questions and/or concerns related to changes in derivatives of an assured Target of Evaluation (TOE) using an efficient, tailored approach.


III. CTAS EVALUATION PHASES

Summary of CTAS Evaluation Phases

18. A CTAS evaluation is split into 2 phases, a “Preparation” phase and an “Evaluation” phase. The CTAS evaluation may be followed by an optional “Maintenance” phase.

19. Each phase is separated into distinct stages. The Preparation Phase has a Definition Stage and a Planning Stage, while the Evaluation Phase has an Activity Stage and a Reporting Stage. Phase and stage differentiation ensures that key tasks are not omitted and that all stakeholders have an opportunity to contribute to key decisions.

20. The clear definition of tasks and scheme actions also ensures that the status of a given CTAS evaluation is easier to ascertain.

21. A schematic diagram providing an overview of the CTAS evaluation phases and stages is provided in Appendix B.

Phase transition and signoff requirements

22. The transition between phases and stages requires the agreement of all stakeholders.

23. It is imperative that each phase and stage has the agreement of all stakeholders to ensure the smooth operation of an evaluation and also to ensure that the evaluation is meeting its primary function in answering the Accreditor’s assurance questions.

24. Although work on separate phases and stages can be initiated before formal agreement has been reached on earlier phases and stages, any and all work on future phases and stages is at the risk of the entity undertaking such work.

25. The agreement and transition for each phase must be formally documented and recorded.


IV. PREPARATION PHASE – DEFINITION AND PLANNING

Introduction & Relationship with CTAS Principles

26. The primary aim of the Preparation Phase is to ensure that the CTAS evaluation is appropriately scoped and that it fulfils all the requirements of the CTAS Principles.

27. The focus of this phase is to ensure that the evaluation is properly scoped to answer the Accreditor’s assurance questions and that the evaluation activities will meet HMG (et al) sponsor requirements.

28. Each stage of the Preparation Phase is designed to better understand the requirements of the evaluation and clearly define what is being evaluated and why.

29. Only activities that will directly contribute to answering the Accreditor’s questions should be within the scope of the evaluation. Delivery of these activities should be undertaken by the CTAS Company unless there is a clear operational or security related issue for NCSC or another entity to perform certain tasks.

30. When completing the Preparation Phase, stakeholders should refer to the CTAS Principles and confirm that all Preparation Phase outputs follow the principles and that they are happy to transition into the Evaluation Phase.

Definition Stage: Definition of a CTAS Evaluation

Questionnaire

31. NCSC will be notified of a potential CTAS evaluation by way of a CTAS questionnaire.

32. The questionnaire will provide enough information for NCSC to understand the scope of the evaluation and to ensure that the correct NCSC resources are assigned to assess the suitability of the evaluation for the CTAS approach.

33. The questionnaire will be supplied by the CTAS Company, having received suitable input from the CTAS sponsor in its completion.

34. The questionnaire template will be available from the CTAS Company.

35. The questionnaire template defines all the information that NCSC require at this time. The following points provide a summary of the template’s function:

• Provide clear points of contact for all known stakeholders.

• Identify the scope of the CTAS evaluation as it is currently understood.

• Summarise the known requirements of the Accreditor and specific concerns.

• Present the anticipated scope/depth/type of testing and evaluation.

• State all previous NCSC interaction including relevant assurance activities and consultancy.

• Allow for additional information that is believed relevant to the proposed CTAS evaluation.


36. Upon receiving a CTAS questionnaire from the CTAS Company, NCSC will review the request and inform the CTAS Company as to the suitability of the proposal, requesting further information if required.

37. NCSC will also state the cost of NCSC effort in the Preparation Phase, and an estimate of cost for the Evaluation Phase. These costs will typically be a standard fixed charge, although NCSC reserve the right to amend the standard charge for specific evaluations based on complexity and resources required.

Security Target (ST)

38. The output of this stage is to clearly define what is being evaluated and why it is being evaluated. It is VITAL that the output, the Security Target (ST), is agreed and signed off by ALL stakeholders before progressing to the next phase.

