Assurance Continuity Maintenance Report

BSI-PP-0020-V2-2007-MA-02

Protection Profile for electronic Health Card (eHC) - elektronische Gesundheitskarte (eGK), Version 2.6

developed on behalf of the Federal Ministry of Health, Germany

Assurance Package: EAL 4 augmented with ADV_IMP.2, AVA_MSU.3 and AVA_VLA.4

Common Criteria Recognition Arrangement

The Protection Profile identified in this report was assessed according to the Assurance Continuity: CCRA Requirements, version 1.0, February 2004. The baseline for this assessment was the Certification Report, the Protection Profile and the Evaluation Technical Report of the Protection Profile certified by the Federal Office for Information Security (BSI) under BSI-PP-0020-V2-2007.

The change to the certified Protection Profile is at the level of editorial changes, minor changes of the access control policy and editorial changes of SFR operations and Application Notes, changes that have no effect on assurance. The identification of the maintained Protection Profile is indicated by a new version number compared to the certified Protection Profile.

Consideration of the nature of the change leads to the conclusion that it is classified as a minor change and that certificate maintenance is the correct path to continuity of assurance. Therefore, the assurance as outlined in the Certification Report BSI-PP-0020-V2-2007 is maintained for this version of the Protection Profile. Details can be found on the following pages.

This report is an addendum to the Certification Report BSI-PP-0020-V2-2007.

Bonn, 30 October 2008

Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 185-189 - D-53175 Bonn - Postfach 20 03 63 - D-53133 Bonn
Phone +49 228 99 9582-0 - Fax +49 228 9582-5477 - Infoline +49 228 99 9582-111

Assessment

The Protection Profile identified in this report was assessed according to the Assurance Continuity: CCRA Requirements [1] and the Impact Analysis Report (IAR) [2]. The baseline for this assessment was the Certification Report of the certified Protection Profile [3], the Protection Profile [4] and the Evaluation Technical Report as outlined in [3].

The author of the Protection Profile for the electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK), SRC GmbH, submitted an IAR [2] to the BSI for approval. The IAR is intended to satisfy the requirements outlined in the document Assurance Continuity: CCRA Requirements [1]. In accordance with those requirements, the IAR describes (i) the changes made to the certified PP, (ii) the evidence updated as a result of the changes and (iii) the security impact of the changes.

The Protection Profile for electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK) was changed due to the inclusion of a new version of the eHC specifications as a reference, a changed access control policy SFP_access_rules, and changes to an Application Note for the Security Functional Requirement FDP_SDI.2. The change is not significant from the standpoint of security.

The version number of the Protection Profile has changed from version 2.5 to version 2.6.

Conclusion

The change to the TOE is at the level of an updated reference, editorial changes, minor changes of the access control policy and editorial changes of SFR operations and Application Notes, changes that have no effect on assurance.
Consideration of the nature of the change leads to the conclusion that it is classified as a minor change and that certificate maintenance is the correct path to continuity of assurance. Therefore, BSI agrees that the assurance as outlined in the Certification Report [3] is maintained for this version of the Protection Profile.

This report is an addendum to the Certification Report [3].

The version number of the Protection Profile has changed from version 2.5 to version 2.6.

References

[1] Common Criteria document CCIMB-2004-02-009 “Assurance Continuity: CCRA Requirements”, version 1.0, February 2004

[2] Impact analysis for the Common Criteria Protection Profile electronic Health Card PP-0020, second Maintenance, Version 1.1, 29.07.2008

[3] Certification Report BSI-PP-0020-V2-2007 for “Protection Profile for the electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK), Version 2.0 developed on behalf of the Federal Ministry of Health, Germany”, Bundesamt für Sicherheit in der Informationstechnik, (15 February 2007)

[4] Protection Profile for the electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK) developed on behalf of the Federal Ministry of Health, Germany, Version 2.6, 29.07.2008