Rating Maintenance Phase Program Document Version 2


NATIONAL
COMPUTER SECURITY CENTER
9800 Savage Road
Fort George G. Meade
Maryland 20755-6000

1 March 1995

NCSC-TG-013-95
Library No. S-242,047

FOREWORD

This publication, the Rating Maintenance Phase Program Document
Version 2, is being issued by the National Computer Security Center
(NCSC) under the authority of, and in accordance with, DOD Directive
5215.1, "Computer Security Evaluation Center." The purpose of this
document is to describe the process and requirements in the Rating
Maintenance Phase (RAMP) of the Trusted Product Evaluation Program
(TPEP).

/s/

John C. Davis 1 March 1995
National Computer Security Center


FINAL: 1 March 1995

ACKNOWLEDGMENTS


AUTHORS


Timothy J. Bergendahl
Ronald J. Bottomly
Roberta J. Medlock
W. Olin Sibert
Dana Nell Stigdon

Significant contributions to this document were made by all
individuals who assisted in rewriting the original Rating Maintenance
Phase (RAMP) Requirements, including Diann A. Carpenter, Steve
LaFountain, Robin Oliver, Caralyn Wichers, and members of the vendor
community. Acknowledgment is also given to the authors of the first
version of the Rating Maintenance Phase Program Document, NCSC-TG-013,
dated 23 June 1989.




TABLE OF CONTENTS

FOREWORD

ACKNOWLEDGMENTS

1 Introduction
1.1 Evaluation Overview
1.2 The Reason for RAMP
1.3 RAMP Overview
1.4 Goals and Approach
1.5 Applicability of RAMP
1.6 Scope of RAMP
1.6.1 Product Changes
1.6.2 Rating Changes
1.7 Document Organization

2 Overview of the RAMP Process
2.1 Maintaining Assurances
2.1.1 Role of the Vendor Security Analyst
2.1.2 Role of the Technical Point of Contact
2.1.3 RAMP Audits
2.1.4 Changes in Requirements
2.2 Evaluation Process Activities
2.3 Integration with Vendor Process
2.4 C2-B1 Requirements Versus B2-A1
2.4.1 Future Change Review
2.4.2 Analysis Support
2.4.3 Penetration Testing
2.5 RAMP Status Changes
2.6 Products Not Covered by RAMP

3 RAMP Requirements
3.1 Definitions
3.2 C2-B1 Requirements
3.3 B2-A1 Requirements

4 TPOC Requirements
4.1 TPOC Requirements
4.2 TPOC Guidance
4.2.1 TPOC Technical Guidance to the Vendor
4.2.2 TPOC Representation of the Vendor's Position
4.2.3 TPOC Recommendation About Revised RM-Plan Approval
4.2.4 The TPOC and RAMP TRB Materials

5 The Technical Review Board
5.1 The TRB Review Process
5.2 Scheduling
5.2.1 Scheduling a TRB Date
5.2.2 Cancelling a TRB Date
5.2.3 TRB Panel Scheduling
5.3 TRB Membership
5.4 TRB Attendance

6 The Future Change Review Board
6.1 Purpose
6.2 FCRB Agenda
6.3 FCRB Membership
6.4 FCRB Review Process
6.5 Scheduling
6.6 FCRB Attendance

7 The VSA Class
7.1 Registration
7.2 Non-Resident Component
7.3 Resident Component

A Sample RM-Plan Outline
A.1 Cover Page
A.2 Roman Numeral Pages
A.3 Introduction
A.4 Procedure for Complying with Applicable Interpretations
A.5 Configuration Items and Rationale
A.6 Security Analysis
A.7 Format of the RAMP Evidence
A.8 Procedures for VSA-Performed RAMP Audits
A.9 RM-Plan Maintenance
A.10 System Failures During RAMP
A.11 Other Sections
A.12 Appendix A - RAMP Requirements
A.13 Appendix B - RAMP Requirements Mapping
A.14 Appendix C, etc.

B Sample RMR Outline
B.1 Cover Letter
B.2 Introduction
B.3 Criteria Interpretations
B.4 Product Changes and Evidence of System Trust
B.5 Appendix A - Non-Security-Relevant Changes
B.6 Appendix B - "Minor" Security-Relevant Changes
B.7 Appendix C, etc.

C RAMP Audit
C.1 RAMP Audits in General
C.2 A "Suitable Representative Sample"
C.3 VSA-Conducted RAMP Audits
C.4 NSA-Conducted RAMP Audits

D Sample QSR Outline

E Sample TPOC Report
E.1 Introduction
E.2 Assessment of the RMR
E.3 Assessment of Proposed RM-Plan Changes
E.4 Assessment of FER
E.5 Summary of RAMP Audit
E.6 Testing
E.7 FCRB-Recommended Activities

F Acronyms


Chapter 1

Introduction

On 23 June 1989, the first version of the Rating Maintenance Phase
Program Document, NCSC-TG-013, was published. The 1989 document
contained Rating Maintenance Phase (RAMP) Requirements for systems
evaluated at the C2 or B1 levels of trust within the Trusted Product
Evaluation Program (TPEP), a program of the National Security Agency
(NSA). Since then, RAMP has evolved, with new RAMP Requirements
announced by NSA in 1991 for systems evaluated at the C2 or B1 levels
of trust.(1) In addition, RAMP Requirements for systems evaluated at the
B2, B3, or A1 levels of trust were announced by NSA in 1992.(2)

This document, the Rating Maintenance Phase Program Document Version
2, describes the requirements for the Rating Maintenance Phase of the
TPEP, includes the requirements of all parties involved in RAMP,
and provides guidance regarding RAMP deliverables.


1.1 Evaluation Overview


The Department of Defense Computer Security Center was established in
January, 1981, to encourage the widespread availability of trusted
computer systems for use by facilities processing classified or other
sensitive information. In August, 1985, the name of the organization
was changed to the National Computer Security Center (NCSC). In order
to assist in assessing the degree of trust one could place in a given
computer system, the Department of Defense Trusted Computer System
Evaluation Criteria (TCSEC), DOD 5200.28-STD, dated December, 1985,
was published.

The TCSEC establishes specific requirements that a computer system
must meet in order to achieve a predefined level of
trustworthiness. The TCSEC levels are arranged hierarchically into
four major divisions of protection, each with certain
security-relevant characteristics. These divisions are in turn
subdivided into classes. To determine the division and class at which
all requirements are met by a system, the system must be evaluated
against the TCSEC or its interpretations, the National Computer
Security Center Trusted Network Interpretation (TNI), NCSC-TG-005,
dated July, 1987, or the National Computer Security Center Trusted
Database Management System Interpretation (TDI), NCSC-TG-021, dated
April, 1991. This evaluation is performed for the NCSC by an
evaluation team sponsored by the NSA.

A successful product evaluation results in the production of a Final
Evaluation Report (FER) and an Evaluated Products List (EPL)
entry. The FER is a summary of the evaluation and includes the EPL
rating that indicates the class at which the product satisfies all
TCSEC requirements in terms of both features and assurances. The FER
and EPL entry are made public.


(1) These requirements are contained within Dockmaster's announce
forum transaction 233, dated 12/19/91.
(2) These requirements are contained within Dockmaster's announce
forum transaction 268, dated 09/30/92.



1.2 The Reason for RAMP


Once a vendor releases a new version of a product that has received an
EPL rating, the new version is not an evaluated product. Because of
the frequency of new releases and the limited evaluation resources,
continual reevaluation of a vendor product is both impractical and
impossible. In order to meet the goal of having commercially available
trusted products, an efficient and substitute process for reevaluation
is necessary. RAMP was established to provide a mechanism to extend
the previous rating to a new version of a previously evaluated
computer system product.

RAMP seeks to reduce evaluation time and effort required to maintain a
rating by using the personnel involved in the maintenance of the
product to manage the change process and perform Security Analysis.
Thus, the burden of proof for RAMP efforts lies with those responsible
for system maintenance (i.e., the vendor) instead of with an
evaluation team.

1.3 RAMP Overview


During RAMP, all changes to the vendor system must be managed by the
vendor. For each RAMP Cycle, the vendor must be able to identify all
changes to the system and perform Security Analysis of those changes.
The procedures the vendor follows to manage changes to the system are
described in the Rating Maintenance Plan (RM-Plan). This document is
written by the vendor and is approved by the NSA during the original
evaluation. The RM-Plan describes how the vendor will meet the RAMP
Requirements as well as describing the system to which the plan
applies.

During the original evaluation, the vendor also identifies the VSAs(3)
who will be responsible for the security of the system. These
personnel will attend the NSA VSA Class that serves to describe basic
security fundamentals and to explain the procedures of RAMP.

Once the evaluation has been completed, the vendor's Responsible
Corporate Officer (RCO) is tasked with ensuring that the procedures
outlined in the RM-Plan are being followed. The VSAs are responsible
for reviewing the Security Analysis of all changes that have been made
to the system, and for determining that the security features and
assurances of the system are upheld. VSAs may consult a Technical
Point of Contact (TPOC) for assistance with any technical questions
regarding the application of the TCSEC requirements.

RAMP Evidence will be recorded for every change, detailing the
Security Analysis of the change. This information is used when a RAMP
Audit is performed by either the NSA or the vendor, and is used as the
basis for a Rating Maintenance Report (RMR). An RMR is a document that
is submitted to the NSA for every system release that is to be
evaluated. It summarizes all changes that have been made since the
last evaluated release of the system, and describes why the security
features and assurances of the system are upheld. The RMR is input to
the Technical Review Board (TRB).

The VSA (Security Analysis Team (SA-Team)(4) at B2 and above) must
present the contents of the RMR to the TRB before a new EPL rating can
be awarded. The TRB serves both as a technical check and as a
consistency check with all other evaluations. Upon the recommendation
of the TRB, TPEP Management will make a decision whether or not to
extend the rating to the new product version.

(3) Although the plural form of VSA is frequently used within this
document, this should not be taken as an indication that there must
always be more than one person in the VSA role.
(4) SA-Team is defined within the Definitions section of Chapter 3
of this program document.


1.4 Goals and Approach


The goal of RAMP is to keep the EPL populated with currently available
trusted products. As previously mentioned, the vendor bears primary
responsibility in RAMP for maintaining product trust as the system
evolves. The vendor accomplishes this by integrating Security Analysis
into the development process.

The NSA recognizes that the expertise for product maintenance lies
with the vendor. Therefore, the RAMP Requirements do not seek to
dictate development procedures, but rather seek to be as flexible as
possible to allow the vendor's current processes to be used with
little enhancement.

Rating maintenance is accomplished by using qualified vendor personnel
(VSAs) to oversee the vendor's product modification process. These
vendor personnel must have strong technical knowledge of computer
security and of their computer product. They will oversee the
development/maintenance cycle of the previously rated product, and
will demonstrate to the NSA that any modifications to the product
preserve the security features and assurances required by the TCSEC
for the rating previously awarded to the evaluated product. The work
of the Vendor Security Analyst (VSA) is meant to be at the same level
of detail as the work performed by TPEP evaluators during the original
evaluation.


1.5 Applicability of RAMP


RAMP applies to products that have been evaluated against the TCSEC,
the National Computer Security Center Trusted Network Interpretation
(TNI), NCSC-TG-005, dated July, 1987, or the National Computer
Security Center Trusted Database Management System Interpretation
(TDI), NCSC-TG-021, dated April, 1991. However, the Rating Maintenance
Phase always builds upon a product evaluation; it provides no
opportunity to avoid an evaluation.

RAMP applies at all levels of the criteria, from C2 through A1. RAMP
differs slightly between B1 and below and B2 and above; these
differences are highlighted throughout this program document.