39. The ST will clearly state the questions being asked of the TOE by the Accreditor to ensure that the CTAS is correctly focussed and the evaluation requirements are defined. The scope of the evaluation is guided by the Security Functional Requirements (SFR) and risk levels derived from an IS1 calculation (or equivalent) and any identified Accreditor concerns. The scope may be influenced by the risk tolerance level acceptable to the Accreditor.

40. Although the content of the ST can be drafted by any of the stakeholders, the final authoring and distribution should be conducted by the CTAS Company to ensure consistency of evaluation documentation and a definitive point of reference.

41. The ST template will be available from the CTAS Company.

42. The ST template defines all the information that NCSC requires at this time. The following points provide a summary of the template’s function:

• Where applicable the ST should reference back to relevant supporting documentation, such as the risk assessment report. For example, RMADS or IS1 documents or known threats/issues related to the Target of Evaluation (TOE).

• The ST must specify the security environment, including hardware, software and firmware, and explicitly what is included and excluded in the TOE Scope, including all permitted interfaces.

• All stakeholders must be clearly identified and documented.

• The ST must contain a clear definition & explanation of all aspects of the Target of Evaluation. It must be possible for any of the stakeholders to review the ST and understand exactly how the Target of Evaluation is intended to function. Ambiguity would indicate that the ST is not ready for signoff.

• The ST must clearly include the boundaries (logical/technical/physical) of the Target of Evaluation.

• The ST must contain an in-depth description of the technical aspects of the Target of Evaluation including:

o Multilevel design that defines the requirements for security such as the security boundaries and other key components.

o Location (logical & physical), function and desired operation of SFRs.

• The ST must contain an in-depth description of the procedural and operational aspects that support the Target of Evaluation including:

o Who performs operational functions within the Target of Evaluation?


o Project and operational timescales related to the evaluation.

o Project and operational responsibilities related to the evaluation.

o Assumptions & Dependencies (supporting certifications (& related assurance activities), relationship to other projects, availability of resources)

• The ST must define the use of key terms and project specific acronyms, and ensure that it is clearly titled with the official NCSC assigned CTAS number.

• Once a draft ST has been completed by the CTAS Company, it MUST be discussed by all other stakeholders and signed off by all prior to commencement of the next stage of the evaluation.

43. The signoff of the ST must be recorded by the CTAS Company and passed to NCSC.

44. If there is disagreement about the scope, the Accreditor will have the final decision in accepting the ST.

Planning Stage: Planning a CTAS Evaluation

Evaluation Work Programme (EWP)

45. The output of this stage is to clearly define how the Target of Evaluation will be evaluated, and to ensure that all of the Accreditor’s requirements will be adequately met by suitably qualified parties in line with NCSC and Industry best practice methods and requirements. It is VITAL that the output, the Evaluation Work Programme, is agreed and signed off by ALL stakeholders before progressing to the next phase.

46. The EWP must clearly define, by way of activity plans, the range of evaluation activities that will be conducted in order to answer the Accreditor’s questions as defined by the ST. It will be possible for any of the stakeholders to review the EWP and establish what evaluation activities have been planned and who is responsible for each activity, including proposed timescales.

47. Although the content of the EWP can be drafted by any of the stakeholders, the final authoring and distribution should be conducted by the CTAS Company to ensure consistency of evaluation documentation and a definitive point of reference.

48. The EWP template will be available from the CTAS Company.

49. The EWP template defines all the information that NCSC require at this phase. The following points provide a summary of the template’s function:

• The EWP will provide clear connections back to the various decisions and definitions made in the ST. It must be possible for stakeholders to understand why a specific activity is being undertaken.

• The EWP MUST clearly identify who will be leading/conducting each evaluation activity and what the scope, pre-requisites and deliverable of that activity is. In most cases the activity will be undertaken by the CTAS Company (or on behalf of the CTAS Company by the Target of Evaluation developer), but in some specific cases the work will be carried out by NCSC (e.g. cryptographic testing, other specialist technical testing, or specific classified ITSHC work). All evaluation work needs to be clearly defined and assigned in the EWP before signoff by all stakeholders.

