PD-0023: Design Decomposition for Physical Security
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
Issue

Consider a TOE that has physical hardware mechanisms, such as locks, that are defined to be subsystems. How are the design decomposition requirements to be addressed for such subsystems?

Resolution

The purpose of the design documentation levels of abstraction (FSP, HLD, and LLD) is to increase understandability of the design. Greater understandability, in turn, contributes to the introduction of fewer security flaws into an IT product over its life cycle. If understandability is NOT increased by more refinement in the design documentation, then it is not necessary. For simple TOEs, not all three levels of abstraction (ADV_HLD, ADV_LLD, ADV_IMP) need to be different, as long as understandability of the TOE is achieved.

Support

The basic notion is that multiple levels of design abstraction may not be needed for conceptually simple hardware mechanisms, such as physical enclosures or locks. The amount of design information is typically dictated by the complexity of the mechanism, for example, locks vs. enclosures.

Modification History:
References:
Related NIs:
Related CCIMB-INTERPs:
Source OD: 0176