1.6 Scope of RAMP


The scope of RAMP activities is limited to those changes that are
feasible to evaluate in the context of the RAMP process, which expects
re-use of previous evaluation evidence and a corresponding reduction
in evaluation effort. There are two factors that limit the
applicability of RAMP: changes to the product and changes to the
rating. In addition, change in ownership of the product or the vendor
company may change a product's eligibility for future RAMP activities.



1.6.1 Product Changes


RAMP applies to the same vendor that originally received the
rating. If a vendor sells an evaluated product to a new vendor, the
new vendor must submit a proposal for evaluation. The new vendor
cannot simply attempt to RAMP any changes made to the system. Once
this new vendor has gone through an evaluation, that vendor is
eligible to participate in RAMP. This restriction is necessary due to
the underlying assumptions of RAMP. RAMP assumes that the vendor has
gone through an evaluation and thus, by experience, understands the
evaluation process and the types of technical questions that should be
asked when performing Security Analysis. Additionally, after
performing an evaluation, the NSA is confident that the vendor does
indeed understand the system and will be able to maintain it as
outlined in the RM-Plan. The NSA has no way of assessing the vendor's
understanding and development procedures short of an evaluation.

The types of changes that may be performed under RAMP have not been
quantified. An objective measurement of "too much" change has not
been established. This will vary depending on the type of system and
the level of trust. At the lower levels of trust (B1 and below), the
vendor may consult with the TRB during a Final or RAMP TRB meeting
regarding future changes to be made.(5) At B2 and above(6) a Future Change
Review Board (FCRB) is convened at the beginning of a RAMP Cycle. The
FCRB helps to determine if the proposed changes are appropriate under
RAMP. If the changes are deemed appropriate, the FCRB also helps to
determine the level of analysis and testing required.

The NSA reserves the right to terminate a RAMP action at any time if
the technical changes have been so vast that NSA believes the system
warrants a new evaluation.

Systems maintaining ratings under RAMP must also realize that RAMP is
not intended to promulgate mistakes or bad decisions. If a mistake was
made during the original evaluation and is uncovered during a RAMP
Cycle by the vendor or by someone else, the vendor is required to
correct the mistake and make sure the system meets the security
requirements. Likewise, the vendor must make sure the system meets any
new interpretations that have been issued.

1.6.2 Rating Changes


In general, the RAMP process does not allow for changing the EPL
rating received in a previous evaluation, for example changing a
rating either up or down, adding or deleting "extra credit" features,
or changing the set of functions (M, I, A, D) performed by a network
component.

However, some changes of this sort may be sufficiently straightforward
to evaluate that the RAMP process is applicable. For such changes,
TPEP Management will make a case-by-case decision, based on a vendor's
proposal, about whether a change is feasible to evaluate under
RAMP. For such rating changes, the standard RAMP process described by
this document will be followed.

Examples of rating changes that could be evaluated under RAMP might
include addition of Device Labels extra credit for a product
previously evaluated at B1; addition of a C2-only configuration of a
product previously evaluated at B1; deletion of Trusted Path extra
credit for a product previously evaluated at B1; creation of an
M-component version of a network component previously evaluated as an
MDIA-component; or a change in rating from A1 to B3 because formal
specifications are no longer maintained.

(5) The vendor would seek guidance from the TRB as to whether the
future changes would be appropriate under RAMP.
(6) On a case-by-case basis, an FCRB may be held for B1 and below
when there is an issue regarding the level of NSA involvement
necessary for analysis of proposed changes.




1.7 Document Organization

This document consists of seven chapters and six appendixes. The first
chapter is this Introduction. Chapter two provides an overview of the
RAMP process; chapter three contains the RAMP Requirements for
products under the TPEP; chapters four through six identify and
discuss the requirements of all parties involved in RAMP; and chapter
seven contains a discussion of the VSA Class. The appendixes provide
guidance about writing an RM-Plan; writing an RMR; and RAMP
Audits. Sample outlines for the Quarterly Status Report (QSR) and for
the TPOC Report are also found within the appendixes, as is a list of
acronyms.

Because RAMP continues to evolve, this program document would not be
complete without the addition of an electronic chapter. As updates are
made to this document they will be posted to the announce forum, a
bulletin board on the Dockmaster computer system (or its successor)
that is publicly available. These announcements, once posted, are to
be considered part of this program document. One is not complete
without the other. Periodically, this document will be updated to
incorporate the posted changes. In this manner, the current state of
the Rating Maintenance Phase will be continually documented.



Chapter 2

Overview of the RAMP Process

The Rating Maintenance Phase (RAMP) Requirements are intended to meet
two principal goals: maintaining the assurances that derived from the
product's original evaluation, and being feasible to meet within the
commercial development framework in which the product was
created. Furthermore, to be successful, RAMP must be able to achieve
these goals at reasonable cost both to the National Security Agency
(NSA) and the vendor. This rationale discusses how those goals are
met, concentrating in particular on the distinctions between
evaluation classes.

2.1 Maintaining Assurances

The principal focus of RAMP is maintaining assurance that the
Applicable Requirements are met by the product as the product
evolves. This is done by requiring the vendor to follow an analysis
and change management process in product development and maintenance,
such that the results of the process can be reviewed by NSA. All
changes are reviewed for security-relevance by trained Vendor Security
Analysts (VSAs); this is central to the success of the change analysis
and management.

2.1.1 Role of the Vendor Security Analyst

In effect, the VSA is NSA's representative within the vendor's
organization. A VSA has received RAMP training from the NSA, and is
expected to understand both the product (or specific aspects of the
product, if there are multiple VSAs) and the security requirements - and
be able to assess changes with respect to both. The vendor is
responsible for maintaining trained VSAs during each RAMP Cycle to
ensure that the necessary product expertise is available for the
analysis.

In order to be effective in this role, a VSA must have approval
authority with respect to changes, and must be able to represent the
vendor's organization to the NSA. Thus, a VSA must have a considerable
degree of administrative authority as well as technical skills. The
VSA's role is essential to the Rating Maintenance Phase, since the VSA
has primary responsibility for maintaining the product's assurances. A
VSA is responsible for reviewing the Security Analysis of every change
to the evaluated system. In essence, the VSAs perform the same work as
an evaluation team would, including analysis, approval, reporting, and
presentation to the NSA Technical Review Board (TRB).

2.1.2 Role of the Technical Point of Contact

The Technical Point of Contact (TPOC) is an NSA evaluator (or possibly
several evaluators, depending on the product). The TPOC's
responsibility is to maintain contact between the vendor and NSA; to
keep the vendor apprised of relevant evaluation issues; and to ensure that
the vendor has a point of contact for technical questions and
discussions.

The TPOC's role is to assist the vendor by providing any information
necessary to ensure that the vendor's activities are properly
directed. This avoids effort wasted in pursuing unsatisfactory
approaches because proper and timely guidance was
unavailable. Although the vendor is expected to do most of the work in
RAMP, continuous involvement by both parties is critical to making the
process successful.

The TPOC must be able to represent the vendor's point-of-view in
discussions within the evaluation community. This role can be
fulfilled only by an NSA representative because it involves,
potentially, access to proprietary information about other product
evaluations.


2.1.3 RAMP Audits

Although RAMP is based on trust in the vendor's development process,
it would be imprudent to rely on this with no means for
validation. Consequently, RAMP Audits are included in this phase. A
RAMP Audit is expected to verify that the vendor's NSA-approved RAMP
process has been followed for the changes implemented during that RAMP
Cycle and that the VSA's security analyses are correct.

If there is evidence of process failures (such as significant
discrepancies between planned changes and actual implementation, or
incomplete or incorrect Security Analysis), aperiodic RAMP Audits may
be performed at NSA's discretion.


2.1.4 Changes in Requirements

During RAMP, several things may occur that result in requirements
applying differently to the new version of a product than occurred in
the original evaluation. First, NSA periodically issues
interpretations of the Applicable Requirements and these
interpretations may have the effect that some aspect of an already-
evaluated product is no longer acceptable. Second, a new product
feature (e.g., a new class of objects) may need a new interpretation
of Applicable Requirements. Third, a new flaw in some area of the
product otherwise unaffected by the changes may be discovered during
testing or Security Analysis. Finally, it may be determined in the
course of Security Analysis that the original evaluation team, through
omission or oversight, incorrectly interpreted some Applicable
Requirement.

Rules for handling these situations are deliberately not included in
the current RAMP Requirements. In two cases (novel product features
and flaws discovered in penetration testing), the Applicable
Requirements apply as stated: the new features must conform to the
requirements, and appropriate remedial actions must be taken for
flaws. In the cases where there is a new interpretation or an error of
interpretation, more flexibility is allowed: the results must be
incorporated into the product within a reasonable period of time, but
it would be inappropriate to hold up a RAMP action whose sole purpose
is to fix a critical security flaw in an existing system simply
because the system no longer meets a recently-issued interpretation of
a particular Applicable Requirement. In these cases, Trusted Product
Evaluation Program (TPEP) Management is responsible for reaching an
agreement with the vendor that results in a fully-compliant product in
a reasonable time without placing an undue burden on the vendor.




2.2 Evaluation Process Activities

During the original evaluation of a product, the product's Rating
Maintenance Plan (RM-Plan) must be evaluated and approved by the
evaluation team. This approval is reviewed by the Technical Review
Board (TRB) during the evaluation, and is reflected in the Evaluated
Products List (EPL) entry. The RM-Plan must be described in the
Initial Product Assessment Report (IPAR), and presented to the IPAR
TRB. Approval of the RM-Plan takes place through the same process
(i.e., evaluation) as approval of other evaluation requirements; there
is no separate approval step.

Prior to the Final TRB for a product, the evaluation team must conduct
a RAMP Audit, and present the results of the audit to the Final
TRB. The RAMP Audit must show that the product is being maintained in
accordance with the RM-Plan.

The IPAR and Final Evaluation Report (FER) must include a section
describing how the product satisfies the RAMP Requirements. This
section lists the RAMP Requirements (from Chapter 3 of this document)
and describes how each requirement is satisfied.

2.3 Integration with Vendor Process

The intent of the RAMP Requirements is that they be easily integrated
with the vendor's existing development process. This is accomplished
by stating the requirements at a very high level and allowing them to
be interpreted in a cost-effective manner for each vendor. Aside from
process details necessitated by the Applicable Requirements
themselves, the RAMP Requirements are detailed in the areas of
reporting and review with NSA.

These RAMP Requirements ensure that the vendor's effort in analysis,
and the level of detail at which the analysis is performed, is
commensurate with the effort and scope of the original evaluation. It
does not make sense to require greater depth of analysis for product
changes than for evaluation, since the goal of RAMP is to be more
cost-effective than full-scale evaluation.

2.4 C2-B1 Requirements Versus B2-A1

In order to capitalize on the vendor's expertise with the product,
most of the burden for analysis is placed in the vendor's hands,
especially at the C2 and B1 evaluation classes. This is done in
recognition that the most difficult parts of evaluation involve coming
to a mutual understanding, between NSA and the vendor, of what the
Applicable Requirements - both features and assurances - mean with
respect to a specific product. Once that has been accomplished, it is
generally straightforward to maintain that understanding through
future development, even in the face of significant
changes. Consequently, for C2-B1 products, the change analysis is
entirely the responsibility of the vendor, and NSA serves only in an
advisory, review, and audit role.

However, products in the B2, B3, and A1 evaluation classes are
expected to exhibit far stronger assurances than C2-B1 products, and
consequently are employed in environments where security is much more
critical than C2-B1 products. Although the vendor can do most of the
work in maintaining the rating, the greater assurance and greater
sensitivity of information processed by systems of these classes
mandates additional effort in evaluation of changes. The additional
effort takes three
forms: the advance analysis of proposed changes by the Future Change
Review Board (FCRB); possible direct support of the analysis effort by
NSA personnel; and NSA support for penetration testing.

