PD-0073: Partial Conformance to a PP/Conditional Requirements in a PP


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-10-23
Last Modified: 2006-08-02

Issue

Partial conformance to a PP is not admissible for CC evaluation. Nor are conditional requirements permitted. Is it possible to define a PP that will pass evaluation that contains sets of requirements such that an ST may potentially reference some sets and not reference others yet still claim conformance to that PP?

Resolution

This need can be addressed through the use of a "Core PP package" combined with "component PP packages." The requirements to be common to anything claiming to meet the PP would be captured in the "Core PP package", with the various optional or conditional approaches being expressed in supplemental "component PP packages". The ST would claim conformance to a "Composite PP" consisting of the Core PP package plus some composition of the "component PP packages". The method of constructing this would be as follows:

  1. Define a core set of corresponding threats, assumptions, and security objectives in the PP package that will be common to all composite PPs created from the components in the PP package.

  2. Define component sets of corresponding threats, assumptions, and security objectives that can be combined with the core set to form composite PPs. More than one component set may be combined to form a PP.

  3. Define a method for choosing which components can and cannot be combined to form composite PPs. It is these composite PPs to which STs will claim conformance. These composite PPs must be complete PPs in all respects.

  4. Define a naming convention that can uniquely and unambiguously identify each possible composite PP that could be created from the PP package.

The following procedures must be performed by the evaluators of a package PP:

  1. Each component of a package PP must be evaluated. They may reference other components to satisfy requirements as per the combination method.

  2. The method used to combine components must be examined to determine that it cannot create a package of threats, assumptions, and security objectives that conflict.

  3. The naming convention must be examined to determine that it performs as expected.

  4. The sets of threats, assumptions, and security objectives for each individual package must be examined for consistency and to ensure they do not conflict with each other.
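
The construction and evaluator checks above can be modelled mechanically. The following is an added example, not part of the decision or of any published PP: it enumerates every composite PP a package can produce, then applies evaluator steps 2 and 3. The component names, the exclusion-pair combination method, the declared conflict pairs and the naming scheme are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed PP package: every identifier below is hypothetical.
CORE = {"threats": {"T.UNAUTH_ACCESS"}, "assumptions": {"A.PHYSICAL"},
        "objectives": {"O.IDENTIFY"}}
COMPONENTS = {
    "REMOTE": {"threats": {"T.NET_SNIFF"}, "assumptions": {"A.UNTRUSTED_NET"},
               "objectives": {"O.ENCRYPT_LINK"}},
    "LOCAL": {"threats": set(), "assumptions": {"A.ISOLATED_NET"},
              "objectives": {"O.CONSOLE_ONLY"}},
    "AUDIT": {"threats": {"T.UNDETECTED"}, "assumptions": set(),
              "objectives": {"O.AUDIT_LOG"}},
}
# Assumed combination method: pairs of components that may not be combined.
EXCLUDES = {frozenset({"REMOTE", "LOCAL"})}
# Statements the package author has declared contradictory (assumed input).
CONFLICTS = {frozenset({"A.UNTRUSTED_NET", "A.ISOLATED_NET"})}

def allowed(selection, excludes=EXCLUDES):
    """Combination method: reject a selection containing an excluded pair."""
    return not any(pair <= set(selection) for pair in excludes)

def composite_name(selection, package="EXAMPLE-PP"):
    """Naming convention: core tag plus sorted component tags, so the
    order in which components are listed never changes the name."""
    return "+".join([f"{package}-CORE", *sorted(selection)])

def merge(selection):
    """All threats, assumptions and objectives of the composite PP."""
    parts = [CORE] + [COMPONENTS[c] for c in selection]
    return set().union(*(s for p in parts for s in p.values()))

def evaluate_package(excludes=EXCLUDES):
    """Evaluator steps 2 and 3: walk every permitted composite and
    report conflicting statement sets and non-unique names."""
    names, problems = {}, []
    for r in range(len(COMPONENTS) + 1):
        for sel in combinations(sorted(COMPONENTS), r):
            if not allowed(sel, excludes):
                continue
            name, statements = composite_name(sel), merge(sel)
            if name in names:
                problems.append(f"name clash: {name}")
            names[name] = sel
            problems += [f"{name}: {sorted(c)}"
                         for c in CONFLICTS if c <= statements]
    return names, problems
```

Calling evaluate_package(excludes=set()) models a package whose combination method forgot the exclusion rule: the two composites that contain both REMOTE and LOCAL are reported as conflicting.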

Support

During the development of a PP, a problem was identified with some National Information Assurance Partnership (NIAP) requirements and constraints. The requirements and constraints may cause confusion among ST authors and evaluators who use the PP and could cause inefficient, and potentially erroneous, use of the PP.

This OD details a methodology that enhances the CC in a number of ways. It:

  • Makes the concept of packages more useful and meaningful.

  • Provides for the creation of composite PPs from components in package PPs.

  • Extends the CEM in terms of how to evaluate package PPs.

  • Provides an efficient approach to evaluation of package PPs.

In effect, the methodology described here "mass produces" evaluated PPs. By ensuring that the components described in a package PP can be combined in a large but determinate number of ways, a product vendor can evaluate a wider variety of products while still claiming conformance to (presumably useful) PPs.

The following definitions are used in this decision:

  • PP component: A set of threats, assumptions, and security objectives

  • PP package: A set of PP components related in some fashion and evaluated together including one core component

  • Composite PP: A PP constructed of PP components all from a single PP package

Note also that the approach detailed here incorporates notions from the proposed revision of ASE.

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0202