Maintenance Addendum Citadel Hercules Automated Vulnerability Remediation Version 3.5 (December 2004)

Maintenance Report
Issued by:
Communications Security Establishment
Certification Body
Canadian Common Criteria Evaluation and Certification Scheme (CCS)
© 2004 Government of Canada, Communications Security Establishment
| Document number | 383-7-5-MR |
|---|---|
| Version | 1.0 |
| Date | 13 December 2004 |
1 Introduction
On 8 December 2004, Electronic Warfare Associates-Canada (EWA-Canada) submitted an Impact Analysis Report to the CCS Certification Body on behalf of Citadel Security Software Incorporated, the developer of the Citadel Hercules® Automated Vulnerability Remediation product. The Impact Analysis Report is intended to satisfy requirements outlined in version 1.0 of the Common Criteria document CCIMB-2004-02-009: Assurance Continuity: CCRA Requirements.
In accordance with those requirements, the Impact Analysis Report describes the changes made to Citadel Hercules® Automated Vulnerability Remediation version 3.0 (the maintained Target of Evaluation), the evidence updated as a result of the changes, and the security impact of the changes.
2 Description of changes
The following characterizes the changes implemented in version 3.5 of Citadel Hercules® Automated Vulnerability Remediation. For each change, it was verified that there were no required changes to the security functional requirements in the ST, and thorough functional and regression testing was conducted to ensure that the assurance in the maintained Target of Evaluation (TOE) was maintained. The changes in version 3.5 of Citadel Hercules® Automated Vulnerability Remediation comprise software changes that:
- restore the expected functionality of the product (bug fixes); and,
- ensure the accurate collection and presentation of information by the product.
3 Affected developer evidence
Modifications to the product necessitated changes to a subset of the developer evidence that was previously submitted for the TOE. The set of affected developer evidence was correctly identified, and revised versions of all affected developer evidence were submitted.
4 Conclusions
All of the changes are feature changes and corrections to the product, requiring only minor code changes. Through functional and regression testing of Citadel Hercules® Automated Vulnerability Remediation Version 3.5, security assurance was maintained. Consideration of the nature of the changes leads to the conclusion that the changes are classified as minor, and that maintenance is the correct path to continuity of assurance.
5 References
Assurance Continuity: CCRA Requirements, CCIMB-2004-02-009, version 1.0, February 2004.
Technical Oversight for Assurance Continuity of a Certified TOE, CCS-Guide-006, version 1.0, October 2004.
Certification Report for EAL3 Evaluation of the Citadel Hercules® AVR Version 2.2.0, version 1.1, 1 March 2004.
Maintenance Report for Citadel Hercules® Automated Vulnerability Remediation (AVR) Version 3.0, version 1.0, 19 August 2004.