• The EWP MUST (wherever possible, clearly stating when it is believed to be impossible) identify the pre-requisites & owner for each EWP activity, including the proposed evaluation tool set. Typical pre-requisites include the provision of TOE configuration information, physical access, availability of personnel, TOE access, test configurations, knowledge of release contents and/or other key dates etc.

• A detailed activity plan MUST be completed and agreed by stakeholders before an evaluation activity is permitted to start.

• A test plan MUST be produced by the CTAS Company and made available to the stakeholders. The test plan should include the test strategy, details of the tests proposed, test schedule aspects, etc. Test scripts should also be included where relevant. The test plan must be referenced from the EWP. This will ensure that all parties are aware of the timescales being worked within. It will also ensure that all stakeholders understand when key pre-requisites are required, and by whom and in what context they will be used. The plan MUST also include any specialist NCSC testing activities.

• The EWP will also identify all planned meetings and on-site testing requirements to enable the best possible resource planning.

• Once a draft EWP has been developed by the CTAS Company, it MUST be discussed by all other stakeholders and signed off by all (or agreed delegates) before any evaluation activity takes place.

50. The signoff of the EWP must be recorded by the CTAS Company and passed to NCSC.

51. In the event of a disagreement in EWP scope, NCSC will have the final decision in accepting the EWP.

Preparation Phase Completion

52. Once both the ST and the EWP have been completed and signed off, the evaluation may proceed to the Evaluation Phase.

53. However, before initiating any evaluation activities, the CTAS Company will need to agree the Evaluation Phase of the NCSC tasking contract that defines NCSC activity. This ensures that both the CTAS Company and NCSC understand what is required of them in the Evaluation Phase.


V. EVALUATION PHASE – CTAS EVALUATION ACTIVITIES

Introduction & Relationship with CTAS Principles

54. The primary aim of the Evaluation Phase is to complete the evaluation activities defined in the Preparation Phase then to compile and act on the results.

55. The 2 stages that make up the Evaluation Phase are designed to provide answers to the questions defined in the Definition Stage. Additional assurance requirements should not be created in this phase without agreement from all stakeholders.

56. The primary focus of this phase is to ensure that the evaluation activities are completed correctly and that the Accreditor’s questions are answered in an efficient and tailored manner.

57. When completing the Evaluation Phase, stakeholders should refer to the CTAS Principles and ensure that all the Evaluation Phase outputs follow these principles, and that the overall CTAS evaluation fulfilled its primary aims.

58. As stated in the principles, the primary aim of a CTAS evaluation is to answer the Accreditor’s assurance questions. A CTAS Target of Evaluation cannot ‘pass’ a CTAS evaluation, or receive a CTAS certificate.

Activity Stage: Analysis and Testing of the Target of Evaluation

59. The output of this section is the documented answers and related observations and recommendations related to the various evaluation activities defined in the EWP and as conducted by the CTAS Company and NCSC (where applicable).

60. Due to the nature of tailored assurance, and the variable techniques and methods that could be utilised within a given evaluation, it is impossible to generically define how a given element of evaluation activity should be conducted.

61. Timescales and predicted dates concerning the evaluation activities should be made available to all stakeholders. Stakeholders should also be made aware of any changes to these timescales and the EWP updated accordingly.

62. Although specific testing methodology will not be defined, the following aspects must be considered during this part of the evaluation:

• All testing MUST be undertaken in line with the agreed EWP and associated Test Plan - any deviations must be recorded, and any changes reported to NCSC as soon as possible and before testing.

• NCSC MUST be given the opportunity to oversee any element of the testing, and must also have the opportunity to send NCSC technology specialists as required.

• Any interim reports produced MUST be made available to all stakeholders as required (unless there are classification issues). Typically this would be when the evaluation has many independent aspects or significant changes will be implemented during the evaluation (possibly as a result of earlier testing/implementation). Any interim NCSC/Accreditor statements must be referenced in any final reporting and their implications fully recorded (such as a change of scope etc).


• It MUST be possible for stakeholders to understand the tools and general techniques (where applicable/classification restrictions allowing) used for each element of the evaluation activities. It should also be possible for stakeholders to understand key decision points in the evaluation activities.