In some cases, changes to a C2 or B1 product may warrant an FCRB. This
would occur where proposed product changes are sufficiently complex to
require an in-depth analysis beforehand. Requests for FCRBs for C2 and
B1 products will be considered on a case-by-case basis by TPEP
Management.


2.4.1 Future Change Review

The role of the FCRB is to assess the likelihood that planned changes
will result in unexpected security consequences and to recommend the
nature and scope of evaluation effort appropriate to assess those
changes. This largely informal proceeding allows the vendor to
benefit from the knowledge of experienced evaluators, and also
provides NSA opportunity to devote specific resources to assist the
vendor in making the changes.

In the previous version of the Rating Maintenance Phase Program
Document,(1) NCSC-TG-013, dated 23 June 1989, future change review was a
much more structured and formal process, and was required. Future
change review is no longer required at the B1 and C2 classes because
it requires a degree of planning and commitment that is not
appropriate in commercial product development (and a corresponding
reduction of flexibility for the vendor), and also because standard
commercial development practices are considered sufficient to maintain
the assurances of those evaluation classes. In addition, this version
of the RAMP Requirements eliminates the fixed categories for FCRB
recommendations, instead allowing them to be tailored to each
situation.


2.4.2 Analysis Support

Depending upon the changes involved, the FCRB may recommend that the
SA-Team be augmented with additional NSA evaluators. This
recommendation would arise in instances where the FCRB believes the
TPOC may require assistance for tasks requiring independence from the
developers, yet too arduous for the TPOC to perform alone in a timely
fashion. For example, the code study involved in assessing the
system's architecture (e.g., for modularity) necessitates that the
review be as objective as possible. Because VSAs are typically
developers, this need for objectivity may require a greater need for
independence between the vendor and NSA.


2.4.3 Penetration Testing

At the B2 class and above, there are strict requirements for
penetration testing, which by its very nature is an adversarial
process. Furthermore, the penetration testing in the original
evaluation is based solely on work performed by the evaluation team,
as opposed to the team's review of work performed by the vendor.

Although some very simple changes can be reviewed without any need for
penetration testing, most will require such testing to help rule out
side-effects. For example, penetration testing may include validation
of the vendor's covert channel analysis, which is usually affected by
performance enhancements in the underlying hardware - a very common
reason for RAMP activity.

(1) Only B1 and C2 products were addressed within this document.




2.5 RAMP Status Changes

In the event of a significant change in a product's RAMP status, NSA
will publish an announcement describing the change. Changes warranting
such an announcement include a vendor's voluntary withdrawal from the
RAMP process; termination of RAMP activities from failure to meet RAMP
requirements; change in ownership of the product or vendor; and
product changes that result in reevaluation because they cannot be
accommodated by RAMP.


2.6 Products Not Covered by RAMP


RAMP Requirements are not defined for the C1 evaluation class because
NSA no longer performs C1 evaluations. The minimal value of such
products in protecting sensitive information and the limited customer
demand do not justify either evaluations or RAMP. In addition, RAMP
Requirements are not defined for subsystem evaluations (performed
under the Computer Security Subsystem Interpretation (CSSI),
NCSC-TG-009, dated 16 September 1988), since the limited assurance
provided by such products does not justify their incorporation into
the RAMP Program.


Chapter 3
RAMP Requirements

Before stating the Rating Maintenance Phase (RAMP) Requirements, terms
are defined that are used within the requirements. These definitions
are to be considered part of the requirements (i.e., whenever one of
the defined terms is used, it refers to the definition of that
term). Not all of these definitions are applicable to both the C2-B1
requirements and the B2-A1 requirements. Details that differ between
the two sets of requirements are spelled out in the requirements
themselves.

In these requirements, references are made to the National Security
Agency (NSA) as an authority for approvals, appointments, etc. This
refers specifically to the Chief of the Trusted Product and Network
Security Evaluations Division or a designee.

In these requirements, references are also made to designated
personnel: the Vendor Security Analysts (VSAs) and the Technical
Points of Contact (TPOCs). Depending on the product, there may be only
one of each, or there may be several. In the case that there are
several, they are jointly responsible for their activities. Although
the plural form is always used, this should not be taken as an
indication that there must always be more than one person in the role.

3.1 Definitions

The following definitions apply to the requirements specified within
Sections 3.2 and 3.3.


APPLICABLE REQUIREMENTS: The requirements under which the product is
to be evaluated, including the Trusted Computer System Evaluation
Criteria (TCSEC), Trusted Network Interpretation (TNI), or Trusted
Database Management System Interpretation (TDI), and all approved
interpretations that apply to the product. An interpretation applies
to the product if and only if it refers to a feature or assurance that
is present in the product and the interpretation was approved either
prior to the most recent Evaluated Products List (EPL) date of the
product or more than one calendar year prior to the submission of a
Rating Maintenance Report (RMR) for the product version being
considered.

CONFIGURATION ITEM (CI): Any item that may be changed under RAMP and
is required by the RAMP Requirements for the target evaluation class
to be defined as a Configuration Item (CI). The granularity of a CI
shall be sufficient to support the Security Analysis of future
changes.

CONFIGURATION MANAGEMENT PLAN (CM-PLAN): The vendor document that
describes how the TCSEC Configuration Management requirement is met
(for levels B2 and above).


FUTURE CHANGE REVIEW BOARD (FCRB): The panel who reviews future
evaluated product changes and makes a recommendation to the NSA on the
composition of the Security Analysis Team (SA-Team). The FCRB consists
of Technical Review Board (TRB) members and other personnel as
appointed by the NSA. The FCRB recommends to Trusted Product
Evaluation Program (TPEP) Management the nature and extent of the
analysis to be performed by the Security Analysis Team (SA-Team), the
composition of the SA-Team, the schedule, and the nature of SA-Team's
presentation to
the RAMP TRB. These recommendations are based on the FCRB's analysis
of the scope and complexity of the proposed changes and the degree to
which the changes will affect security-relevant aspects of the
product.

QUARTERLY STATUS REPORT (QSR): An informal status report to be
delivered by the fifth working day of January, April, July, and
October describing the vendor's current status and activities with
respect to the RAMP program. Failure to deliver two successive QSRs is
considered grounds for termination of the product's participation in
RAMP.

RAMP AUDIT: A review of the RAMP Evidence, based on a suitable
representative sample, to ensure that only approved changes are
implemented, that all CIs are updated consistently, and that Security
Analysis is performed satisfactorily. In addition to the required RAMP
Audits performed by the VSAs, aperiodic RAMP Audits may be performed
by a Security Analysis Team (for B2 and above) or the TPOC.

RAMP CYCLE: The period of time between the dates of two consecutive
EPL entries for the product.

RAMP EVIDENCE: The record of Security Analysis. It serves to establish
accountability for each change and to provide justification for the
inclusion of each of those changes.

RAMP PRODUCT: The complete set of CIs comprising the current RAMP
action. The original evaluated product is the starting point for the
first RAMP Product.

RATING MAINTENANCE PHASE (RAMP): The phase of the Trusted Product
Evaluation Program (TPEP) that follows the Evaluation Phase. RAMP
consists of a series of rating maintenance actions (RAMP Cycles) that
assess the compliance with Applicable Requirements of updated versions
of the product and allow those versions to be listed on the
EPL. During RAMP, the vendor performs the majority of the work to
determine that changes to the product maintain the previously attained
rating.

RATING MAINTENANCE PLAN (RM-Plan): The vendor document that describes
the mechanisms, procedures, and tools used to meet the RAMP
Requirements. The procedures in the RM-Plan are followed throughout
the Rating Maintenance Phase. The RM-Plan is proposed by the vendor
and approved as part of the evaluation process. The RM-Plan may change
during the course of RAMP for a product, particularly in the
identification of designated personnel and identification of CIs.

RATING MAINTENANCE REPORT (RMR): Summary of RAMP Evidence that is
submitted to the TRB.

RESPONSIBLE CORPORATE OFFICER (RCO): A person empowered financially
and legally to commit resources in support of RAMP and support the
technical role of the VSAs, including denial of Trusted Computing Base
(TCB) changes.

SECURITY ANALYSIS: Security Analysis is an examination of the TCB to
determine whether a proposed change, or set of changes, upholds the
security features and assurances of the original evaluated product and
any subsequent releases of the product that have been previously
maintained under RAMP, in compliance with the Applicable Requirements.



SECURITY ANALYSIS TEAM (SA-Team): The individual or individuals
(e.g., VSAs, TPOCs, additional evaluators) responsible for
performing the Security Analysis and presentation and defense of the
RAMP Evidence before the TRB.

TECHNICAL POINT OF CONTACT (TPOC): An evaluator, assigned by the NSA,
who serves as the primary technical interface between the vendor and
the NSA, and is assigned on the basis of familiarity with the product
and its evaluation. A product may have multiple TPOCs, and the set of
TPOCs assigned to a product may vary depending on the nature of the
RAMP activity being performed.

TECHNICAL REVIEW BOARD (TRB): An advisory panel to the NSA. The TRB
provides a source of senior technical review of the technical
findings, conclusions, and recommendations of individual evaluation
teams. The TRB serves as a check point for the quality, uniformity,
and consistency of evaluations.

UPDATED FINAL EVALUATION REPORT: An updated version of the Final
Evaluation Report (FER) that describes, at the level of detail of the
original FER, the evaluated product together with the changes
incorporated during the RAMP Cycle. The updated FER must be maintained
in the same form as the original FER produced by the evaluation team,
and must include change bars identifying the sections modified by the
updates. The updated FER is the joint responsibility of the NSA and
the vendor and may not be distributed externally without approval of
both parties.

VENDOR BUSINESS POINT OF CONTACT (VBPOC): The person identified to act
on behalf of the RCO in support of RAMP.

VENDOR SECURITY ANALYST (VSA): The vendor personnel responsible for
execution of all technical tasks in RAMP.


3.2 C2-B1 Requirements


CONFIGURATION ITEM: Configuration items shall be identified by the
vendor in an NSA-approved RM-Plan and shall encompass:


1. The components or subsystems, including software source and
object code, that comprise the Trusted Computing Base (TCB).

2. Any hardware and/or software features that are used to
periodically validate the correct operation of the TCB in
satisfaction of the System Integrity requirement.

3. The informal or formal model of the security policy (at the B1
evaluation class).

4. The Security Features User's Guide (SFUG).

5. The Trusted Facility Manual (TFM).

6. The test plan, the test procedures that show how the security
mechanisms were tested, and the expected results of the security
mechanisms' functional testing, and related test documentation.

7. The design documentation.

8. The RM-Plan.


RAMP EVIDENCE: For each change, RAMP Evidence shall include the
following:


1. A description of the change.

2. The issues and conclusions of the Security Analysis.

3. Identification of the CIs affected.

4. The status of the changes to the CIs (e.g., being implemented,
or completed).


RATING MAINTENANCE PLAN (RM-Plan): The RM-Plan shall include the
following:


1. Identification of the VSA(s) and the RCO, including their
corporate position.

2. The division of technical responsibilities among VSAs (if more than one).

3. The original date of approval of the RM-Plan and the dates of
all approved changes.

4. The policies and procedures for Security Analysis.

5. The procedures for complying with applicable interpretations.

6. The policy for using emergency procedures for correcting errors
and for incorporating these corrections in subsequent scheduled
product releases.

