|Subject:||ACM on Product or TOE?|
|CC Part #1 Reference:|
|CC Part #2 Reference:|
|CC Part #3 Reference:||CC Part 3, Section 2.6.1 ACM|
The ACM requirements appear to have been written with the assumption that the TOE is an entire product. When the TOE is a subset of a product, does ACM apply to the whole product?
When the sponsor of an evaluation is not the developer, does ACM apply (1) only up to the point at which the sponsor receives the TOE or (2) through the end of the evaluation?
The ACM requirements cover the TOE and information related to the TOE. If the TOE is a subset of a product, then only that part of the product which is the TOE need be covered by the ACM requirements.
The ACM requirements require that CM be in place and in use prior to the end of the evaluation.
The following application notes are added to the “Objectives” section of CC Part 3, section 8.9 (CM capabilities (ACM_CAP)) after current paragraph 250:
In the case where the TOE is a subset of a product, the ACM requirements apply only to the TOE configuration items, not to the product as a whole. While it is desired that CM be applied from the early design stages and continue into the future, ACM requires that CM be in place and in use prior to the end of the evaluation.
Rationale
The CC evaluation is of the TOE, not a product. If the TOE is a subset of a product, there are no ACM requirements placed on IT other than the TOE.
While CM “should ensure the integrity of the TOE from the early design stages through all subsequent maintenance actions” (CC, Part 3, paragraph 249), the ACM requirements specify only that CM is in place at the time of evaluation. Furthermore, ACM does not contain any requirements related to the sponsor’s intention to apply CM in the future, after completion of evaluation.