ANNEX V
Point V.1 of Annex V to Implementing Regulation (EU) 2024/482 is replaced by the following:
‘V.1 Certification report
1.
Based on the evaluation technical reports provided by the ITSEF, the certification body establishes a certification report to be published together with the corresponding EUCC certificate and security target.
2.
The certification report is the source of detailed and practical information about the ICT product and about the ICT product’s secure deployment. It shall therefore include all publicly available and sharable information of relevance to users and interested parties. Publicly available and sharable information may be referenced by the certification report.
3.
The certification report shall contain at least the following information:
(a)
executive summary;
(b)
identification of the ICT product;
(c)
contact information related to the evaluation of the ICT product;
(d)
security policies;
(e)
assumptions and clarification of scope;
(f)
architectural information;
(g)
supplementary cybersecurity information, if applicable;
(h)
ICT product evaluation summary and evaluated configuration;
(i)
results of the evaluation and information regarding the certificate;
(j)
comments and recommendations if applicable;
(k)
annexes, if applicable;
(l)
reference to the security target of the ICT product submitted to certification;
(m)
when available, the mark or label associated to the scheme;
(n)
glossary, if applicable;
(o)
bibliography.
4.
The executive summary referred to in paragraph 3, point (a) shall be a brief summary of the entire certification report. It shall provide a clear and concise overview of the evaluation results and shall include the following information:
(a)
name of the evaluated ICT product;
(b)
name of the ITSEF which performed the evaluation;
(c)
completion date of evaluation;
(d)
date of issuance of the certificate;
(e)
where applicable, date of issuance of the initial certificate;
(f)
validity period;
(g)
unique identification of the certificate as described in Article 11;
(h)
brief description of the certification report results, including:
(i)
the version and if applicable release of the Common Criteria applied to the evaluation;
(ii)
the Common Criteria assurance package or list of security assurance components, the AVA_VAN level applied during the evaluation and the corresponding assurance level as set out in Article 52 of Regulation (EU) 2019/881 to which the EUCC certificate refers to;
(iii)
where applicable, the Protection Profile(s) to which the ICT product is claiming compliance to;
(iv)
reference to the security policy of the evaluated ICT product;
(v)
disclaimer(s), if applicable.
5.
The identification referred to in paragraph 3, point (b) shall clearly identify the evaluated ICT product, including the following information:
(a)
the unique identification of the evaluated ICT product;
(b)
enumeration of the ICT product’s components that are part of the evaluation with version number of each component;
(c)
reference to additional requirements to the operational environment of the certified ICT product.
6.
The contact information referred to in paragraph 3, point (c) shall include at least the following information:
(a)
name of the developer;
(b)
name and contact information of the holder of the EUCC certificate;
(c)
name of the certification body that issued the certificate;
(d)
responsible national cybersecurity certification authority;
(e)
name of the ITSEF which performed the evaluation, and, where applicable, the list of subcontractors.
7.
The security policy referred to in paragraph 3, point (d), shall contain the description of the ICT product’s security policy as a collection of security services and the policies or rules that the evaluated ICT product shall enforce or comply with. It shall also include the following information:
(a)
a description of the vulnerability management and vulnerability disclosure procedures of the certificate holder, to be completed solely with information that can be made publicly available;
(b)
the assurance continuity policy of the holder of the certificate, including, where applicable, the description of the certificate holder’s lifecycle management or production processes in accordance with Section IV.1 of Annex IV;
(c)
where applicable, the presence of patch management procedure and the outcome of its assessment in accordance with Section IV.4 of Annex IV.
8.
The assumptions and clarification of scope referred to in paragraph 3, point (e), shall contain information regarding the circumstances and objectives related to the intended use of the product as referred to in Article 7(1), point (c) and shall include the following:
(a)
assumptions on the ICT product’s usage and deployment in the form of minimum requirements, such as proper installation and configuration and hardware requirements being satisfied;
(b)
assumptions on the environment for the compliant operation of the ICT product;
(c)
description of any threats to the ICT product that are not countered by the evaluated security functions of the product according to the intended use, if deemed relevant for a potential ICT product user.
The information referred to in the first subparagraph shall be as clear and understandable as possible to enable potential users of the certified ICT product to make informed decisions about the risks associated with its use.
9.
The architectural information referred to in paragraph 3, point (f), shall include a high-level description of the ICT product and its main components, based on the deliverables defined in the Common Criteria assurance family: Development – TOE Design (ADV_TDS).
10.
The supplementary cybersecurity information referred to in paragraph 3, point (g) shall include the link to the website of the holder of the EUCC certificate referred to in Article 55 of Regulation (EU) 2019/881.
11.
The ICT product evaluation and configuration referred to in paragraph 3, point (h), shall describe both the developer and evaluator testing effort, outlining the testing approach, configuration and depth. It shall include at least the following information:
(a)
an identification of the used assurance components from the standards referred in Article 3;
(b)
the version of the state-of-the-art documents and further security evaluation criteria used in the evaluation;
(c)
the settings and configuration of the TOE used for the testing and vulnerability analysis;
(d)
any protection profile that has been used, including the following information: the protection profile name, version, date and certificate.
12.
The results of the evaluation and information regarding the certificate referred to in paragraph 3, point (i) shall include information on the attained assurance level as referred to in Article 4 of this Regulation and Article 52 of Regulation (EU) 2019/881.
13.
The comments and recommendations referred to in paragraph 3, point (j), are used to impart additional information about the evaluation results. Those comments and recommendations may take the form of shortcomings of the ICT product discovered during the evaluation or mentions of features which are particularly useful.
14.
The Annexes referred to in paragraph 3, point (k), are used to outline any additional information that may be useful to the audience of the report but does not logically fit within the prescribed sections of the report, including in cases of a complete description of security policy.
15.
The security target referred to in paragraph 3, point (l), shall reference the evaluated security target. The evaluated security target shall be provided with the certification report for the purposes of publication on the website referred to in Article 50(1) of Regulation (EU) 2019/881. Where sanitisation of the evaluated security target is necessary prior to publication, it shall be done in accordance with point V.2 of Annex V to this Regulation.
16.
The marks or labels associated to the EUCC scheme referred to in paragraph 3, point (m), shall be inserted in the certification report in accordance with the rules and procedures laid down in Article 11.
17.
The Glossary referred to in paragraph 3, point (n), is used to increase the readability of the report by providing definitions of acronyms or terms of which the meanings may not be readily apparent.
18.
The bibliography referred to in paragraph 3, point (o), shall include references to all documents used in the compilation of the certification report. That information shall include at least the following:
(a)
the security evaluation criteria, state-of-the-art documents and further relevant specifications used;
(b)
the evaluation technical report;
(c)
the evaluation technical report for composite evaluation, where applicable;
(d)
technical reference documentation;
(e)
developer security guidance;
(f)
developer configuration list.
In order to guarantee the reproducibility of the evaluation, all documentation referred to has to be uniquely identified with the proper release date and proper version number.’.