Date: | 02/11/2002 |
Subject: | Unique identification of configuration items in the configuration list |
CC Part #1 Reference: | |
CC Part #2 Reference: | |
CC Part #3 Reference: | CC Part 3, Section 8.2 (ACM_CAP) |
CEM Reference: |
Is it required that the configuration list uniquely identify all configuration items, including version numbers as appropriate? ACM_CAP.2.6C requires that the CM system uniquely identify all configuration items, but ACM_CAP.2.4C does not explicitly require that the configuration list itself uniquely identify each configuration item, including version numbers as appropriate.
The intent of ACM_CAP.2 is that the developer provides a unique reference for each version of a TOE configuration item that is submitted, whether draft or otherwise, as evaluation evidence. The configuration list need only contain the version of each configuration item that is specific to the TOE that is being evaluated, and as such the configuration items must be uniquely identified in the configuration list. However, for earlier drafts of configuration items that had been submitted by the developer as evaluation evidence, it is necessary for the evaluator to confirm that these drafts also possess unique identifiers in a manner that is consistent with the unique identification method that is described in the CM documentation.
RationaleIn the CC, the following new assurance element is added after ACM.CAP.2.3C, ACM.CAP.3.3C, ACM.CAP.4.3C, and ACM_CAP.5.3C:
"The configuration list shall uniquely identify all configuration items that comprise the TOE."
In the CEM,
- A new action is inserted after paragraphs 659, 938 and work unit ACM_CAP.4-6, corresponding to the new element.
- The text of the current work units ACM_CAP.2-7, ACM_CAP.3-8 and ACM_CAP.4-9 (and their supporting guidance text) are moved below this new action.
- The text of the current work units ACM_CAP.2-7, ACM_CAP.3-8 and ACM_CAP.4-9 are replaced with the following:
"The evaluator shall examine the configuration items to determine that they are identified in a way that is consistent with the CM documentation."
and the following guidance text:
"Assurance that the CM system uniquely identifies all configuration items is gained by examining the identifiers for the configuration items. For both configuration items that comprise the TOE, and drafts of configuration items that are submitted by the developer as evaluation evidence, the evaluator confirms that each configuration item possesses a unique identifier in a manner consistent with the unique identification method that is described in the CM documentation."
N/A