7. A convincing argument to show that the described mechanisms,
procedures, and tools are sufficient to address all changes to
the product, including new features, bug fixes, and changes to
satisfy Applicable Requirements.

8. The procedures for a VSA-performed RAMP Audit.

9. The procedures for RM-Plan maintenance.

10. A list of all CIs.

11. The rationale for the chosen granularity of CIs.

12. A description of the format of the RAMP Evidence.

13. All updates necessary to reflect corrective measures taken
after a RAMP process failure (e.g., failure to follow, or error
in following, the RM-Plan), if one has occurred.


RATING MAINTENANCE REPORT (RMR): Each RMR shall include the following:


1. A summary identifying each change that has been made since the
previous evaluated release of the RAMP Product.

2. A description of all security-relevant changes and the Security
Analysis of those changes.

3. A description of how the RAMP Product meets the Applicable Requirements.

4. Identification of all tools used for generating CIs.

5. The internal procedures used for restoring the RAMP process if
the RAMP Cycle covered by the RMR included a process
failure. The description of the internal procedures must
include:

. The nature of the failure;

. The Security Analysis conducted to establish corrective
measures and verify product trust;

. Establishment of the missing trail of evidence linking the
evaluated product to the RAMP Product.

6. Results of the VSA-conducted RAMP Audit.

RESPONSIBLE CORPORATE OFFICER: The Responsible Corporate Officer, or
if the RCO has designated a VBPOC to act on behalf of the RCO, the
VBPOC, shall:


1. Always be identified while the vendor is participating in RAMP
and shall be responsible for the overall management of the
vendor's RAMP effort.

2. Identify at least one VSA at all times while rating maintenance
actions are underway.

3. Be responsible for submitting a proposed RM-Plan during the
initial evaluation and shall obtain approval of the RM-Plan
before entering the Formal Evaluation Phase.

4. Ensure that all subsequent changes to the RM-Plan, to reflect
all changes made in the vendor's implementation of the ratings
maintenance process, are submitted to the NSA for approval.

5. Sign the cover letter of the proposed RM-Plan.

6. Sign the cover letter of the RMR.

7. Ensure that any requested RAMP Audit is conducted promptly
following the request.

8. Be responsible for submitting, as directed by the TPOC, copies
of the following materials at least four weeks in advance of the
scheduled RAMP TRB:

. The RMR;

. The NSA-approved RM-Plan;

. The Updated Final Evaluation Report (FER);

. The proposed product description for the EPL.

SECURITY ANALYSIS: Security Analysis shall include the following:


1. Examining changes to the RAMP Product for security relevance,
including analyzing the effects on the TCB.

2. Reviewing the design of approved changes.

3. Ensuring that the RAMP Product is adequately tested, including
ensuring adequate test coverage through modification of the
tests as necessary.

4. Ensuring that all documentation needed to show compliance with
the Applicable Requirements, including design and user
documentation, is updated consistently to reflect all changes to
the TCB.

A change shall be considered to affect the TCB if it alters code or
documentation within the identified TCB boundary, changes the TCB
boundary, augments the TCB, or indirectly affects the function of TCB
elements.

A change shall be considered security-relevant if it directly affects
any mechanism implementing identified security policies (e.g.,
discretionary access control (DAC), object reuse, TCB isolation) or if
it directly affects the maintenance of security data.

Security Analysis shall encompass cumulative effects involving all CI
changes. (For example, two otherwise acceptable changes may conflict
in terms of security because one assumes conditions that no longer
hold, given the other change.) Security Analysis shall also consider
the effects of interrelationships among the security features of the
RAMP Product.

VENDOR SECURITY ANALYST (VSA): A Vendor Security Analyst shall:


1. Successfully complete the NSA training program for VSAs (i.e.,
the VSA Class).

2. Deliver the vendor's Quarterly Status Reports (QSRs) to the
vendor forum on the required schedule.

3. Conduct, supervise, or monitor all Security Analysis tasks
according to the approved RM-Plan.

4. Review the Security Analysis prior to the submission of the RMR
for the rating maintenance action.

5. Conduct an initial RAMP Audit prior to the original evaluation
team's testing of the TCB. The results of this initial RAMP
Audit must be provided to the evaluation team.

6. Conduct at least one RAMP Audit for each RAMP Cycle. The
results of the RAMP Audit must be included in the next quarterly
status report following the RAMP Audit.

7. Ensure that before the RMR is submitted, the relevant parts(2) of
the entire security functional test suite used in the original
evaluation, as updated during the RAMP Cycle, are successfully
executed on a representative sample of hardware.

8. Demonstrate to the TRB that Security Analysis has been conducted
according to the approved RM-Plan in that RAMP Cycle.

(1) This audit can be conducted in conjunction with the TPOC's audit.
(2) In general, the entire test suite must be executed for each RAMP
action because it is infeasible to determine with confidence which
tests could not have been affected by the changes. If, however, the
changes are limited in scope, or there are parts of the test suite
that can be shown to be unaffected, a subset of the tests may be
performed. The rationale for any such limitations must be presented to
the RAMP TRB Panel.

3.3 B2-A1 Requirements

CONFIGURATION ITEM: Configuration Items shall be identified in the
CM-Plan and shall encompass:


1. The RM-Plan.

2. The CM-Plan.

3. The hardware/firmware subsystems incorporated in the TCB.

4. Any hardware and/or software features that are used to
periodically validate the correct operation of the TCB in
satisfaction of the System Integrity requirement.

5. The Trusted Facility Manual (TFM).

6. The Security Features User's Guide (SFUG).

7. All items specified in the Configuration Management requirement
of the Applicable Requirements.


CONFIGURATION MANAGEMENT: The CM-Plan shall include a list of all CIs
and the rationale for the chosen granularity of CIs. The CM-Plan
shall be followed throughout RAMP.


RAMP EVIDENCE: For each change, RAMP Evidence shall include the
following:


1. A description of the change.

2. The issues and conclusions of the Security Analysis.

3. Accountability for change.

4. Identification of the CIs affected.

5. The status of the changes to the CIs (e.g., being implemented,
or completed).

6. All other information about the change maintained by the
product's configuration management system.


RATING MAINTENANCE PLAN (RM-Plan): The RM-Plan shall include the
following:


1. Identification of the VSA(s) and the RCO, including their
corporate position.

2. The division of technical responsibilities among VSAs (if more than one).

3. The original date of approval of the RM-Plan and the dates of
all approved changes.

4. The policies and procedures for performing Security Analysis.

5. The procedures for complying with applicable interpretations.

6. A convincing argument to show that the described mechanisms,
procedures, and tools are sufficient to address all changes to
the product, including new features, bug fixes, and changes to
satisfy Applicable Requirements.

7. The procedures for a VSA-performed RAMP Audit.

8. The procedures for RM-Plan maintenance.

9. The policy for using emergency procedures for correcting errors
and for incorporating these corrections in subsequent scheduled
product releases.

10. The format of the RAMP Evidence.

11. All updates necessary to reflect corrective measures taken after
a RAMP process failure (e.g., failure to follow, or error in
following, the RM-Plan), if one has occurred.


12. The CM-Plan.


RATING MAINTENANCE REPORT (RMR): Each RMR shall include the following:


1. A summary identifying each change that has been made since the
previous evaluated release of the RAMP Product.

2. A description of all security-relevant changes and the Security
Analysis of those changes.

3. A description of how the RAMP Product meets the Applicable Requirements.

4. Identification of all tools used for generating CIs.

5. The internal procedures used for restoring the RAMP process, if
the RAMP Cycle covered by the RMR included a process
failure. The description of the internal procedures must include
the following:

. The nature of the failure;

. The Security Analysis conducted to establish corrective
measures and verify product trust;

. Establishment of the missing trail of evidence linking the
evaluated product to the RAMP Product.

6. Results of the VSA-conducted RAMP Audit.

7. Results of the covert channel analysis.

8. Results of the system architecture study.

9. Results of penetration testing.

10. Results of specification to code mapping (A1 evaluation class only).


RESPONSIBLE CORPORATE OFFICER: The Responsible Corporate Officer, or
if the RCO has designated a VBPOC to act on behalf of the RCO, the
VBPOC, shall:


1. Always be identified while the vendor is participating in RAMP
and shall be responsible for the overall management of the
vendor's RAMP effort.

2. Identify at least one VSA at all times while rating maintenance
actions are underway.

3. Be responsible for submitting a proposed RM-Plan during the
initial evaluation and shall obtain approval of the RM-Plan
before entering the formal evaluation phase.

4. Ensure that all subsequent changes to the RM-Plan, to reflect
all changes made in the vendor's implementation of the ratings
maintenance process, are submitted to the NSA for approval.

5. Sign the cover letter of the proposed RM-Plan.

6. Sign the cover letter of the RMR.

7. Ensure that any requested RAMP Audit is conducted promptly
following the request.

8. Be responsible for submitting, as directed by the TPOC, copies
of the following materials at least four weeks in advance of the
scheduled RAMP TRB:


. The RMR;

. The NSA-approved RM-Plan;

. The Updated Final Evaluation Report (FER);

. The proposed product description for the EPL.


SECURITY ANALYSIS: Security Analysis shall include the following:


1. Examining proposed changes to the RAMP Product for security
relevance, including analyzing the effects on the TCB.

2. Reviewing the design and implementation of approved changes.

3. Ensuring that the RAMP Product is adequately tested, including
ensuring adequate test coverage through modification of the
tests as necessary.

4. Ensuring that all documentation needed to show compliance with
the Applicable Requirements, including design and user
documentation, is updated consistently to reflect all changes to
the TCB.


A change shall be considered to affect the TCB if it alters code or
documentation within the identified TCB boundary, changes the TCB
boundary, augments the TCB, or indirectly affects the function of TCB
elements.

A change shall be considered security-relevant if it directly affects
any mechanism implementing identified security policies (e.g.,
discretionary access control (DAC), object reuse, TCB isolation) or if
it directly affects the maintenance of security data.

Security Analysis shall encompass cumulative effects involving all CI
changes. (For example, two otherwise acceptable changes may conflict
in terms of security because one assumes conditions that no longer
hold, given the other change.) Security Analysis shall also consider
the effects of interrelationships among the security features of the
RAMP Product.

SECURITY ANALYSIS TEAM (SA-TEAM): The SA-Team shall perform the
following activities.


1. Conduct, supervise, or monitor all Security Analysis tasks
according to the NSA-approved RM-Plan.

2. Review and approve the Security Analysis prior to the submission
of the RMR for the rating maintenance action.

3. Perform penetration testing.

4. Perform the system architecture study.

5. Ensure that, before the RMR is submitted, the relevant parts(3) of
the entire security functional test suite used in the original
evaluation, as updated during the RAMP Cycle, are successfully
executed on a representative sample of hardware.

(3) In general, particularly at the B1 class and below, the entire
test suite must be executed for each RAMP action because it is
infeasible to determine with confidence which tests could not have
been affected by the changes. If, however, the changes are very
limited in scope, or there are parts of the test suite that can be
shown to be unaffected, a subset of the tests may be performed. The
rationale for any such limitations must be presented to the RAMP TRB
Panel.

6. Review and approve the Updated FER.

7. Review and approve the RMR.

8. Demonstrate to the TRB that Security Analysis has been conducted
according to the NSA-approved RM-Plan for each RAMP Cycle.

9. Present to the TRB the processes/methods used for performing
penetration testing, covert channel analysis, system
architecture study, and specification to code mapping.


VENDOR SECURITY ANALYST: A Vendor Security Analyst shall:


1. Successfully complete the NSA training program for VSAs (i.e.,
the VSA Class).

2. Deliver the vendor's Quarterly Status Reports (QSRs) to the
vendor forum on the required schedule.

3. Present to the FCRB an overview of the changes to be made to the
system during the RAMP Cycle and the preliminary Security
Analysis of these changes. This presentation shall occur at the
start of the RAMP Cycle.

