[Public Interpretations Database]

PD-0060: Does One Reference or Transcribe Requirements When Including Components in a PP/ST?


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-08-13
Last Modified: 2006-08-02

Issue

When specifying security functional requirements or security assurance requirements (SFR/SAR) in a PP or ST, what constitutes a proper reference to the SFR/SAR: must the component short name and its accompanying content/verbiage be transcribed, or is the short name itself sufficient?

Resolution

Although transcription is desirable for PP/ST readability, there is no requirement to "reference and transcribe" rather than "reference only" Common Criteria security requirements. However, in order to enhance the usability of PPs and STs, the security functional requirement (SFR) short name and its accompanying content/verbiage should be specified. Further, when operations are performed on components, those components should be transcribed to clearly show how the operation has been applied to the component.

Support

This position is supported by the following words in the CC and CEM:

  • CC, Part 1, Annex B, paragraph B.2.1 (Content and Presentation) and CC, Part 1, Annex C, paragraph C.2.1 (Content and Presentation) state that a PP[/ST] should be presented as a user-oriented document that minimizes reference to other material (which includes the CC) that might not be readily available to the PP[/ST] user.

  • CC, Part 3, ASE_REQ.1.6C (and the corresponding APE_REQ requirement) state that "Operations on IT security requirements included in the ST shall be identified and performed."

  • CEM, Part 2, section 3.4.5.2.1 (APE_REQ) and its near-parallel twin, section 4.4.6.3.1 (ASE_REQ), specifically APE_REQ.1.1C/ASE_REQ.1.1C, state that the evaluator determines that all TOE security functional requirements components drawn from Part 2 are identified, either by reference to an individual component in Part 2 [ST: in a PP that the ST claims to be compliant with], or by reproduction in the PP[/ST].

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)
2004-10-14
Fixed spelling error: "shuld" was changed to "should".

References:

  • TFFWPPv1.c

Related NIs:

  • I-0361: "Reference" Refers To A Citation Of The Text Source

Related CCIMB-INTERPs:

  • None

Source OD: 0097