[Public Interpretations Database]

PD-0045: Where can policy be specified in a PP?


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-06-11
Last Modified: 2006-08-02

Issue

Where can policy be specified in a PP?

Resolution

Policy should be specified using requirements, environmental assumptions, etc. It may also be described, but should not be defined, in the front matter of a PP.

Support

The requirements necessary to ensure that the TOE security policy is enforced must be included in the PP. These requirements must be traceable, through the objectives, to the assumptions, threats, and organizational security policies in the statement of environment, as required by the CC. Definitions are not a permissible substitute for the statements of environment, objectives, and requirements specified in a PP.

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • ALFWPPv1.c

Related NIs:

  • I-0366: All Administrators Are Authorized
  • I-0367: Management Sections Are Informative

Related CCIMB-INTERPs:

  • None

Source OD: 0100