4. Conduct an initial RAMP Audit prior to the original evaluation
team's testing of the TCB. The results of this initial RAMP
Audit shall be provided to the evaluation team.

5. Conduct at least one RAMP Audit(4) for each RAMP Cycle. The
results of the RAMP Audit shall be included in the next
quarterly status report following the RAMP Audit.


(4) This audit can be conducted in conjunction with the TPOC's audit.



Chapter 4

TPOC Requirements

A Technical Point of Contact (TPOC) is an evaluator, assigned by the
National Security Agency (NSA), who serves as a consultant to a vendor
while the vendor is in the Rating Maintenance Phase (RAMP) of NSA's
Trusted Product Evaluation Program (TPEP). The TPOC is the interface
between the vendor and the NSA, and reports to the NSA Branch Chief
who is responsible for RAMP activity associated with the product.

A TPOC for a product is assigned by the NSA during the Evaluation
Phase of the TPEP, with the TPOC most likely being a member of the
Evaluation Phase team. It is likely that the NSA will assign more than
one TPOC for a product, especially if the product is a complex
one. During the Evaluation Phase, the TPOC works closely with the Team
Leader to assure a smooth transition into RAMP.

During the Evaluation Phase, the team, in the absence of a TPOC,
serves as the TPOC. Also, the team must deal with RAMP just as they
deal with other issues during the Evaluation Phase.

4.1 TPOC Requirements

TPOC Requirements for products at all levels of trust follow. Only the
first requirement differs for C2-B1 products vs B2-A1 products.


1. The first requirement is as follows:

. For a B1-C2 product, the TPOC shall provide technical
guidance concerning satisfying the Applicable Requirements
for the product under RAMP;

. For a B2-A1 product, the TPOC shall provide technical
guidance to the vendor concerning the product under RAMP. In
the event that a Security Analysis Team (SA-Team) is required
by TPEP Management for the RAMP effort, the TPOC shall be the
leader of the SA-Team.

2. The TPOC shall represent the vendor point-of-view in technical
discussions that involve the evaluation community.

3. The TPOC shall provide quarterly status reports to the vendor
evaluation forum by the fifth working day of the month during the
months of January, April, July, and October.

4. The TPOC shall examine and assess the RAMP Evidence, including
the Rating Maintenance Report (RMR), Rating Maintenance Plan
(RM-Plan), updated Final Evaluation Report (FER), and Evaluated
Products List (EPL) entry.

5. The TPOC shall examine all change descriptions for Configuration
Item (CI) changes that are part of the RAMP action, including
those that are not described by the RMR because they are not
security-relevant.

6. The TPOC shall assess whether the vendor process requirements,
for the Vendor Security Analysts (VSAs) and the Responsible
Corporate Officer (RCO), have been satisfied during the RAMP
action.

7. The TPOC shall prepare a cover letter describing the TPOC's
assessment of the evaluation evidence and changes, and post it to
the vendor forum.

8. The TPOC shall conduct at least one RAMP Audit(1) each RAMP
Cycle. The results of the audit shall be included in the next
Quarterly Status Report (QSR) following the RAMP Audit.

9. The TPOC, in cooperation with TPEP Management, shall schedule
RAMP Technical Review Board (TRB) meetings.

10. The TPOC shall ensure that the Updated FER has been completed
and shall be responsible for any updates to the Evaluator's
Comments section.

11. At least four weeks prior to the scheduled RAMP TRB, the TPOC
shall provide to NSA, and post to the vendor forum, a written
report that describes the vendor's RAMP activity, the activity
of the TPOC during the RAMP Cycle, and the results of the RAMP
Audit. This report shall also contain the TPOC's written
statement about the quality and accuracy of the Updated FER.(2)

12. The TPOC shall direct the vendor with respect to distribution of
the following materials (one copy of the materials to each RAMP
TRB member and applicable TPEP Management) in preparation for a
scheduled RAMP TRB:

. The RMR;

. The approved RM-Plan;

. The Updated FER;

. The proposed product description for the EPL;

. The TPOC's cover letter describing the assessment of evidence.

4.2 TPOC Guidance

The following guidance applies to the TPOC Requirements.

4.2.1 TPOC Technical Guidance to the Vendor.

The TPOC should not be considered as a replacement for the Evaluation
Phase team, although the vendor for the product under RAMP can expect
to receive some technical guidance from the TPOC. In the event the
TPOC needs assistance in performing his/her duties, the TPOC should
seek additional NSA resources via the NSA Branch Chief responsible for
RAMP of the product.

(1) This audit can be conducted in conjunction with the VSA's audit.
(2) A suggested outline for this report is contained within Appendix E
of this program document.



4.2.2 TPOC Representation of the Vendor's Position.

It is possible that during RAMP the TPOC might not agree with the
vendor's point-of-view for a particular technical issue. It is
essential, however, that the TPOC identify and represent the vendor's
point-of-view while acting in the role of TPOC. As an example, the
TPOC might enter a transaction on Dockmaster's interp forum that
identifies her/him as a TPOC for Vendor X's product that is under
RAMP, and goes on to represent the vendor's point-of-view relating to
an issue. The TPOC would then be free, while acting outside of the
role as TPOC, to respond to the transaction just described in a way
that does not favor the vendor's point-of-view.


4.2.3 TPOC Recommendation About Revised RM-Plan Approval.

There must always be an NSA-approved Rating Maintenance Plan (RM-Plan)
in effect for RAMP to proceed for a TPEP product. When a vendor
desires to revise an approved RM-Plan, the TPOC must review the
revised RM-Plan and write a summary that focuses on the revision and
that includes a recommendation for approval or non-approval of the
revised RM-Plan. The summary must also highlight any unusual or risky
areas of which TPEP Management should be aware.

The TPOC then provides a copy of the Revised RM-Plan and the summary
to the NSA Branch Chief responsible for the RAMP activity and to each
RAMP Technical Review Board (TRB) member. Approval of the revised
RM-Plan takes place through the same process (i.e., RAMP TRB) as
approval of other changes to configuration items.


4.2.4 The TPOC and RAMP TRB Materials.

The TRB materials, specifically the Rating Maintenance Report (RMR),
the approved RM-Plan, the Updated FER, and the proposed EPL entry for
the product under RAMP, must be made available to the TPOC at least
four weeks before the date of a scheduled RAMP TRB. The TPOC
facilitates, in accordance with current distribution practices, the
distribution of these materials to RAMP TRB members and to TPEP
Management.



Chapter 5

The Technical Review Board

The primary goal of the Trusted Product Evaluation Program (TPEP) is
to evaluate and place commercial-off-the-shelf trusted products on to
the Evaluated Products List (EPL). The Technical Review Board (TRB) is
responsible for assisting in ensuring the technical quality,
uniformity, and consistency of TPEP evaluations. During the Rating
Maintenance Phase (RAMP) each TRB member has the following
responsibilities:


. To ensure that all Applicable Requirements of the evaluation
criteria are interpreted correctly by each Vendor Security Analyst
(VSA);

. To ensure that the evaluation criteria are applied consistently
across all evaluations;

. To ensure the uniformity of evaluation procedures across all
evaluations by enforcing a consistently high technical quality for
all evaluations;

. To ensure that the VSAs' conclusions are supportable from the
evidence presented;

. To ensure that the depth and breadth of analysis are consistent
with the proposed rating of the trusted product;

. To provide recommendations to the TPEP Management relative to the
quality of the VSAs' understanding of the product, the quality of
the presentation of evidence reflected in the report and oral
presentation, and the findings of the VSAs and any course of
action proposed by them.

The TRB Panel reviews the vendor's NSA-approved Rating Maintenance
Plan (RM-Plan), Rating Maintenance Report (RMR), Updated Final
Evaluation Report (FER), and draft RAMP EPL entry, in order to
determine if the product's rating has been maintained. No RAMP TRB
will take place for a product until the FER (or Updated FER) of the
previous evaluated version has been completed. Also, a RAMP TRB for a
product will not take place until all the required actions from the
previous TRB for that product are completed. Required actions are
those that have been documented in the Final Decision published by
TPEP Management.

5.1 TRB Review Process

The RAMP TRB review process is as follows:

1. The VSA is responsible for developing a final draft of the
results of an evaluation and a proposed course of action for each
major milestone.

2. The Branch Chief, in coordination with the Technical Point of
Contact (TPOC), schedules a TRB meeting with the TRB
Coordinator. No TRB meeting should be scheduled until the Branch
Chief feels confident that the product meets all the requirements
of the candidate class.

3. All reports submitted to the TRB should contain line numbers and
be available in PostScript format. They should also include all
relevant decisions and interpretations affecting the product.

4. Four weeks prior to the TRB meeting, the Vendor Security Analyst
(VSA) submits the required documentation to the TPOC. The TPOC,
within one week, then distributes the documentation to all
applicable TRB members and to TPEP Management.

5. TRB members have two weeks to review the documentation and post
comments, statements, and questions to the TRB forum. These
comments are forwarded to the VSA and/or the TPOC by the TRB
Coordinator.

6. In the final week before the TRB meeting, the VSAs (SA-Team at B2
and above) can use the posted comments to prepare their
presentation to the TRB.

7. The VSAs (SA-Team at B2 and above) present findings to the TRB.

8. The TRB is allowed up to one week to post the final
recommendations to the TRB forum. The recommendation is made
available to the TPOC and/or the VSA.

9. After the TRB has posted the final recommendation, TPEP
Management has up to one week to post the final decision. During
this time, the VSAs (SA-Team at B2 and above) and TPEP technical
advisors have an opportunity to express their concern to TPEP
Management about the TRB recommendation.

10. A final decision can be to accept, reject, or conditionally
accept the product. If the product is accepted a new RAMP Cycle
for the product begins. If the product is rejected, the VSAs
(SA-Team at B2 and above) must repeat all (or some) steps in the
process and must defend the product before another RAMP TRB. When
the product is conditionally accepted, it means that there are
some actions that must be addressed by the VSAs (SA-Team at B2
and above) before the product can enter a new RAMP Cycle.

5.2 Scheduling

The TRB Coordinator can schedule TRB sessions up to nine months in
advance. The TRB schedule is published every 30 days on the TRB forum
and Team leader forum to reflect newly scheduled products. Initial
Product Assessment Report (IPAR)/Test TRBs are scheduled for two days
while Test, Final, and RAMP TRBs are scheduled for one day. The TRB
session will begin mid-month on a Tuesday and end on a Thursday unless
circumstances warrant otherwise.


5.2.1 Scheduling a TRB Date

TPOCs desiring to schedule a TRB should inform their Branch
Chief. Once the TPOC and Branch Chief agree on a timeframe, the TRB
Coordinator should be contacted to schedule a date.


5.2.2 Cancelling a TRB Date

TPOCs, and/or a Branch Chief wishing to cancel and/or reschedule a TRB
date should immediately contact the TRB Coordinator. The TRB
Coordinator will work to reschedule the TRB date if that is what is
requested.


5.2.3 TRB Panel Scheduling

Each TRB session will have at least four primary members scheduled to
appear at the TRB and one alternate member, who will be obligated to
fill a primary member's position in case of schedule conflicts. If not
required five weeks before the TRB session, the alternate will be
excused from the TRB session. If within five weeks of the TRB session
a primary member cannot attend, this member must find a replacement
from the TRB membership. A different chair will be appointed for each
product scheduled to be presented at the TRB session.