• It MUST be possible to link all the evaluation results back to a defined planned activity in the ST/EWP. If additional testing has taken place, it should still be possible to understand why the new testing has taken place, what initiated the work, its justification, method etc - e.g. a small appendix (1 or 2 paragraphs) should be added to the ST/EWP for context, as well as other updates to the main body of the ST/EWP.

• All penetration testing MUST meet the ITSHC requirements as defined for a CHECK evaluation and any other related guidance produced by NCSC (defined online and part of the CHECK T&C) – All ITSHC reports need to be submitted to NCSC in line with current CHECK requirements and can be used as part of their CHECK reports/evidence.

63. Upon completion of the various evaluation activities, or if a specific milestone/date has been reached, the CTAS Company must make all stakeholders aware of this fact via a statement confirming completion of all evaluation activities detailed within the EWP.

64. If any evaluation activities detailed within the EWP have not been completed an explanation must be provided in the Evaluation Report.

65. If the incomplete activities are critical to the evaluation (as decided by the Accreditor), the next stage of the evaluation (Reporting Stage: Publication of Results) may be delayed until the Accreditor agrees that enough evaluation results are available for analysis.

Evaluation Activities

66. For planning convenience, the selected evaluation activities are grouped under appropriate generic activity headings of Document Review, Audit, Analysis and Test, each generic activity being described in a detailed activity plan referenced from or included in the EWP. Examples of these activities might include:

• Document Review: Review of evaluation deliverables (e.g. security architecture, design, test evidence, development procedures, operational guidance and operational procedures)

• Audit: Audit of development, delivery, installation and/or operational procedures

• Analysis: Cryptographic analysis and/or source code review; vulnerability analysis

• Test: Security functional and penetration tests against agreed Test Plan

67. Note that these examples do not comprise a definitive list and that other evaluation activities may be included as required by the Accreditor.


Reporting Stage: Publication of Results

Reporting Principles

68. The output of this section is the main CTAS Company Evaluation Report(s), specialist NCSC reports, draft Assurance Maintenance Plan (AMP) and the NCSC Assessment Statement.

69. It should be possible for an external reader to understand the key elements of the CTAS evaluation without prior knowledge; however, the report should focus on the activities undertaken and the specific results, with any justification for additional activities referring back to the ST & EWP wherever possible.

70. NCSC templates for reports, plans and statements should be used wherever possible, and will be made available to the relevant stakeholders.

71. The Evaluation Report(s), draft AMP and supporting evidence MUST be submitted by the CTAS Company for review by NCSC prior to completion of the Assessment Statement.

72. NCSC will also consider other sources of information when producing their Assessment Statement.

Evaluation Reports

73. Although the specific contents of any report or statement will be specific to a given evaluation, the CTAS Company produced report(s) MUST as a minimum include the following elements:

• Executive Summary

• Overview of the TOE

• Overview of the Evaluated Configuration

• Traceability table summarising the results for each SFR or concern raised in the ST.

• Detailed recommendations for changes to the Target of Evaluation and for future maintenance activities.

• Detailed test result references

• Glossary of terms/phrases (technical and project specific)

• If specific results warrant a protective marking greater than that of the whole report, then these should be placed in an appropriate annex or referenced document.

• Any specialist reporting MUST follow the principles defined for the main report, in that the scope, method and results must be well defined. This is especially important in relation to Penetration/ITSHC reporting that includes unplanned exploratory testing.

Assurance Maintenance Plan (AMP)

74. A further output of the Evaluation Phase is a draft Assurance Maintenance Plan (AMP) that will detail responsibilities, procedures and maintenance activities for the ongoing assurance of the Target of Evaluation.


75. This ongoing assurance may facilitate the continued use of the Target of Evaluation, or deal with issues raised in previous phases that will enable the initial use of the Target of Evaluation, or possibly an extension of the evaluation scope to subsequent TOE derivatives.

76. An AMP template will be made available to the required stakeholders.

77. The scope of the AMP is defined by the needs of the Accreditor.

78. The AMP MUST detail the trigger points for further assurance activities (e.g. re-evaluation) and when the AMP needs to be referenced or updated.

79. The AMP MUST reference or summarise all the recommendations documented as a result of the CTAS Company Report(s) and specialist NCSC reports and either detail the planned next steps/maintenance activities OR justify why the recommendations will not be met.

