![[Public Interpretations Database]](http://www.niap-ccevs.org/assets/images/precedent-db.jpg){kind=small}
PD-0047: Reflecting Compliance With Multiple PPs
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
| Effective Date: | 2002-06-11 |
| Last Modified | 2006-08-02 |
Issue
How does a ST reflect compliance with multiple PPs as a function of the choice of operating mode of the TOE? For example, consider a TOE that supports two independent modes of operation. It is compliant with the Application Level Firewall PP (ALFWPP) in one mode of operation and compliant with the Traffic Filter Firewall PP in a different (selectable) mode of operation.
Resolution
In order for a TOE to claim compliance with multiple PPs, it must be compliant with each of the claimed PPs for the single configuration that is evaluated. For this product, a separate ST needs to be produced for each mode of operation, with compliance claimed for the appropriate PP.
Support
The PP supports the ability for an ST to claim compliance with multiple PPs. However, the presumption is that a single configuration of the TOE (i.e., the configuration defined by the ST) is compliant with each of the PPs for which compliance is claimed.
In the case described here, compliance with each PP is being claimed for different configurations of the TOE; in effect, two different instantiations of the product. This requires that the ST include conditional requirements, a notion not supported by the CC. Note that for this case, the two configurations of the product do not meet the same security requirements. This suggests that the the two configurations do not counter the same threats, and do not have the same security objectives. This, in turn, implies that the configurations cannot both satisfy a single ST. However, this is exactly what is required for a product to claim compliance with multiple PPs. That is, such compliance can be claimed only when a single ST counters the threats, satisfies the objectives, and meets the requirements of all claimed PPs concurrently.
The only method provided by the CC for claiming compliance to different PPs via selectable "modes" or configurations of a product is to define each distinct configuration as an independently-defined TOE; that is, via separate STs.
Modification History:
- 2004-08-12
- Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)
References:
- ALFWPPv1.d.1
Related NIs:
- None
Related CCIMB-INTERPs:
- None
Source OD: 0156