I-0393: A Completely Evaluated ST Is Not Required When TOE Evaluation Starts


TYPE:                 NIAP Interpretation
NUMBER:               I-0393
STATUS:               Formally Superseded

TITLE:                A Completely Evaluated ST Is Not Required When TOE
                      Evaluation Starts
SUPERSEDED BY:        CCIMB-INTERP-0150

EFFECTIVE:            2001-03-15
SUPERSEDED:           2003-07-15

SOURCE REFERENCE:     CC v2.1 Part 1 Figure 4.4
                      CC v2.1 Part 1 Figure 5.1
                      CC v2.1 Part 1 Subclause 4.2.2
                      CC v2.1 Part 1 Subclause 4.5.3
                      CC v2.1 Part 3 Subclause 3.1
RELATED TO:           <None>
CCIMB ENTRY:          CCIMB-INTERP-0150

ISSUE:

In an ideal world, a Security Target (ST) would be completely evaluated before a TOE evaluation starts. In order for this to happen, however, there would need to be a finalized TOE configuration (down to version and patch numbers), and no aspects of evaluation (including testing) would result in changes to the TOE.

In the real world, this never happens. Instead, there may be nuances of the hardware or software platform that are finalized during the TOE evaluation. Further, the evaluation activities, such as testing and analysis, may uncover areas where the ST requires correction, especially in the TOE summary specification.

STATEMENT:

A completely evaluated ST is not required before TOE evaluation may start, although a substantially complete ST is required.

RECOMMENDED CRITERIA CHANGES:

In order to address this interpretation, the following changes are made to CC v2.1, Part 1 (additions marked thusly; deletions marked thusly):

  • Correct Figure 4.4 to change the circle labeled "Evaluate TOE" to "Evaluate ST and TOE".

  • Reword Subclause 4.2.2, paragraph 110, as follows:

    The TOE evaluation process, as described in Figure 4.4 may be carried out in parallel with development, or it may follow. The process of TOE evaluation includes the evaluation of the ST against the ASE requirements in Part 3. The principal inputs to TOE evaluation are:

    a) the set of TOE evidence, which includes [deleted: the evaluated] a substantially complete ST as the basis for TOE evaluation (a "substantially complete" ST is an ST where all sections have been completed to an extent acceptable by the evaluation scheme and for which no significant evaluation hurdles are foreseen);

    b) the TOE for which the evaluation is required;

    c) the evaluation criteria, methodology, and scheme.

  • Reword Subclauses 4.5.2 and 4.5.3 as follows:

    4.5.2 [deleted: ST] TOE evaluation

    TOE evaluation involves two tasks: evaluation of an ST against the ST evaluation criteria contained in Part 3, and evaluation of the TOE against the evaluation criteria in Part 3 using the ST as a basis.

    The evaluation of the ST for the TOE is carried out against the evaluation criteria for STs contained in Part 3. The goal of such an evaluation is twofold: first to demonstrate that the ST is complete, consistent, and technically sound and hence suitable for use as the basis for the corresponding TOE evaluation; second, in the case where an ST claims conformance to a PP, to demonstrate that the ST properly meets the requirements of the PP.

    4.5.3 TOE evaluation

    The TOE evaluation is carried out against the evaluation criteria contained in Part 3 using [deleted: an evaluated] the ST as the basis. The goal of such an evaluation is to demonstrate that the TOE meets the security requirements contained in the ST. The TOE evaluation may commence against a ST that is substantially complete, provided that the ST evaluation is fully complete prior to completion of the TOE evaluation.

  • Change all references in the CC to subclause 4.5.3 to refer instead to subclause 4.5.2.

  • Correct Figure 5.1 to have the arrow go from the "Evaluated PP" square to the current "Evaluate TOE" circle, the latter being relabeled as "Evaluate ST and TOE". The "Evaluate ST" circle and the "ST evaluation results" rectangle would be eliminated.

In order to address this interpretation, the following changes are made to CC v2.1, Part 3 (additions marked thusly; deletions marked thusly):

  • Reword Subclause 3.1, paragraph 133, as follows:

    These criteria are the first requirements presented in this Part 3 because the PP and ST evaluation will normally be performed before the TOE evaluation. They play a special role in that information about the TOE is assessed and the functional and assurance requirements are evaluated in order to find out whether the PP or ST is a meaningful basis for a TOE evaluation.

SUPPORT:

This interpretation recognizes the real-world situation. The position taken by this interpretation is supported by CEM v1.0 Section B.4.1, paragraph 1800, which says:

For some cases the different assurance classes may recommend or even require a sequence for the related activities. A specific instance is the ST activity. The ST evaluation activity is started prior to any TOE evaluation activities since the ST provides the basis and context to perform them. However, a final verdict on the ST evaluation may not be possible until the TOE evaluation is complete, since changes to the ST may result from activity findings during the TOE evaluation.

This interpretation requires the ST to be substantially complete. This means that:

  1. All sections of the ST are substantially complete.

  2. A preliminary assessment of the ST against the ASE requirements uncovers no significant failures.

This interpretation does not place a specific metric on "substantially complete". The setting of such a metric, as well as defining "substantially complete", is an evaluation scheme issue. The appropriate value is a business decision that weighs the risks to an evaluation's schedule against the reasonableness of finalizing ST details during TOE evaluation.