80. The AMP MUST be drafted by the CTAS Company, and then it MUST be discussed by all other stakeholders including NCSC.

81. If there is disagreement about the scope, the Accreditor will have the final say in accepting the AMP.

Assessment Statements

82. The NCSC Assessment Statement is intended to highlight key findings of the CTAS evaluation and add any NCSC awareness to a reported issue (or topic of issues). The statement MUST give NCSC's opinion as to the level of confidence that the Accreditor can have in the Target of Evaluation, highlighting areas of residual risk. The statement MUST also highlight the key areas that NCSC believes need to be improved/re-tested/maintained.

83. It MUST also be made clear that CTAS does not issue ‘certificates’ or anything that could be construed as a ‘certificate’. Systems/Services/Products are never ‘approved’ by CTAS.

84. Upon completion of the NCSC Assessment Statement, NCSC will communicate the statement to the CTAS Company who will ensure onward distribution to the remaining stakeholders.

85. In the event that the NCSC Assessment Statement is at a protective marking higher than the CTAS Company can effectively pass on, NCSC will assist in the communication with relevant stakeholders.

Evaluation Phase Completion

86. Following their official reviews of the Evaluation Report and the draft AMP, including the signoff of the Evaluation Report, NCSC will issue an Assessment Statement. The CTAS evaluation will then be considered complete. NCSC recommends the AMP is followed and reserves the right to review it during the Maintenance Phase.

87. NCSC will initiate the project closure process and communicate this to the CTAS Company.


88. As part of this process NCSC and/or the CTAS Company may contact all stakeholders and request feedback on how the evaluation was conducted. This feedback will be used to make improvements for future CTAS evaluations and other assurance methodologies.


VI. ASSURANCE MAINTENANCE

89. Following completion of a CTAS Evaluation Phase, NCSC strongly recommends that the customer enters a Maintenance Phase to provide continued assurance for the evaluated configuration.

90. The primary aim of a Maintenance Phase is to complete the assurance maintenance activities required by the Accreditor to support the accreditation of a TOE derivative.

91. The Maintenance Phase will comprise the maintenance activities specified in an agreed AMP.

92. Maintenance activities will normally be required throughout the TOE lifecycle. This lifecycle can be viewed as a sequence of Maintenance Phase cycles.

93. Maintenance activities may address Low risk (minor) changes in derivatives of a Target of Evaluation.

94. A CTAS Re-evaluation may address Medium and High risk changes in derivatives of a Target of Evaluation. The associated AMP/Security Impact Analysis can help focus the evaluation activities on the TOE changes.

95. When required by the Accreditor, NCSC will ensure that the maintenance approach in a specified Maintenance Phase is consistent with an agreed AMP and will provide confidence that the maintenance results and updated AMP are sound and complete.

96. When requested to undertake such work, NCSC may review the Assurance Maintenance Report produced during a Maintenance Phase cycle and may assess it against the requirements detailed in the associated Security Target and AMP. NCSC may then produce feedback on the report and AMP and provide recommendations highlighting any key issues requiring the attention of the Accreditor, including updates to the AMP and/or ST. In particular, NCSC may provide advice on whether a re-evaluation should be considered by the Accreditor, based on the scale of the changes detailed in the Assurance Maintenance Report(s) and associated AMP(s)/SIA(s) since the previous evaluation or re-evaluation.

97. Such maintenance support is not part of the formal CTAS offering, but appropriate ongoing ad-hoc maintenance review and advice is available from NCSC. Please contact NCSC Enquiries for such support and for further details of maintenance approaches that are consistent with the principles and methodology of CTAS.


APPENDIX A: CTAS STAKEHOLDERS – ROLES & RESPONSIBILITIES

Introduction

1. This appendix identifies and details the stakeholders related to a CTAS evaluation and the various roles that each stakeholder can undertake.

2. The input that each stakeholder provides to an evaluation is dependent on the scope and scale of the evaluation. In many situations some stakeholders will not be involved, or will only have minimal impact.