5.3 TRB Membership

TRB members are nominated by TPEP Management and appointed by TPEP
Management. Senior technical personnel are nominated for TRB
membership based on their experience and expertise. TRB membership is
open to all qualified individuals. TRB members participate in four to
eight TRB sessions per year.

5.4 TRB Attendance

TRB sessions are treated as closed meetings. Attendance is mandatory
for the TRB Panel and the evaluation team presenting the
product. Attendance is optional for others within the evaluation
community (e.g., TPEP personnel). Because seating is limited, anyone
who desires to observe a TRB must make a seat reservation with the TRB
Coordinator at least one week prior to the commencement of a TRB
meeting. Failure to make a reservation can result in denial of
access. The vendor may send the following individuals to the RAMP TRB
reviewing the vendor's product:


. All TPEP-recognized VSAs for that specific product may attend and
present that product to members of the TRB;

. The appropriate Responsible Corporate Officer (RCO) for that
product may attend the TRB to observe the presentations;

. A maximum of three developers associated with the vendor and that
product may attend the TRB to observe the presentations.



Chapter 6

The Future Change Review Board

It is envisioned that more National Security Agency (NSA) involvement
during the Rating Maintenance Phase (RAMP) will be required for higher
assurance (B2-A1) products than for lower assurance (C2-B1) products,
with the increased involvement being in the form of the possible
commitment of NSA resources to a Security Analysis Team (SA-Team). A
Future Change Review Board (FCRB) meeting is always held for products
at the B2 through A1 evaluation classes, and may, on approval of
Trusted Product Evaluation Program (TPEP) Management, be held for C2
and B1 products.

Because all the types of changes that vendors may make during RAMP
cannot be predicted, nor can the scope of changes that vendors may
make be quantified, it is very difficult to identify objective
criteria for determining the composition of a SA-Team during RAMP. To
assist in making this determination, a FCRB will be convened to make a
recommendation to Trusted Product Evaluation Program (TPEP) Management
on the composition of the SA-Team. Based on the FCRB's recommendation,
TPEP Management will make a resource decision concerning how, or
whether, to proceed with the proposed RAMP action.

6.1 Purpose

The FCRB is a panel that reviews proposed changes in evaluated
products. After the review, it makes a recommendation to TPEP
Management regarding the nature and extent of the analysis to be
performed by the SA-Team, the composition of the SA-Team, and the
nature of SA-Team's presentation to the RAMP Technical Review Board
(TRB). These recommendations are based on the FCRB's analysis of the
scope and complexity of the proposed changes, and the degree to which
the changes will affect security-relevant aspects of the product.

The SA-Team composition recommendation may include only VSA(s), VSA(s)
and TPOC(s), or a combination of VSA(s), TPOC(s), and other NSA
evaluators, possibly with expertise in special areas.
Recommendations for specific evaluator expertise will be made as the
proposed changes warrant; for example, a "port" from a
single-processor to multi-processor hardware platform would likely
need specific expertise in covert channel analysis. Additional
evaluators may also be recommended when the proposed changes require
significant work to evaluate.

The SA-Team may be required to present its results to the RAMP TRB
panel either electronically (i.e., by providing just the Rating
Maintenance Report (RMR)) or in person (as well as providing the
report). The former option would be recommended when the changes are
straightforward and the security-relevant aspects are entirely clear
at the time of the FCRB presentation. The latter would be recommended
when the changes are complex or where the full security impacts are
not yet clear.

The FCRB recommendation will include schedule, level of effort for
analysis, required personnel expertise, and nature of presentation to
the RAMP TRB.(1) The level of effort recommended by the FCRB can range
from nothing beyond the routine Security Analysis performed by the
VSA(s), to a significant evaluation effort involving multiple NSA
evaluators in addition to the VSA(s) and TPOC(s).

(1) This might involve no RAMP TRB presentation; only an on-line
interaction with the RAMP TRB; etc.

6.2 FCRB Agenda

FCRB members will receive a summary of changes to be presented at the
FCRB and a copy of the previous Final Evaluation Report (FER) or
Updated FER (if it is one that has not yet been published and
available to all FCRB members) two weeks prior to the scheduled
FCRB. This serves as background reading for the FCRB members and
allows them to think about the scope of changes contemplated by the
vendor. The FCRB is not expected to provide written comments to the
vendor or the TPOC.

The day of the FCRB, the TPOC will introduce the VSA to the FCRB. The
VSA will then present the types of changes to be made during this RAMP
Cycle along with a preliminary Security Analysis of the proposed
changes.


6.3 FCRB Membership

FCRB members are appointed by TPEP Management. They are drawn from the
TRB members, senior technical evaluators, and TPEP
Management. Ultimately, it is envisioned that the FCRB will consist of
the regularly scheduled TRB, plus one person (if necessary) who is
very familiar with the system being evaluated.


6.4 FCRB Review Process

The FCRB review process is as follows:


1. The Branch Chief, in coordination with the TPOC, schedules an
FCRB meeting with the TRB Coordinator. No FCRB meeting is
scheduled until a legal agreement has been signed and the
RM-Plan has been approved.

2. Three weeks prior to the FCRB meeting, a VSA submits to the
TPOC a written summary of proposed product changes to be
presented at the upcoming FCRB.

3. Three weeks prior to the FCRB meeting, the TPOC submits the
vendor proposed product changes summary and a copy of the Final
Evaluation Report (FER) or Updated FER (if not yet printed and
distributed) to NSA's distribution organization. The
distribution organization prepares and distributes the
documentation to all FCRB members and staff within one
week. This information is background reading for the FCRB. The
FCRB is not expected to prepare written comments for the vendor.

4. The VSA presents proposed product changes to the FCRB.

5. The FCRB chair within one week posts a final recommendation to
the TRB forum. This recommendation is made available to the
TPOC and/or the VSA.


6. After the FCRB chair has posted a final recommendation, TPEP
Management has up to one week to post the final decision. During
this week, the evaluation team and TPEP technical advisors have
an opportunity to express their concern to TPEP Management about
the FCRB recommendation.

7. The final decision determines the composition of the SA-Team and
the commitment of NSA resources to the effort.

6.5 Scheduling

FCRB meetings are held during normally scheduled TRB sessions. An
FCRB, however, is always a distinct activity: it must be requested
separately from the RAMP TRB, and is performed only after all the RAMP
TRB activities have been completed. The presentations for RAMP TRB and
FCRB may not be combined.

6.6 FCRB Attendance

FCRB sessions are treated as closed meetings. Attendance is mandatory
for the FCRB Panel, the TPOCs and VSAs for the product being
discussed, and is optional for all others within the evaluation
community. Seating at a FCRB is limited, so anyone who desires to
observe a FCRB must make a seat reservation with the TRB Coordinator
at least one week prior to the commencement of a FCRB meeting. Failure
to make a reservation can result in denial of access. The vendor whose
product will be discussed at a FCRB Meeting may send the following
individuals to the FCRB:


1. All NSA-recognized VSAs for the product may attend and present
that product to the FCRB. If a vendor has several products
participating in RAMP, only the VSAs representing the product
that is the focus of the FCRB may attend.

2. The appropriate Responsible Corporate Officer (RCO) for the
product that is the focus of the FCRB may attend the FCRB to
observe the presentations.

3. A maximum of three developers associated with the vendor whose
product is the focus of the FCRB may attend the FCRB to observe
the presentations.



Chapter 7

The VSA Class

Within the Rating Maintenance Phase (RAMP) Requirements, a Vendor
Security Analyst (VSA) is defined as "...the vendor personnel
responsible for execution of all technical tasks in RAMP," and a VSA
requirement is that "VSA candidates shall successfully complete the
National Security Agency (NSA) training program for VSAs." Although
formally known as the "National Security Agency's Vendor Security
Analyst Training Class," the phrases "VSA Class" or "RAMP Class" are
commonly used to refer to this training class.

Typically, the VSA Class is conducted semiannually, with one class
offered in the March/April timeframe and the other in the
August/September timeframe. Requests for VSA Class registration are
posted on the Dockmaster vsa forum. Registration can take place either
via Dockmaster or by FAX. The NSA assumes no responsibility for the
selection of a VSA by a vendor, and, in particular, the consequences
of an inappropriate selection of a VSA by a vendor.

The VSA Class consists of two components: a Non-Resident Component and
a Resident Component. The Non-Resident Component is completed at the
vendor site, and the Resident Component is completed at a site in the
Baltimore, Maryland, area. The VSA Class addresses, but is not limited
to, the following major areas:


. General principles of computer security;

. Trusted Computer System Evaluation Criteria (TCSEC) requirements,
including interpretations;

. Security issues in the system development process;

. All aspects of RAMP.


Upon successful completion of the VSA Class, NSA, through its INFOSEC
Outreach Program, identifies each VSA as a Certified Security Advocate
in the discipline of trusted product rating maintenance.(1) If, at any
time, a VSA is not associated with a vendor product under NSA's
Trusted Product Evaluation Program (TPEP), then the VSA is identified
not as a Certified Security Advocate but as a Security Advocate. A
Security Advocate can reapply to NSA to once again become a Certified
Security Advocate provided this individual is sponsored by a vendor
having an association with NSA's TPEP, and provided that the
individual would be a VSA for that vendor's product.

(1) As of 1 February 1994, all current VSAs are "grandfathered" into
the INFOSEC Outreach Program as Certified Security Advocates.




7.1 Registration

The first step in the VSA Class registration process is for the
Responsible Corporate Officer (RCO) to forward a completed
registration form to the RAMP Coordinator.(2) Ideally, the RCO will
provide the NSA with the completed registration form several months
prior to the beginning of the Resident Component of the VSA Class. An
RCO can identify more than one VSA candidate for participation in a
particular VSA Class. In such a case, a separate completed
registration form should be submitted for each candidate.

If the NSA accepts a VSA candidate into the VSA Class, the NSA will
notify both the RCO and the VSA candidate via United States Mail.

7.2 Non-Resident Component

Approximately six weeks prior to the beginning of the Resident
Component, the VSA candidate will receive the following via United
States Mail:


. A set of instructions relating to the VSA Class as a whole;

. A collection of TCSEC self-paced study modules and related self-tests;

. A collection of Trusted Network Interpretation (TNI) self-paced
study modules and related self-tests;

. A collection of Trusted Database Management System Interpretation
(TDI) self-paced study modules and related self-tests;

. Copies of articles that supplement the course modules;

. A self-administered examination based on the study materials
identified above, and instructions describing when and how to
return the completed examination to the NSA.


In addition to the materials provided by NSA, above, the following
books should be obtained by each VSA candidate, since the self-paced
study modules require readings from these books. The Tanenbaum book is
also used during the Resident Component of the VSA Class.


. Operating Systems: Design and Implementation, Andrew S. Tanenbaum,
Prentice Hall, 1987; ISBN 0-13-637406-9 025.

. Building a Secure Computer System, Morrie Gasser, Van Nostrand
Reinhold, 1988; ISBN 0-442-23022-2

. Research Directions in Database Security, Teresa Lunt,
Springer-Verlag, 1992; ISBN 0-387-97736-8.

(2) The RAMP Coordinator will be identified within the posting(s)
relating to the VSA Class that will appear on the Dockmaster vsa
forum.



Prior to taking the self-administered examination, which is returned
to the NSA approximately two weeks prior to the beginning of the
Resident Component of the VSA Class, a VSA candidate should expect to
invest 80-100 hours of study time into the Non-Resident Component.
Students will not be admitted to the Resident Component if their
examination has not been received by the NSA prior to the beginning of
the Resident Component.

7.3 Resident Component

The Resident Component of the VSA Class is a five day formal training
period that provides attendees with RAMP-specific information, and
that models numerous tasks that a VSA is required to perform during a
RAMP Cycle. The RAMP Class culminates with each attendee making a
presentation before a mock RAMP Technical Review Board (TRB).

