[Public Interpretations Database]

I-0398: Assumptions, Objectives, And Environmental Requirements


TYPE:                 NIAP Interpretation
NUMBER:               I-0398
STATUS:               Pending on: APE/ASE Rewrite
REASON:               Hold - Pending ASE/APE Rewrite

TITLE:                Assumptions, Objectives, And Environmental Requirements

SOURCE REFERENCE:     CC v2.1 Part 1 Subclause 4.3
                      CC v2.1 Part 1 Subclause B.2
                      CC v2.1 Part 1 Subclause C.2
                      CC v2.1 Part 3 Subclause 4.4 APE_OBJ
                      CC v2.1 Part 3 Subclause 4.5 APE_REQ
                      CC v2.1 Part 3 Subclause 5.4 ASE_OBJ
                      CC v2.1 Part 3 Subclause 5.6 ASE_REQ
RELATED TO:           <None>

ISSUE:

One confusing area of the CC is the role of assumptions and the objectives for the non-IT environment of the TOE. These are not treated consistently or clearly in CC v2.1.

STATEMENT

Assumptions are axioms about the usage and non-IT environment of the TOE. They serve to eliminate threats from consideration.

Objectives for the non-IT environment are goals to be met by the non-IT environment. They may be assumed, or they may be enforced through requirements on the non-IT environment that are enforced by the fielding organizations. They serve to address non-IT aspects of organizational security policies and may reduce (but not eliminate) threats.

RECOMMENDED CRITERIA CHANGES

To address this interpretation, the following changes should be made to Part 1 (in the original, additions and deletions were distinguished by typographic marking that is not preserved in this text):

  • Update and correct Figure 4.5 in the following fashion:

    • The arrow between "Assumptions" and "Establish security objectives" should be removed. The figure should be reworked to show that assumptions influence the selection of threats, and eliminate threats from consideration. This might be done by having a box labeled "All Threats", an arrow passing through "Assumptions", resulting in "Residual Threats" (which then go into objectives).

    • Correct the text in the figure to make it clear that all requirements are IT requirements. Specifically, in the circle below "Security objectives" the text should be "Establish security requirements", and the boxes below that should be changed to (from left to right): "TOE Functional requirements", "TOE Assurance requirements", and "Requirements for the IT environment".

    • Consider creating a dashed arrow (to indicate the optional nature) going from "Establish security requirements" to a dashed (optional) box labelled "Requirements for the non-IT environment".

  • Reword Section 4.3.2, CC v2.1, paragraph 123 as:

    The results of the analysis of the security environment could then be used to state the security objectives that counter the identified threats and address identified organisational security policies and assumptions.

  • Correct Figure B.1 to show that there are three types of security objectives: "Security objectives for the TOE", "Security objectives for the IT environment", and "Security objectives for the non-IT environment".

  • Reword Section B.2.4, CC v2.1, paragraph 196 "b)" third subparagraph as:

    If security objectives are derived from only organisational security policies and assumptions, then the description of threats may be omitted.

  • Reword Section B.2.4, CC v2.1, paragraph 196 "c)" second subparagraph as:

    If security objectives are derived from only threats and assumptions, then the description of organisational security policies may be omitted.

  • Reword Section B.2.5, CC v2.1, paragraph 198 as:

    The statement of security objectives shall define the security objectives for the TOE and its environment. The security objectives shall address all of the security environment aspects identified. The security objectives shall reflect the stated intent and shall be suitable to counter all identified threats and cover all identified organisational security policies and assumptions. The following categories of objectives shall be identified. Note: when a threat or organisational security policy is to be covered partly by the TOE and partly by its environment, then the related objective shall be repeated in each category.

    a) The security objectives for the TOE shall be clearly stated and traced back to aspects of identified threats to be countered by the TOE and/or organisational security policies to be met by the TOE.

    b) The security objectives for the IT environment shall be clearly stated and traced back to aspects of identified threats to be countered by the IT environment and/or organisational security policies to be met by the IT environment.

    c) The security objectives for the non-IT environment shall be clearly stated and traced back to aspects of identified threats not completely countered by the TOE/IT environment and/or organisational security policies or assumptions not completely met by the TOE/IT environment.

    Note that security objectives for the environment may be a re-statement, in whole or part, of the assumptions portion of the statement of the TOE security environment.

  • In Section B.2.6, the second paragraph of list item "b)" should be reworded as follows:

    b) The optional statement of Security requirements for the IT environment shall identify the IT security requirements that are to be met by the IT environment of the TOE. If the TOE has no asserted dependencies on the IT environment, this part of the PP may be omitted.

    c) Note that security requirements for the non-IT environment, while often useful in practice, are not required to be a formal part of the PP as they do not relate directly to the implementation of the TOE. If present, they state the requirements that a fielding organization must ensure are in place in order for all identified threats and organisational security policies to be addressed.

    The subsequent list item should be renumbered to be "d)".

  • Similar changes to those identified above for Annex B should be made to Annex C.

To address this interpretation, the following changes should be made to Part 3 (in the original, additions and deletions were distinguished by typographic marking that is not preserved in this text):

  • The APE_OBJ.1.3C element should be reworded as:

    The security objectives for the environment shall be clearly stated and traced back to aspects of identified threats not completely countered by the TOE and/or organisational security policies or assumptions not completely met by the TOE.

  • The APE_OBJ.1.5C element should be reworded as:

    The security objectives rationale shall demonstrate that the stated security objectives are suitable to cover all of the identified organisational security policies and assumptions.

  • The APE_REQ.1.12C element should be reworded as:

    The security requirements rationale shall demonstrate that the IT security requirements are suitable to meet the security objectives that are allocated to the TOE and IT environment.

  • Parallel changes to the changes identified above for APE_OBJ and APE_REQ should be made to ASE_OBJ and ASE_REQ.

FURTHER CONSIDERATIONS:

Lastly, this interpretation will require corresponding changes to the CEM.

SUPPORT:

The goal of this interpretation is to clarify the relationship between assumptions, threats, organizational security policies (OSPs), objectives, and requirements.

Background

In CC v2.1, there are two types of assumptions: some are simply statements about assumed behaviors, others are statements about assumed non-IT environmental conditions. [CC v2.1, Part 1, B.2.4, para. 196 "a)"] These assumptions are considered axiomatic [CC v2.1, Part 1, 4.3.1, para. 122 "a)"]. The CC permits the second type of assumption to be mapped to non-IT environmental objectives. However, there is no requirement to perform such a mapping, and the figures and text in Part 1 do not make a clear distinction between IT and non-IT objectives.

Objectives for the environment must be traced back to aspects of the threats and organizational security policies (OSPs) that are not met by the TOE [CC v2.1, Part 1, B.2.5, para. 198 "b)"]. However, not all such objectives have corresponding requirements. Only the security objectives for the IT environment must be addressed by IT security requirements [CC v2.1, Part 1, 4.3.2, para. 126]; any requirements for the non-IT environment are optional [CC v2.1, Part 1, B.2.6, para. 199 "b)", second paragraph].

Confusion arises in the following areas:

  1. The CC permits objectives to address assumptions. However, assumptions are axiomatic, that is, they are taken for granted and are statements accepted as true. Hence, it is confusing to state them additionally as a "goal", as they are already given as true.

  2. The distinction between the IT and non-IT environment objectives is not clear. This creates confusion on the extent to which any non-IT requirements must be mapped to non-IT objectives.

Towards a Uniform Picture

This interpretation attempts to address this confusion and create a coordinated view. In this view, assumptions serve to eliminate threats from consideration; that is, they take the full set of interesting threats and reduce it to a set of residual threats that must be addressed. Residual threats and organizational security policies are addressed by objectives. Ideally, they should be addressed by IT objectives (TOE and IT environment), but some aspects of the residual threats/OSPs (especially OSPs) may be non-IT related. These would be addressed by non-IT objectives.

This results in the following clear breakdown:

  • Assumptions describe the security aspects of the environment in which the TOE will be used or is intended to be used. They include assumptions about user behaviour, non-IT security procedures, and other environmental aspects.

  • Threats are statements about potential attacks to the IT assets that remain after assumptions are taken into account. Threats may be reduced by objectives.

  • OSPs are statements of policy from the sponsoring organizations. OSPs may be addressed by objectives or assumptions.

  • Objectives are statements about the goals of TOE or its environment.

The PP or ST author has the option of using either assumptions or non-IT environment objectives to state non-IT environmental conditions. Non-IT environment objectives should be used when the non-IT environmental condition is used to reduce a threat that is also reduced by IT environment or TOE objectives. Threats that are eliminated by non-IT environment conditions should be handled by assumptions, and not listed as residual threats.
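As an added illustration (not part of this interpretation, the CC, or any real PP or ST), the following Python script models the breakdown above as data and mechanically checks the rationale rules the interpretation recommends: assumptions eliminate threats and leave a residual set; every residual threat and every OSP must be covered by an objective; an objective must not counter a threat an assumption has already eliminated; a residual threat countered only by non-IT environment objectives should instead be stated as an assumption; and only TOE and IT environment objectives must be met by IT security requirements. Every identifier in it (the T.*, A.*, P.*, O.*/OE.* names and the requirement-to-objective mapping) is a constructed placeholder for a hypothetical TOE, chosen to resemble common PP naming conventions.

```python
"""Coverage-rationale checks for the assumption / threat / OSP / objective /
requirement chain as described in the interpretation.  Added example; all
identifiers below are hypothetical placeholders, not taken from a real PP."""
from dataclasses import dataclass, field

TOE, IT_ENV, NON_IT_ENV = "TOE", "IT_ENV", "NON_IT_ENV"


@dataclass
class Objective:
    name: str
    category: str                               # TOE, IT_ENV or NON_IT_ENV
    counters: set = field(default_factory=set)  # threats it (partly) counters
    meets: set = field(default_factory=set)     # OSPs it (partly) meets
    restates: set = field(default_factory=set)  # assumptions it restates (non-IT only)


def residual_threats(all_threats, assumptions):
    """Assumptions eliminate threats; the remainder must be addressed by objectives."""
    eliminated = set()
    for removed in assumptions.values():
        eliminated |= removed
    return all_threats - eliminated


def check_rationale(all_threats, assumptions, osps, objectives, requirements):
    """Return a list of findings; an empty list means the rationale is consistent.

    assumptions: {assumption_id: set of threats it eliminates}
    requirements: {requirement_id: set of objective names it helps meet}
    """
    findings = []
    residual = residual_threats(all_threats, assumptions)
    eliminated = all_threats - residual
    known = {o.name for o in objectives}

    # Every residual threat and every OSP must be covered by some objective.
    for t in sorted(residual):
        if not any(t in o.counters for o in objectives):
            findings.append(f"threat {t} is residual but no objective counters it")
    for p in sorted(osps):
        if not any(p in o.meets for o in objectives):
            findings.append(f"OSP {p} is not covered by any objective")

    for o in objectives:
        # A threat eliminated by an assumption is not residual and must not
        # reappear in the objectives rationale.
        for t in sorted(o.counters & eliminated):
            findings.append(f"{o.name} counters {t}, which is already eliminated by an assumption")
        for t in sorted(o.counters - all_threats):
            findings.append(f"{o.name} traces to unknown threat {t}")
        for p in sorted(o.meets - osps):
            findings.append(f"{o.name} traces to unknown OSP {p}")
        for a in sorted(o.restates - set(assumptions)):
            findings.append(f"{o.name} restates unknown assumption {a}")
        if o.category != NON_IT_ENV and o.restates:
            findings.append(f"{o.name} restates an assumption but is a {o.category} objective")
        if o.category == NON_IT_ENV and not (o.counters or o.meets or o.restates):
            findings.append(f"{o.name} does not trace back to any threat, OSP or assumption")

    # A residual threat countered only by the non-IT environment is really being
    # eliminated by an environmental condition: state it as an assumption instead.
    for t in sorted(residual):
        cats = {o.category for o in objectives if t in o.counters}
        if cats == {NON_IT_ENV}:
            findings.append(f"threat {t} is countered only by non-IT objectives; consider an assumption")

    # Only TOE and IT environment objectives must be met by IT security requirements.
    met = set()
    for req, objs in requirements.items():
        for name in sorted(set(objs) - known):
            findings.append(f"{req} claims to meet unknown objective {name}")
        met |= set(objs)
    for o in objectives:
        if o.category != NON_IT_ENV and o.name not in met:
            findings.append(f"{o.name} ({o.category}) is not met by any IT security requirement")
    return findings


# Constructed sample environment for a hypothetical network filter TOE.
THREATS = {"T.TAMPER", "T.BYPASS", "T.UNAUTH_ADMIN", "T.PHYSICAL"}
ASSUMPTIONS = {"A.PHYSICAL": {"T.PHYSICAL"}}   # a locked room eliminates T.PHYSICAL
OSPS = {"P.AUDIT_REVIEW"}
OBJECTIVES = [
    Objective("O.MEDIATE", TOE, counters={"T.BYPASS"}),
    Objective("O.ADMIN_AUTH", TOE, counters={"T.UNAUTH_ADMIN"}),
    Objective("O.AUDIT", TOE, meets={"P.AUDIT_REVIEW"}),
    Objective("OE.TIME", IT_ENV, meets={"P.AUDIT_REVIEW"}),
    Objective("OE.ADMIN_TRAINED", NON_IT_ENV, counters={"T.UNAUTH_ADMIN"}),  # reduces, with O.ADMIN_AUTH
    Objective("OE.REVIEW_LOGS", NON_IT_ENV, meets={"P.AUDIT_REVIEW"}),
    Objective("OE.PHYSICAL", NON_IT_ENV, restates={"A.PHYSICAL"}),
]
REQUIREMENTS = {   # hypothetical mapping of components to objectives
    "FDP_IFC.1": {"O.MEDIATE"},
    "FIA_UAU.2": {"O.ADMIN_AUTH"},
    "FAU_GEN.1": {"O.AUDIT"},
    "FPT_STM.1": {"OE.TIME"},
}


def run_sample():
    """Deliberately leaves T.TAMPER uncovered so one finding is reported."""
    return check_rationale(THREATS, ASSUMPTIONS, OSPS, OBJECTIVES, REQUIREMENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The sample reports exactly one finding, the uncovered residual threat T.TAMPER; adding an objective that counters T.PHYSICAL, or covering T.TAMPER only from the non-IT environment, triggers the corresponding checks described above.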

NOTE TO THE IWG: This interpretation probably eliminates the need for I-0368.