Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 185-189 - D-53175 Bonn - Postfach 20 03 63 - D-53133 Bonn
Phone +49 3018 9582-0 - Fax +49 3018 9582-5477 - Infoline +49 3018 9582-111

Assurance Continuity Maintenance Report

BSI-PP-0020-V2-2007-MA-01

Protection Profile for electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK), Version 2.5

developed on behalf of the Federal Ministry of Health, Germany

Assurance Package: EAL 4 augmented with ADV_IMP.2, AVA_MSU.3 and AVA_VLA.4

Common Criteria Arrangement

The Protection Profile identified in this report was assessed according to the Assurance Continuity: CCRA Requirements, version 1.0, February 2004. The baseline for this assessment was the Certification Report, the Protection Profile and the Evaluation Technical Report of the Protection Profile certified by the Federal Office for Information Security (BSI) under BSI-PP-0020-V2-2007.

The change to the certified Protection Profile is at the level of editorial changes, minor changes of the access control policy and editorial changes of SFR operations, changes that have no effect on assurance. The identification of the maintained Protection Profile is indicated by a new version number compared to the certified Protection Profile.

Consideration of the nature of the change leads to the conclusion that it is classified as a minor change and that certificate maintenance is the correct path to continuity of assurance.

Therefore, the assurance as outlined in the Certification Report BSI-PP-0020-V2-2007 is maintained for this version of the Protection Profile. Details can be found on the following pages.

This report is an addendum to the Certification Report BSI-PP-0020-V2-2007.

Bonn, 26. March 2008

Assessment

The Protection Profile identified in this report was assessed according to the Assurance Continuity: CCRA Requirements [1] and the Impact Analysis Report (IAR) [2].
The baseline for this assessment was the Certification Report of the certified Protection Profile [3], the Protection Profile [4] and the Evaluation Technical Report as outlined in [3].

The author of the Protection Profile for the electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK), SRC GmbH, submitted an IAR [2] to the BSI for approval. The IAR is intended to satisfy the requirements outlined in the document Assurance Continuity: CCRA Requirements [1]. In accordance with those requirements, the IAR describes (i) the changes made to the certified PP, (ii) the evidence updated as a result of the changes and (iii) the security impact of the changes.

The Protection Profile for electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK) was changed for three reasons: a new version of the eHC specifications was included as a reference, the access control policy SFP_access_rules was changed, and the operations of the Security Functional Requirements regarding cryptography were changed so that they are independent of further development of the cryptographic standards, in accordance with the specifications. The change is not significant from the standpoint of security.

The version number of the Protection Profile has changed from version 2.0 to version 2.5.

Conclusion

The change to the TOE is at the level of an updated reference, editorial changes, minor changes of the access control policy and editorial changes of SFR operations, changes that have no effect on assurance. Consideration of the nature of the change leads to the conclusion that it is classified as a minor change and that certificate maintenance is the correct path to continuity of assurance.

Therefore, BSI agrees that the assurance as outlined in the Certification Report [3] is maintained for this version of the Protection Profile. This report is an addendum to the Certification Report [3].
References

[1] Common Criteria document CCIMB-2004-02-009 “Assurance Continuity: CCRA Requirements”, version 1.0, February 2004

[2] Impact Analysis for the Common Criteria Protection Profile for the electronic Health Card (eHC) BSI-PP-0020-V2-2007-MA01, Version 1.0, 02.01.2008

[3] Certification Report BSI-PP-0020-V2-2007 for “Protection Profile for the electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK), Version 2.0 developed on behalf of the Federal Ministry of Health, Germany”, Bundesamt für Sicherheit in der Informationstechnik, (15. February 2007)

[4] Protection Profile for the electronic Health Card (eHC) – elektronische Gesundheitskarte (eGK) developed on behalf of the Federal Ministry of Health, Germany, Version 2.5, 02.01.2008