During the Resident Component, which focuses on the RAMP Requirements,
students are introduced to Trusted MINIX,(3) a derivative of the MINIX
Operating System,(4) and an approach to its security analysis. As the
week progresses, class participants break into groups that simulate
vendor RAMP teams, and each member of each group selects a Service
Improvement Request (SIR) for possible implementation within Trusted
MINIX. Each group member performs security analysis, generates an
Engineering Change Order (ECO), and writes a section of a Rating
Maintenance Report (RMR). The RMR is submitted to and defended before
a mock TRB panel.


(3) For purposes of the VSA Class it is assumed that Trusted MINIX
has been successfully evaluated at the C2 level of trust.
(4) The MINIX Operating System was invented by Andrew S. Tanenbaum
and is described within the book Operating Systems: Design and
Implementation, Andrew S. Tanenbaum, Prentice Hall, 1987; ISBN
0-13-637406-9 025.


Appendix A

Sample RM-Plan Outline

A Rating Maintenance Plan (RM-Plan) that is written from the
appropriate RM-Plan requirements, and that adequately addresses each
applicable requirement, should result in a solid RM-Plan. Consistent
with this, it is suggested that an appendix of a vendor's RM-Plan
contain the entire set of applicable Rating Maintenance Phase (RAMP)
Requirements, and that another appendix contain a mapping that shows
how the RM-Plan meets the RAMP Requirements.

It is emphasized that the RM-Plan outline presented below is merely an
example, and that it is not required. The suggestions that are
offered are based on experience that the National Security Agency
(NSA) has had with RM-Plans to date. If the outline is adopted, the
vendor can decide whether or not to devote an entire section or
appendix to a particular topic, or to reduce the number of sections
and/or appendixes by addressing multiple topics within a particular
section or appendix.

A.1 Cover Page

The contents of this page should identify the product that will be or
is under RAMP. In addition, the name of the author(s) of the document
should be shown, as well as the date the document was written. The
cover page should also identify the date that the NSA approved the
RM-Plan, if it has been approved, and should show the history of any
prior RM-Plan approval(s).

A.2 Roman Numeral Page(s)

The "Roman numeral page(s)" of the RM-Plan can be used to contain
information that might be expected to be modified during the life of
the RM-Plan. This information includes the following:


. The name and company title of the Responsible Corporate Officer (RCO);

. The name and company title of the Vendor Business Point of Contact
(VBPOC), if a VBPOC is identified;

. The name and company title of the Vendor Security Analyst (VSA),
or of each VSA if there are more than one;

. The date and Evaluated Products List (EPL) entry number for each
Dockmaster EPL posting relating to the product;

. The title, date, Report Number, and Library Number of the Final
Evaluation Report (FER) and each Updated FER associated with the product.



Since changes to an RM-Plan might involve one or more of the items
identified above, placement of these items in a common location should
simplify the RM-Plan approval process, especially if the only
change(s) to an RM-Plan involves one or more of these items.

A.3 Introduction

It is recommended that the Introduction section of the RM-Plan contain
a pointer to the applicable RAMP Requirements, and that all
definitions within the applicable RAMP Requirements be adopted as
definitions for use within the RM-Plan.

In addition, the Introduction section should contain a one or two page
overview of the product, along with a pointer to the most recent FER
or Updated FER identified within the "Roman numeral page(s)" of the
RM-Plan. Other vendor-specific definitions and conventions could also
be identified within the Introduction section.

The Introduction section is also a good place to emphasize the role of
the VSA in RAMP, and to address the requirement that the RM-Plan shall
describe "the division of technical responsibilities among VSAs (if
more than one)."


A.4 Procedure for Complying with Applicable Interpretations

The NSA periodically issues interpretations of the Trusted Computer
System Evaluation Criteria (TCSEC). These interpretations become part
of the TCSEC, and as such, must be addressed. Products in RAMP under
the Trusted Product Evaluation Program (TPEP) must comply with
applicable TCSEC interpretations. This section of the RM-Plan should
describe how the vendor will comply with TCSEC interpretations that
might impact a product under RAMP. Issues to be addressed include the
following:


. A description of how the vendor will monitor interpretations of
the TCSEC;

. A description of how the vendor will determine if an
interpretation is applicable to their product under RAMP;

. A description of how the vendor will comply with any applicable
interpretation(s) that impact their product under RAMP.


A.5 Configuration Items and Rationale

It is recommended that each Configuration Item (CI) be listed in an
appendix of the RM-Plan. In addition, that appendix would be an
appropriate place to describe the rationale for CI identification.

There should be an indication about the access the Vendor Security
Analyst (VSA) has to each CI, specifically, where each CI is kept and
the method of VSA access. CI access is very important, since the VSA
must have access to each CI in order to perform Security Analysis.




A.6 Security Analysis

Since Security Analysis is the centerpiece of RAMP, the vendor must be
sure that the Security Analysis section of the RM-Plan describes in
detail how Security Analysis is performed for the product under RAMP.
It is essential that the role the VSA plays in Security Analysis be
identified, especially in terms of the applicable RAMP
Requirements. Diagrams, tracking forms, examples, etc., should be used
within this section to convey to the reader of the RM-Plan how product
changes are made and how Security Analysis is performed. A vendor
should view the development of the Security Analysis section of the
RM-Plan as requiring a major level of effort during the RM-Plan
development process.


A.7 Format of the RAMP Evidence

By definition, RAMP Evidence is the record of Security Analysis. It is
the summary of RAMP Evidence that is contained within the Rating
Maintenance Report (RMR) that is submitted to the RAMP Technical
Review Board (TRB). It is thus essential that the vendor carefully
consider what the RAMP Evidence will be and that the format of the
evidence be identified and explained within this section of the
RM-Plan. For example, a vendor database that is used to track changes
to an evaluated product might be identified as a source of RAMP
Evidence. If so, the RM-Plan should identify this database, describe
the fields contained within it, and describe the role the database
will play in Security Analysis.


A.8 Procedures for VSA-Performed RAMP Audits

A VSA is required to conduct an initial RAMP Audit prior to the
evaluation team's testing of the Trusted Computing Base (TCB). In
addition, a VSA is required to conduct a RAMP Audit during each RAMP
Cycle. This section of the RM-Plan should describe the approach that
the VSA will take while conducting a RAMP Audit. Topics that should be
covered in this section include the following:


. Identification of the specific RAMP Evidence that will be audited;

. A description of how the RAMP Evidence will be selected for audit,
including the approximate percentage of the RAMP Evidence that
will be audited;

. A discussion of the depth of the audit.


A.9 RM-Plan Maintenance

There must always be an NSA-approved RM-Plan in place for RAMP to
continue. In addition, the NSA-approved RM-Plan is a configuration
item under RAMP. Due to these factors, the vendor must describe how
the RM-Plan will be managed during RAMP to assure that an NSA-approved
RM-Plan is in effect at all times.



A.10 System Failures During RAMP

It is possible that a system failure requiring an emergency fix may
occur during RAMP. The vendor must describe how this type of failure
will be addressed should it occur.


A.11 Other Sections

As required by the vendor to provide a complete RM-Plan.


A.12 Appendix A - RAMP Requirements

A listing of the applicable RAMP Requirements as they appear within
Chapter 3 of this Rating Maintenance Phase Program Document Version 2.

A.13 Appendix B - RAMP Requirements Mapping

A table of pointers that demonstrate how the RAMP Requirements shown
in Appendix A are satisfied by the current RM-Plan. Particular
attention should be paid to the RM-Plan requirements that are
contained within the set of RAMP Requirements shown in Appendix A.(1)

A.14 Appendix C, etc.

As required by the vendor to provide a complete RM-Plan. The following
are suggested, however:


. Template(s) used for a change request;

. Sample output from a tracking system database.


(1) Although Appendix A and Appendix B might be combined into one
appendix, it is recommended that they remain separate so that the
RM-Plan reader has available in Appendix A the RAMP Requirements in
their original form and without entries that have been made by the
vendor.




Appendix B

Sample RMR Outline

The Rating Maintenance Report (RMR) is the summary of Rating
Maintenance Phase (RAMP) Evidence that is submitted by the Responsible
Corporate Officer (RCO) to the RAMP Technical Review Board (TRB)
during a RAMP Cycle. RMR requirements are contained within the set of
applicable RAMP Requirements, and the RMR should be written such that
the RMR requirements are fully addressed. The following RMR outline is
suggested but not required; it is intended to provide guidance to the
vendor community.


B.1 Cover Letter

This letter should be addressed to the Chief of NSA's Trusted Product
Evaluation Program (TPEP), and should include the following:


. Identification of the new product version, the evaluated product,
and any intervening product releases;

. Identification of the product rating established in the
evaluation and maintained through the previous release;

. Serial number of the Final Evaluation Report (FER), and serial
numbers of Updated FER(s);

. An assertion that the new release maintains the product rating;

. A statement that all aspects of the National Security Agency
(NSA)-approved Rating Maintenance Plan (RM-Plan) were followed
during the current RAMP Cycle, and that the contents of the RMR
reflect a true account of the RAMP Evidence generated during the
current RAMP Cycle;

. The signature of the RCO.


B.2 Introduction

The intent of the Introduction is to provide the reader of the RMR
with a high-level description of the changes that have been made to
the product since the latest Evaluated Products List (EPL) entry was
made. Since the vendor submits the NSA-approved Rating Maintenance
Plan (RM-Plan), the Final Evaluation Report (FER) or most recent
Updated FER, and the RMR to the RAMP TRB, pointers within the RMR to
sections of the most recent FER and/or the NSA-approved RM-Plan can
be provided. This will result in an RMR focusing on the RAMP Evidence
that was generated during the current RAMP Cycle.

Topics to be covered in the Introduction section of the RMR include
the following:


. Identification of any vendor-unique terms used within the RMR;


. Identification of the Trusted Computing Base (TCB) for the
original evaluated product in terms of hardware, software, and
firmware;

. A discussion of the rationale for Configuration Item (CI)
identification for the product under RAMP;

. A list of the CIs for the product under RAMP;

. A list of updated CIs due to product changes during the current
RAMP Cycle;

. The rationale for determining effects on the TCB of product changes.


Finally, since the vendor should run the entire security test suite on
the product prior to RMR submission, a statement to this effect,
including test results, should appear within the RMR, with the
Introduction section being a good place to include this information.


B.3 Criteria Interpretations

This section of the RMR is intended to address any Trusted Computer
System Evaluation Criteria (TCSEC) interpretations that have impacted
the product during the current RAMP Cycle. For each such
interpretation, the following should be addressed in this section:


. Each TCSEC interpretation applying to the product for the first
time should be identified, and comments on the significance of
each of these interpretations to the current product release
should be provided;

. Pointers should be provided to discussions in the RMR section on
"Product Changes and Evidence of System Trust" wherein product
changes were made during the current RAMP Cycle because of
specific TCSEC interpretation(s).


B.4 Product Changes and Evidence of System Trust

This section is the centerpiece of the RMR, and should address all
security-relevant changes that have been made to the product since the
last EPL entry. Since the focus of the RAMP is on security-relevant
changes, it is suggested that all changes determined to be
non-security-relevant be briefly identified within an appendix of the
RMR. The identification should be in the form of a one or two line
meaningful title that conveys the nature of the change to the RMR
reader, as well as an associated vendor reference; for example, an
Engineering Change Order (ECO) number.(1) This reference would allow
the vendor to provide the NSA with information about a non-security
relevant change in a timely manner, if so requested. Similarly, for
security-relevant changes determined to be "minor" in nature, another
appendix can be used to briefly identify each. A one or two line
meaningful title, and an associated ECO reference should be
sufficient.

