[Public Interpretations Database]

PD-0016: Evidence for APE Assurance Requirements


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-03-11
Last Modified: 2006-08-02

Issue

CC APE_REQ.1.9C states:

'The evidence shall justify why any non-satisfaction of dependencies is appropriate'.

First, there is no 'evidence' required of PP developers, only a rationale. CC v2.1, part 1, subclause B.2.8.b.3.iii, appears to indicate that the PP authors intended to demonstrate that a selected set of security functional requirements that fail to satisfy all dependencies is appropriate to satisfy the security objectives. Is this a correct interpretation?

(Note that this requirement is restated verbatim in ASE_REQ.1.8C.)

Resolution

The answer is provided in the CEM v1.0 Part 2, paragraphs 231, 232, and 233 of work unit APE_REQ.1-14. This work unit and these specified paragraphs clearly give the guidance needed for the issues raised in the OD:

APE_REQ.1-14 The evaluator shall examine the security requirements rationale to determine that an appropriate justification is given for each case where security requirement dependencies are not satisfied.
231 The evaluator determines that the justification explains why the dependency is unnecessary, given the identified security objectives.
232 The evaluator confirms that any non-satisfaction of a dependency does not prevent the set of security requirements adequately addressing the security objectives. This analysis is addressed by APE_REQ.1.13C.
233 An example of an appropriate justification is when a software TOE has the security objective: “failed authentications shall be logged with user identity, time and date” and uses FAU_GEN.1 (audit data generation) as a functional requirement to satisfy this security objective. FAU_GEN.1 contains a dependency on FPT_STM.1 (reliable time stamps). As the TOE does not contain a clock mechanism, FPT_STM.1 is defined by the PP author as a requirement on the IT environment. The PP author indicates that this requirement will not be satisfied with the justification: “there are attacks possible on the time-stamping mechanism in this particular environment, the environment can therefore not deliver a reliable time-stamp. Yet, some threat agents are incapable of executing attacks against the time-stamping mechanisms, and some attacks by these threat agents may be analysed by logging time and date of their attacks.”

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • TFFWPPv1.c

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0094