[Public Interpretations Database]

PD-0103: Clarify CCEVS Policy for Applying NIAP Interpretations


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2004-02-17
Last Modified: 2006-08-02

Issue

Several CCEVS guidance documents that address the application of NIAP Interpretations in evaluations are inconsistent with the public announcement of an intended policy regarding that issue that was provided to Validators and Evaluators at their respective workshops in Fall 2003.

The Evaluation Team cited the public announcement that NIAP Interpretations were not required and Section 4 of the ETR Template, "CCEVS T6000, Ver 2 (12/23/03)" as justification for not applying several NIAP Interpretations. The Validator posited that the CCTLs and Validators had to comply with the current published policies concerning how to handle NIAP Interpretations:

  • ValGram #10, NIAP CCEVS Interpretations Policy/Guidance (1-11-2001)

  • Section 4.4 of Scheme Publication # 4, Guidance to CCEVS Approved CCTLs, version 1 (3-20-2001)

  • PD-0078, Incorporation of Interpretations into a PP (last modified 10-23-2002)

  • PD-0079, Handling of Interpretations (last modified 11-15-2002)

  • LabGram #21/ValGram #40, Status of NIAP Interpretations (5-9-2003)

In light of the various written and oral policies, guidance, and directions that have been issued, both the CCTL and the Validator requested clarification of which guidance needed to be followed.

Resolution

CCEVS policy stands as written in LabGram #21/ValGram #40 (5-9-2003) and announced at the 2003 Validators' Workshop, that NIAP Interpretations are recommended, but not required. For future reference, in the case of conflicting guidance from CCEVS regarding issues such as this, the latest guidance should be followed.

This Precedent recommends the following procedures for applying NIAP Interpretations to evaluations:

  1. Do not address NIAP Interpretations in the ETR unless they are explicitly included as an SFR or SAR in the Security Target.

  2. Regularly review the NIAP Interpretations and Precedents posted on the NIAP/CCEVS web site to keep up-to-date with current NIAP/CCEVS guidance for interpreting the CC and CEM requirements.

  3. Indicate to Security Target authors during both the early stages of ST development and the ST evaluation any NIAP Interpretations and Precedents that might assist in resolving an evaluation issue.

  4. Document the Evaluation Team's analysis of which NIAP Interpretations and Precedents are applicable to an evaluation in the evaluation records:

    • Which NIAP Interpretations and Precedents need to be applied to the evaluation.

    • Why the remaining NIAP Interpretations and Precedents need not be applied.

  5. Follow LabGram #21/ValGram #40's directions for identifying and justifying the changes to the wording of the SFRs and SARs that the CCEVS and NIAP Interpretations required.

All NIAP Interpretations have associated with them a 3-digit stage that represents their position in the NIAP Interpretations Process. The following list associates the Stage numbers with the corresponding Status entries and NIB-recommended evaluator actions.

  • 470: Sent to CCEVS Management and CCIMB for Review
    500: Approved
    510: Approved by CCEVS Management and Mailed to Public Mailing List

    Since it is possible that the CCIMB may reject the NIAP Interpretation, apply the NIAP Interpretation if it assists in resolving an evaluation issue.

  • 550: Approved, Acceptable to CCIMB, No CCIMB Interpretation
    555: Approved, Acceptable to CCIMB, CCIMB Interpretation Pending

    Treat the NIAP Interpretation as a Precedent. That is, if the issue that the NIAP Interpretation resolves is applicable to the evaluation, apply the NIAP Interpretation or provide a rationale for not applying it.

  • 520: Superseded

    If the NIAP interpretation is superseded by another NIAP interpretation, use the other NIAP interpretation as indicated by its STAGE. If the NIAP interpretation is superseded by a CCIMB interpretation, use the superseding CCIMB interpretation.

 

Modification History:

2004-11-12
Clarified Item #4 to elaborate on the types of analysis needed from the evaluation team. This elaboration is based on the words in Draft Handbook 150-20, Information Technology Security Testing -- Common Criteria (April 1999), in particular, Section 285.33 (h)(1) (Criteria for Accreditation, Calibration and Test Methods). (October 2004 ODRB 4.b.i and NIB 6.c.ii)
2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • ValGram 10, NIAP CCEVS Interpretations Policy/Guidance (1-11-2001)
  • Scheme Publication #4, version 1, (3-20-2001)
  • PD-0078: Incorporation of Interpretations into a PP (10-23-2002)
  • PD-0079: Handling of Interpretations (11-15-2002)
  • ValGram 40/LabGram 21, Status of NIAP Interpretations (5-9-2003)

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0227