![[Public Interpretations Database]](http://www.niap-ccevs.org/assets/images/precedent-db.jpg){kind=small}
PD-0148: Excluded Functionality and Policy 13
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
| Effective Date: | 2009-01-29 |
| Last Modified | 2009-01-29 |
Issue
When a product exhibits features of multiple Technology Types, is it necessary to include the appropriate security functionality of all of those Technology Types in the Security Target?
Resolution
In the case that a product can be used as one of multiple Technology Types, the vendor may satisfy Policy 13 by including only the security functionality appropriate to a single one of those Technology Types, if so desired. If there is a dispute about whether a particular implemented Technology Type must be included within the Security Target, the author of the Letter of Intent should be contacted to determine if the evaluated functionality meets their requirements as a customer. This PD is applicable only if the Technology Type that a product operates can be selected by configuration - if the product comprises multiple Technology Types and none can be disabled, then all Technology Types shall be included.
Support
Policy 13 requires that the logical boundary of a non-component TOE be determined either as including all functionality that would commonly be regarded as security functionality for that product type by the user community, or by compliance to a validated Protection Profile. The rationale for this requirement in Policy 13 is to prevent TOEs whose security claims are reduced to such an extent that the utility of the evaluated TOE is limited. A TOE's security claims can be limited to the appropriate set for a single supported technology type without violating the goal of Policy 13, namely to produce more meaningful evaluation results.
Modification History:
- 2009-01-29:
- PD created (December 2008 ODRB Meeting Agenda Item 3.a.ix)
References:
- None
Related NIs:
- None
Related CCIMB-INTERPs:
- None
Source OD: 0281