CISSP · Question #304
The application of a security patch to a product previously validate at Common Criteria (CC) Evaluation Assurance Level (EAL) 4 would
The correct answer is B. require recertification.. Common Criteria certification is tied to a specific version of a product; any modification, including security patches, invalidates the existing certification and requires the product to undergo recertification to maintain its EAL rating.
Question
Options
- Arequire an update of the Protection Profile (PP).
- Brequire recertification.
- Cretain its current EAL rating.
- Dreduce the product to EAL 3.
How the community answered
(23 responses)- A9% (2)
- B74% (17)
- C13% (3)
- D4% (1)
Why each option
Common Criteria certification is tied to a specific version of a product; any modification, including security patches, invalidates the existing certification and requires the product to undergo recertification to maintain its EAL rating.
The Protection Profile (PP) is a document that defines security requirements for a class of products and is not product-version-specific; applying a patch to a single product does not require updating the PP.
Common Criteria evaluations are performed against a specific, fixed version of a product (known as the Target of Evaluation or TOE). When a security patch is applied, the TOE changes, meaning the evaluated configuration no longer matches the certified configuration. To regain an official EAL rating, the modified product must go through the CC evaluation and certification process again.
The product cannot simply retain its current EAL rating after modification because the certification was granted to a specific, evaluated version of the product, and any change to that version invalidates the certification.
EAL ratings are not automatically downgraded to a lower level upon modification; rather, the entire certification is invalidated and the product loses its EAL status until recertification is completed.
Concept tested: Common Criteria EAL certification and patch recertification requirements
Source: https://www.commoncriteriaportal.org/cc/
Topics
Community Discussion
No community discussion yet for this question.