(1) A vendor might use different terminology. This terminology
would be described within the "vendor-specific terminology" portion of
the Introduction section of the RMR.

The "Product Changes and Evidence of System Trust" section of the RMR
could open with a brief overview of the contents of the section,
including pointers to the two appendixes identified above. The
remainder of this section can then focus on the "major"
security-relevant changes that have been made to the product during
the current RAMP Cycle. For each, the following should be addressed:


. A description of the change that includes the following:

1. A functional description.

2. A description of user-visible effects.

. The ECO number associated with the change;

. Identification of the CIs that were modified, if any, as a result
of the change;

. Classification of the change as being or not being
security-relevant;

. Evidence of product trust to include the following:

1. Explanation of relevant TCSEC interpretations, if any.

2. Relevant TCB mechanisms and assurances.

3. Tests and test modifications, if any.

4. Summary of test results.

5. Pointers to system and test documentation.

6. Pointers to specific code-level changes.


B.5 Appendix A - Non-Security-Relevant Changes

This appendix would contain a list of non-security-relevant changes,
including a one or two line meaningful title for each, and an
associated vendor reference for each.


B.6 Appendix B - "Minor" Security-Relevant Changes

This appendix would contain a list of minor security-relevant changes,
including a one or two line meaningful title for each, and an
associated vendor reference for each.


B.7 Appendix C, etc.

As required by the vendor to provide a complete RMR.


Appendix C

RAMP Audit

The Rating Maintenance Phase (RAMP) Requirements at all levels of
trust provide the following definition of the RAMP Audit.

RAMP AUDIT: A review of the RAMP Evidence, based on a suitable
representative sample, to ensure that only approved changes are
implemented, that all Configuration Items (CIs) are updated
consistently, and that Security Analysis is performed
satisfactorily. In addition to the required RAMP Audits performed by
the Vendor Security Analysts (VSAs), aperiodic RAMP audits may be
performed by a Security Analysis Team (for B2 and above) or the
Technical Point of Contact (TPOC).(1)

There are two purposes of a RAMP Audit, namely to verify compliance
with the RAMP process, and to check the Security Analysis that has
been performed.


C.1 RAMP Audits in General

There are two "types" of NSA-conducted RAMP Audits, the first
occurring prior to the team's testing of the Trusted Computing Base
(TCB), and the second occurring during each RAMP Cycle. In addition,
there are two "types" of VSA-conducted RAMP Audits, the first
occurring prior to the team's testing of the TCB, and the second
occurring during each RAMP Cycle.

The first "type" of RAMP Audit, that conducted during the evaluation
and prior to the Test Technical Review Board (TRB), is intended to
assure that the policies and procedures identified within the
NSA-approved Rating Maintenance Plan (RM-Plan) are in place.

The second "type" of RAMP Audit, that conducted during each RAMP
Cycle, is the one whose focus is on the RAMP AUDIT requirement. It is
during this type of RAMP Audit that the RAMP Evidence is examined to
ascertain that only approved changes have been implemented, that all
CIs have been updated consistently, and that Security Analysis has
been performed satisfactorily.

C.2 A "Suitable Representative Sample"

The definition of RAMP Audit states that a "suitable representative
sample" of the RAMP Evidence must be reviewed during the audit. This
raises the question of "What constitutes a suitable representative
sample?" This question is not easy to answer. A starting point,
however, might be to focus on the RAMP Evidence as a whole, then to
break it out into three areas, as follows:

(1) Although not a RAMP Requirement, a vendor can expect that the
National Security Agency (NSA) will allow the vendor at least ten (10)
working days to prepare for an aperiodic RAMP Audit.



. Major security-relevant changes (e.g., implementation of new
features within the product);

. Minor security-relevant changes (e.g., security-relevant bug
fixes);

. Non-security-relevant changes (e.g., non-security-relevant bug
fixes).


If, as a rule-of-thumb, approximately 10% of the entire RAMP Evidence
is subjected to a RAMP Audit, then the following break-out would be
reasonable concerning the 10%:


. Direct 70% of the RAMP Audit effort in the area of major
security-relevant changes;

. Direct 20% of the RAMP Audit effort in the area of minor
security-relevant changes;

. Direct 10% of the RAMP Audit effort in the area of
non-security-relevant changes.


C.3 VSA-Conducted RAMP Audits

VSA-conducted RAMP Audits should focus on assuring that the RAMP Audit
requirement is met by the vendor.


C.4 NSA-Conducted RAMP Audits

A starting point for the NSA-conducted RAMP Audits would be a
vendor/NSA discussion, perhaps originating from a vendor briefing,
about the nature of the changes that have been made to the product
since the last NSA-conducted RAMP Audit, with emphasis on how these
changes were implemented. As a result of this discussion, the National
Security Agency (NSA) representative(s) should feel comfortable that
all changes made to the system were consistent, in concept, with the
mechanisms described within the NSA-approved RM-Plan for the product.

The next step would be for the NSA representative(s) to request the
Vendor Security Analyst (VSA) to demonstrate to the NSA that changes
to the product have been made in an acceptable manner, as described
within the NSA-approved RM-Plan. There would most likely be a one or
two week interval between the discussion described above and the
evidence demonstration. During this interval, the NSA would identify
to the VSA exactly what evidence demonstration must be
provided. Suggestions are as follows:


. A demonstration, using real examples, of VSA access to all CIs
identified within the NSA-approved RM-Plan;

. A VSA-conducted demonstration of the Security Analysis that was
performed for each of the following types of changes, including
a demonstration of all tools used to support the Security
Analysis process (e.g., on-line tracking system):

1. A specific "major" security-relevant change.
2. A specific "minor" security-relevant change.
3. A specific non-security-relevant change.



. A demonstration, using real examples, of CI update methodology
for each of the following types of CIs:

1. Hardware CI;

2. Software CI;

3. Firmware CI;

4. Documentation CI;

5. Security test suite CI.


Appendix D

Sample QSR Outline

During the Rating Maintenance Phase (RAMP) a Quarterly Status Report
(QSR) must be posted on the vendor forum by both the Vendor Security
Analyst (VSA) and Technical Point of Contact (TPOC) by the fifth
working day of the months of January, April, July, and October. Each
QSR should have as its subject line "Quarterly Status Report," and
have the following format:


Product Identification: This section should include information such
as:

. Vendor name and address;

. Product name and version;

. Identification of Evaluated Products List (EPL) entries for
this product;

. Platform;

. Product availability date;

. Other information as determined necessary.

Accomplishments this Quarter: A list of what has transpired since the
previous QSR, including brief descriptions where appropriate, should
be contained within this section.

Plans for Next Quarter: A list of what is expected to occur before the
next QSR should be contained within this section.

Major Milestones: This section includes identifying events such as:

. Implementation completion (e.g., of a new product feature);

. Testing completion;

. RAMP Audit activity;

. RAMP Technical Review Board (TRB) presentation.

Outstanding Technical Issues and Concerns: A list of any
technically-based questions or issues which have yet to be answered
should be contained within this section.

Outstanding Management Issues: A list of any managerial questions or
issues which have yet to be answered should be contained within this
section.

Membership List: A list of TPOCs, VSAs, and the technical and
managerial leaders of both vendor and Trusted Product Evaluation
Program (TPEP), including addresses and telephone numbers, should
appear within this section.



Appendix E

Sample TPOC Report

The Technical Point of Contact (TPOC) Report is the summary of the
TPOC's assessment of the activities performed in the course of the
Rating Maintenance Phase (RAMP) Cycle, particularly an assessment of
the Rating Maintenance Report (RMR) and of proposed changes to the
Rating Maintenance Plan (RM-Plan). The report identifies the main
events that occurred during the RAMP Cycle being reported. Emphasis
(that is, greater detail) is given to the descriptions of those
activities where the TPOC has a more active role. The activities of
the Vendor Security Analysts (VSAs) are described in the RMR. The
following TPOC Report outline is suggested but not required; it is
intended to provide guidance to the TPOCs.


E.1 Introduction

The introduction should provide a brief overview of the activities
since the previous RAMP Technical Review Board (TRB) Meeting (or, for
an initial RAMP Cycle, since the Final TRB). This overview should
include identification of version numbers, timeframes when milestones
were reached, management issues, interpretations, and any other
information that would be of interest to the TRB. For RAMP Cycles for
which a Future Change Review Board (FCRB) meeting was held, the
introduction should also include a list of the tasks that the FCRB
recommended be done.


E.2 Assessment of the RMR

The TPOC must provide to the TRB an assessment of the completeness,
quality, and clarity of the RMR, including an affirmation of its
conformance to the RAMP Program Document requirements. This
assessment should include a summary of major changes to the evaluated
product.


E.3 Assessment of Proposed RM-Plan Changes

The TPOC must provide to the TRB an assessment of the completeness and
clarity of the updated RM-Plan, including an affirmation of its
practicality and conformance to the RAMP Program Document
requirements. This assessment should include the identification of
major additions, deletions, or changes to the RM-Plan.




E.4 Assessment of FER

The TPOC must provide to the TRB an assessment of the quality and
accuracy of the Updated Final Evaluation Report (FER). This assessment
should include the identification of major additions, deletions, or
changes to the FER. This would be fairly high-level, primarily because
the TRB will have a copy of the Updated FER.


E.5 Summary of RAMP Audit

This is where the TPOC describes the activities of the RAMP
Audit. This includes not only the activities themselves, but also an
assessment of the outcome. Any problems that were encountered, along
with their resolutions, should be described. The TPOC may also want to
include an identification of the participants of the RAMP Audit.


E.6 Testing

A summary of the results of the testing effort should be
described. This description includes the TPOC's role during testing,
any tests that were added to the vendor's test suites during this RAMP
Cycle, and an assertion that all of the tests ran favorably.

For B2 and above classes, a description of the Penetration Testing
exercise should also be included. Like the description of the RAMP
Audit, this description should contain more detail, because the TPOC's
role is more active than in, say, the functional testing effort.


E.7 FCRB-Recommended Activities

This section should provide details on the tasks recommended by the
FCRB (listed in the "Introduction" section of the TPOC report). Each
item should have its own description at a level of detail equivalent
to that of Penetration Testing or the RAMP Audit.




Appendix F
Acronyms

CI        Configuration Item
CM        Configuration Management
CM-Plan   Configuration Management Plan
CSSI      Computer Security Subsystem Interpretation
DAC       Discretionary Access Control
DOD       Department of Defense
ECO       Engineering Change Order
EPL       Evaluated Products List
FCRB      Future Change Review Board
FER       Final Evaluation Report
IPAR      Initial Product Assessment Report
IPTR      Intensive Preliminary Technical Review
NCSC      National Computer Security Center
NSA       National Security Agency
NIST      National Institute for Standards and Technology
QSR       Quarterly Status Report
RAMP      Rating Maintenance Phase
RCO       Responsible Corporate Officer
RM-Plan   Rating Maintenance Plan
RMR       Rating Maintenance Report
SA-Team   Security Analysis Team
SFUG      Security Features User's Guide
SIR       Service Improvement Request
TCB       Trusted Computing Base
TCSEC     Trusted Computer System Evaluation Criteria
TDI       Trusted Database Management System Interpretation
TFM       Trusted Facility Manual
TNI       Trusted Network Interpretation
TPEP      Trusted Product Evaluation Program
TPOC      Technical Point of Contact
TRB       Technical Review Board
VBPOC     Vendor Business Point of Contact
VSA       Vendor Security Analyst



U.S. GOVERNMENT PRINTING OFFICE:1995 - 622-093 - 1302/82145