[Public Interpretations Database]

PD-0024: Conformance with a PP with respect to Level of Audit
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-03-11
Last Modified: 2006-08-02

Issue

If a Security Target claims compliance with a PP and then goes on to add additional requirements, must the audit requirements of the additional SFRs also comply with the PP FAU_GEN required level of audit (basic, minimal, etc.), or can they be considered at a different audit level and still be in compliance with the PP?

Resolution

The PP/ST paradigm, in some cases (audit being one of them, SOF being another possible one), should allow a PP writer to express objectives and requirements that apply to a broad set of SFRs, some of which may not be specified directly in the PP. However, this intention must be expressed in a clear, unambiguous manner in the PP objectives (and hence their associated requirements). The following "rules of application" are offered for consideration when determining whether PPs can legitimately levy audit requirements on SFRs not specified in the PP:

Rules of Application

If PP authors wish to extend auditing requirements to include unspecified SFRs they must:

  1. Ensure that an appropriate objective is written that articulates this intent.

  2. Choose a minimum level of auditing predefined by the CC (i.e., minimal, basic, detailed) to give guidance on the level of auditing for SFRs not currently specified in the PP.

  3. Explicitly identify this intent in the rationale for the objectives and requirements. Without an explicit statement of this nature, it is assumed that the PP author's intent is that the audit package explicitly identifies the SFRs that must be audited to claim compliance with the PP.

Note: Although this could be broadly applicable, this decision deals explicitly with the application of audit requirements to non-specified SFRs. The rule may be shown to apply to other areas, but this must be shown to be valid before a broad policy is levied on all SFRs.

Support

The rationale for this ruling is that the CC is supposed to offer PP/ST authors a paradigm to express their security needs.

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • CAPPv1.d
  • CEM v1.0 Part 2 ASE_REQ.1-12

Related NIs:

  • I-0347: Including Sensitive Information In Audit Records

Related CCIMB-INTERPs:

  • None

Source OD: 0182