![[Public Interpretations Database]](http://www.niap-ccevs.org/assets/images/precedent-db.jpg){kind=small}
PD-0091: Dependencies of Requirements on the IT Environment
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
| Effective Date: | 2003-05-23 |
| Last Modified | 2006-08-02 |
Issue
Does the CC require all dependencies (both SFRs and SARs) of requirements on the IT environment to either be satisfied in the ST or provide a rationale for not being satisfied?
Resolution
If there is a dependency on an SFR or SAR allocated to the TOE, it must either be satisfied or the non-satisfaction justified. Non-satisfaction can be justified by meeting the dependency in the environment, when this is consistent with the TOE description.
If there is a dependency on an SFR allocated to the IT environment, it need not be explicitly satisfied/verified, although providing an explanation of how that dependency is met can provide clarification and make the job of the integrator easier.
Support
After the Objectives have been derived (from the Assumptions, OSPs, and Threats), they are divided into Objectives to be met by the TOE, and Objectives relegated to the IT environment. The Objectives for the TOE are then used to derive SFRs (and possibly SARs) for the TOE. The ST/PP author may -- yet need not -- choose to similarly derive SFRs/SARs for the IT environment from the environment's objectives. For each of the SFRs for the TOE, there is an explanation of how the SFR is met by the TOE (this is the TSS).
Each of the TOE's SFRs may have dependencies: each dependency is either included among the SFRs/SARs for the TOE, or will presumably be met by the IT environment (in which case the rationale for excluding the SFR from the list of TOE SFRs is that it will be provided by the IT environment).
If the SFRs for the IT environment have been listed, then the dependencies of those environmental SFRs will also be environmental SFRs, and should be in the list of SFRs for the IT environment. However, as specification of environmental SFRs is optional, these "second level" SFRs could be omitted and left to the integrator to address.
What must be ensured is that all dependencies of a TOE SFR are addressed. If the SFRs for the IT environment have been listed, then the TOE's dependent SFRs that are claimed to be met by the IT environment must be included in that list. If, however, the SFRs for the IT environment have not been listed, then the TOE's dependent SFRs that have been rationalized as being met by the IT environment must be mapped back to the Objectives for the environment.
Modification History:
- 2004-08-12
- Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)
References:
- CC Part 1 v2.1, Section 4.4.1.3 Component, paragraph 147.
- CC Part 1 v2.1, Annex C, Section C.2.6 IT security requirements, paragraph 215 (particularly item c, sub-item 4)
- CC Part 1 v2.1, Annex C, Section C.2.9 Rationale, paragraph 222 (particularly item b, sub-item 3)
- CC Part 3 v2.1, Section 2.1.3.4 Dependencies, paragraphs 45-48.
- CC Part 3 v2.1, Section 5.6 IT Security Requirements (ASE_REQ), ASE_REQ.1.7C and ASE_REQ.1.8C, page 48.
- CEM Part 2 v1.0, ASE_REQ1.-13 (particularly paragraph 418)
Related NIs:
- None
Related CCIMB-INTERPs:
- None
Source OD: 0213