Objectives
The capabilities of the CM system address the likelihood that accidental or unauthorised modifications of the configuration items will occur. The CM system should ensure the integrity of the TOE from the early design stages through all subsequent maintenance efforts.
The objectives of this family include the following:
a) ensuring that the TOE is correct and complete before it is sent to the consumer;
b) ensuring that no configuration items are missed during evaluation;
c) preventing unauthorised modification, addition, or deletion of TOE configuration items.
Component levelling
The components in this family are levelled on the basis of the CM system capabilities, the scope of the CM documentation provided by the developer, and whether the developer provides justification that the CM system meets its security requirements.
Application notes
ACM_CAP.2 (Configuration items) introduces several elements which refer to configuration items. The ACM_SCP (CM scope) family contains requirements for the configuration items to be tracked by the CM system.
ACM_CAP.2.3C ("The CM documentation shall include a configuration list.") introduces a requirement that a configuration list be provided. The configuration list contains all configuration items that are maintained by the CM system.
ACM_CAP.2.6C ("The CM system shall uniquely identify all configuration items.") introduces a requirement that the CM system uniquely identify all configuration items. This also requires that modifications to configuration items result in a new, unique identifier being assigned.
ACM_CAP.3.8C ("The evidence shall demonstrate that the CM system is operating in accordance with the CM plan.") introduces the requirement that the evidence shall demonstrate that the CM system operates in accordance with the CM plan. Examples of such evidence might be documentation such as screen snapshots or audit trail output from the CM system, or a detailed demonstration of the CM system by the developer. The evaluator is responsible for determining that this evidence is sufficient to show that the CM system operates in accordance with the CM plan.
ACM_CAP.3.9C ("The CM documentation shall provide evidence that all configuration items have been and are being effectively maintained under the CM system.") introduces the requirement that evidence be provided to show that all configuration items are being maintained under the CM system. Since a configuration item refers to an item that is on the configuration list, this requirement states that all items on the configuration list are maintained under the CM system.
ACM_CAP.4.11C ("The CM system shall support the generation of the TOE.") introduces the requirement that the CM system support the generation of the TOE. This requires that the CM system provide information and/or electronic means to assist in determining that the correct configuration items are used in generating the TOE.
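The following is an added illustration, not part of the criteria text, of how a CM system could meet ACM_CAP.2.3C, ACM_CAP.2.6C and ACM_CAP.4.11C together: it builds a configuration list and checks the inputs to TOE generation against it. The content-hash identifier scheme, the function names and the sample items are assumptions made for the example; the criteria do not prescribe any particular scheme.

```python
import hashlib

def item_id(name, content):
    """Unique identifier bound to name and content (assumed scheme):
    any modification of the item yields a new identifier (ACM_CAP.2.6C)."""
    return f"{name}@sha256:{hashlib.sha256(content).hexdigest()}"

def make_configuration_list(items):
    """Configuration list (ACM_CAP.2.3C): item name -> unique identifier."""
    return {name: item_id(name, data) for name, data in sorted(items.items())}

def check_build_inputs(config_list, build_inputs):
    """Electronic support for TOE generation (ACM_CAP.4.11C): report inputs
    that differ from, are absent from, or are not on the configuration list."""
    findings = {"modified": [], "unlisted": [], "missing": []}
    for name, data in sorted(build_inputs.items()):
        if name not in config_list:
            findings["unlisted"].append(name)      # unauthorised addition
        elif item_id(name, data) != config_list[name]:
            findings["modified"].append(name)      # unauthorised modification
    # Items on the list but not supplied: deletion, or an incomplete TOE.
    findings["missing"] = sorted(set(config_list) - set(build_inputs))
    return findings

# Constructed sample data: the baseline placed under CM control.
BASELINE = {
    "src/auth.c": b"int check(void) { return verify(); }\n",
    "src/main.c": b"int main(void) { return check(); }\n",
    "doc/admin_guide.txt": b"Administrator guidance v1\n",
}
CONFIG_LIST = make_configuration_list(BASELINE)

# Constructed sample data: what a build is about to consume.
BUILD_INPUTS = {
    "src/auth.c": b"int check(void) { return 1; }\n",   # changed after baseline
    "src/main.c": BASELINE["src/main.c"],               # unchanged
    "src/debug_hook.c": b"void hook(void) {}\n",        # never placed under CM
}                                                        # admin guide omitted

def demo():
    return check_build_inputs(CONFIG_LIST, BUILD_INPUTS)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A generation step that refuses to proceed unless all three finding lists are empty also produces the kind of audit trail output that ACM_CAP.3.8C names as acceptable evidence.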