3. Many stakeholders may be referred to by their organisation name (e.g. NCSC) when communicating with other stakeholders or organisations. This is especially true when the stakeholder is performing a business function that could be utilised for other assurance schemes.

NCSC

• CTAS Scheme Management Team
  o Responsible for ensuring that the scheme runs smoothly and that all other stakeholders have the required information/resources to complete their tasks effectively.
  o Responsible for owning the CTAS Company/NCSC relationship.

• Delivery Manager
  o Responsible for the delivery of a given CTAS evaluation.

• CTAS Assessor
  o Responsible for managing the technical aspects of a given CTAS evaluation, signing off the various key evaluation phases on behalf of NCSC and producing the final Assessment Statement on behalf of NCSC.

• NCSC Specialists
  o Responsible for organising/conducting specialist testing/evaluation by NCSC for a given CTAS evaluation.

• SRM/CAM
  o Responsible for processing initial requests for CTAS and assisting potential customers with the initial steps of application.

• Commercial & Finance
  o Responsible for ensuring that all commercial aspects of a given evaluation are completed correctly.
  o Responsible for ensuring that all financial tasks are completed correctly.

Accreditors

• Pan-Government Accreditor (PGA)
  o Responsible for accrediting the TOE for pan-government use by multiple/many HMG entities.

• MOD
  o Responsible for accrediting the TOE for use by all of MOD or specific sections/forces/projects.

• Departmental
  o Responsible for accrediting the TOE for use by a specific department/HMG area.

HMG/MOD Sponsor

• Senior Information Risk Owner (SIRO)
  o Responsible for understanding and making risk ownership decisions for a defined area, often based on the Accreditor’s recommendation.

• Contract/Project Manager
  o Responsible for the delivery of a defined TOE project, typically in addition to the IA aspects, from an HMG perspective.

• Tech Lead
  o Responsible for the technical design and requirements capture related to a given TOE and its implementation.

Integrator/Supplier/Developer

• Contract/Project Manager
  o Responsible for the delivery of a defined TOE project, typically in addition to the IA aspects, from an integrator/supplier perspective.

• Tech Lead/s
  o Responsible for the design, development and implementation of a given system/service.

• Integrator
  o Typically responsible for the integration of the TOE.

• Specialists
  o Responsible for the delivery of specialist services/actions in relation to the given TOE.

CTAS Company

• CTAS Company PoC/Mgt
  o Primary CTAS contact at the company and responsible for ensuring that the company meets its CTAS requirements.

• CTAS project PoC/Lead
  o Responsible for delivering CTAS Company requirements for a given CTAS evaluation.

• Evaluator
  o CTAS Company employees responsible for undertaking the evaluation activities specified in the EWP in accordance with CTAS Principles & Methodology.

• CHECK
  o CTAS Company employees responsible for conducting defined CHECK testing.


APPENDIX B: OVERVIEW OF CTAS EVALUATION PROCESS

[Flow diagram. The text recovered from the figure is listed below in process order, grouped by phase, stage and gate.]

Preparation Phase

• Definition Stage: Create Security Target

• Gate 1: Discuss ST at Task Start-up Meeting

Evaluation Phase

• Planning Stage: Create low level plans referenced from the EWP

• Gate 2: Agree low level plans & EWP. Note: this is a contractual agreement by NCSC having got approval from the other stakeholders.

• Activity Stage: Perform Document Review, Audit, Analysis and Test Activities on the TOE

• Gate 3: Review Progress. Note: Once all activities have been successfully completed, the Evaluators can enter the Reporting stage.

• Reporting Stage: Complete Evaluation Report & draft AMP

• Gate 4: NCSC issue CTAS Assessment Statement. Note: This is the end of the contracted CTAS evaluation phase, following review of Evaluation Report and AMP.

Maintenance Phase

• Evaluation results carried forward: Maintain the TOE; continuously update the AMP (NCSC advice can be requested).


CUSTOMER FEEDBACK FORM

NCSC welcomes feedback. Please use this form to send any technical comments to: IES Service Management Team, NCSC, A2i, Hubble Road, Cheltenham GL51 0EX. Email: [email protected]

Title of NCSC Document:

CTAS PRINCIPLES & METHODOLOGY, Version 1.2
