Objectives
The Assurance Maintenance Plan (AM Plan) identifies the plans and procedures a developer must implement in order to ensure that the assurance that was established in the certified TOE is maintained as changes are made to the TOE or its environment. The AM Plan is specific to the TOE, and is tailored to the developer's own practices and procedures.
Component levelling
This family contains only one component.
Application notes
An AM Plan covers one assurance maintenance cycle, this being the period from the completion of the most recent evaluation of the TOE to the completion of the next planned re-evaluation.
The requirements AMA_AMP.1.2C and AMA_AMP.1.3C serve to provide a clear identification of the baseline for assurance maintenance, in terms of the evaluation results and the definition of the categorisation of TOE components. The TOE component categorisation report is subject to the requirements of the AMA_CAT family, and provides the basis for the security impact analysis performed by the developer security analyst.
The definition of the scope of changes covered by the plan, as required by AMA_AMP.1.4C, should be in terms of the category of components of the TOE that may be changed and the representational level at which changes can occur (referencing the TOE component categorisation report where appropriate).
AMA_AMP.1.5C requires a description of the developer's current plans for any new releases of the TOE. These plans may be subject to change, and hence require an update to the AM Plan. It should be noted, however, that in this context the term new release does not, for example, include minor ('unplanned') releases of the TOE to incorporate bug fixes.
AMA_AMP.1.6C requires a definition of the planned schedule for AM audits (see the AMA_EVD family below) and the targeted re-evaluation of the TOE, together with a justification of the proposed schedules. The schedules may be defined in terms of elapsed time (e.g. annual AM audits), or they may be linked to specific new releases of the TOE. The planned schedules should take into account the expected changes to the TOE during the period, and also any elapsed period between the evaluation of the TOE and the establishment of the AM Plan. In particular, any changes outside the scope of the AM Plan will trigger a re-evaluation.