![[Public Interpretations Database]](http://www.niap-ccevs.org/assets/images/precedent-db.jpg){kind=small}
PD-0071: Identification of Operations on Security Functional Requirements
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
| Effective Date: | 2002-10-23 |
| Last Modified | 2006-08-02 |
Issue
Does an ST have to identify operations performed with respect to the PP (i.e., only those done in addition to the PP), or with respect to the CC (i.e., operations performed within the PP, as well as operations performed in addition to the PP)?
Resolution
The CC has a number of requirements dealing with “operational conformance” of IT requirements. One is A*E_REQ.1.6C that focuses on identifying operations that must be analyzed by the evaluator to determine conformance to the Common Criteria requirements. A second is ASE_PPC.1.2C that focuses on evaluator analysis of operations required by a PP to be completed in an ST that is targeting a compliance claim to that PP. On the surface, these two requirements imply that option 3 is the only acceptable interpretation.
However, the question that is highlighted by this OR focuses on how ASE_REQ.1.6C is actually met. Specifically:
In meeting ASE_REQ.1.6C, does the ST have to identify operations that have been already identified in the PP as well operations that have been invoked by the ST author?
Examining CC, Part 1, Annex C, paragraph 219, item b, we find the following statement that sheds some light on the appropriate answer to this question.
“If the ST claims only compliance with the requirements of [ed. an evaluated] PP without need for further qualification, the reference to the PP is sufficient to define and justify the TOE objectives and requirements. Restatement of the PP contents is unnecessary.”
This supports the notion that restatement of requirements (and hence identification of PP invoked operations) is unnecessary unless the ST further refines them or otherwise invokes an operations required by the PP. This means that the presentation of the ST need not readily facilitate evaluator analysis that has already been performed as part of a PP evaluation. Hence, for STs claiming compliance to PPs that have been evaluated, there is no need to identify operations that have already been analyzed as part of a PP evaluation. (i.e, identification can rely on work performed as part of the PP evaluation). Note that if additional requirements have been added that are not present in the PP, operations must be identified appropriately.
However, if the PP that is targeted for conformance has not been evaluated (note: ASE_PPC does not require that PP’s be evaluated before they can be used in a conformance claim), the ST must identify all operations that are invoked whether they are initiated from the PP or from the CC itself.
Modification History:
- 2004-08-12
- Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)
References:
- CEM Part 2, Version 1.0, ASE_REQ.1-10
Related NIs:
- None
Related CCIMB-INTERPs:
- None
Source OD: 0201