Closed woodbe closed 3 years ago
I moved the new artefact text that we will want to use in the toolbox process into the biometricITC/Administration#41 pull request to update that document with more details on the expectation of the changes.
@n-kai While I agree that the iTC does not have the ability to control the evaluators actions, as we are the ones in control of the Toolbox, I don't see how it can be acceptable to allow someone to add new tests to the toolbox and then say that it is comparable to an evaluation that didn't have those.
My concern is something along these lines:
So now vendor 2 has run the tests that meet v1, but also a set of tests that don't meet anything in v1 or anything in the approved v2 from the iTC. How would this be handled? How would this be repeatable (the NIAP requirement)?
This is why I want to say that the process for adding a new toolbox artefact would run something like this:
So this would mean going from v1, the lab would provide updates that we would use to create a v2, which would be accepted as the iteration for that modality. If the iTC decides additional changes are needed, then a v3 would be created, but v2 would be able to be used for the evaluation, and would be in effect as the current set of tests for all new evals running (so if another vendor started 3 months later, they would also have to use these docs with the new artefacts.
What I am trying to avoid is having 2 vendors testing the same modality and one of these scenarios happening (because the lab can do what it wants and still be approved):
The way less ideal way to handle this scenario, I would think, would be to to say that until the new artefacts are approved, even if there is testing to the new artefacts, the certificate can only claim compliance to the current published version of the toolbox. If the scheme wants to list additional details about tests that is fine, but there wouldn't be any compliance claim to anything except the current version of the toolbox. The problem here though is that there is no consistency for any new artefacts, and likely this will be frowned upon (especially by NIAP).
This is a start to the new artefacts test plan.
This will close #342
This update changes the assumptions section in the text. Other changes still need to be updated.