Re: Acceptance plan needed for configuration items that don't go into the TOE
- Subject: Re: Acceptance plan needed for configuration items that don't go into the TOE
- From: "Observation Decisions Review Board" <faigin@aero.org>
- Date: Mon, 30 Oct 2006 08:27:46 -0800
- Content-description: Mail message body
- Content-transfer-encoding: 7BIT
- Content-type: text/plain; charset=US-ASCII
- Priority: normal
On July 26th Ben Rogers wrote:
> Our team has been debating whether or not an acceptance plan is required
> for items that are not incorporated into the TOE. Does lifecycle, del
> and ops, and development doc require an acceptance plan under CC 2.3
> ACM_CAP 4.13?"
No, because they are not a part of the TOE. From the CC Part I Definitions
section:
"TOE: An IT product or system and its associated guidance
documentation that is the subject of an evaluation."
The CC Part 3 requirement is:
ACM_CAP.4.13C The acceptance plan shall describe the procedures
used to accept modified or newly created configuration items as
part of the TOE.
The CEM describes the evaluator tasks:
4:ACM_CAP.4-18 The evaluator shall examine the acceptance
procedures to determine that they describe the acceptance
criteria to be applied to newly created or modified
configuration items.
1264 An acceptance plan describes the procedures that are to be
used to ensure that the constituent parts of the TOE are of
adequate quality prior to incorporation into the TOE. The
acceptance plan should identify the acceptance procedures to be
applied:
It would be excruciatingly clear if 4:ACM_CAP.4-18 had words such as "which are
to be made part of the TOE" at the end of the sentence. Yet, it is clear from
the preceding and following paragraphs that the acceptance procedures are only
applied to the configuration items that will become part of the TOE. There can
be many configuration items that are not incorporated into the TOE yet need to
be managed.
Date Index |
Thread Index |
Problems or questions? Contact list-master@nist.gov