[Public Interpretations Database]

I-0427: Identification Of Standards


TYPE:                 NIAP Interpretation
NUMBER:               I-0427
STATUS:               Approved by CCEVS Management and Mailed to Public Mailing
                      List

TITLE:                Identification Of Standards
SUPERSEDES:
     I-0385           Identification Of Standards
APPROVAL POSTING:     [cc-in 00025]

EFFECTIVE:            2001-06-22

SOURCE REFERENCE:     CC v2.1 Part 3 Subclause 4.5 APE_REQ
                      CC v2.1 Part 3 Subclause 5.6 ASE_REQ
                      CEM v1.0 Part 2 Subclause 3.4.5.2.1 APE_REQ.1.1E
                      CEM v1.0 Part 2 Subclause 4.4.6.3.1 ASE_REQ.1.1E
RELATED TO:
     I-0385           Identification Of Standards

ISSUE:

Claims about use of a standard may be ambiguous with respect to the source of a metric and the meaning of compliance.

STATEMENT

Claims about use of a standard must be unambiguous with respect to the source of a metric and the meaning of compliance. If a compliance claim is made, the PP/ST author must provide an indication of how compliance is to be determined.

RECOMMENDED CRITERIA CHANGES

To address this interpretation, the following changes are made to CC v2.1, and to the CEM, v1.0:

  • The following paragraphs are added to CC Part 3 following paragraph 157 of Application notes in Section 4.5:

    In some instances, it is appropriate for a PP to claim compliance with an external standard, such as the definition of an encryption algorithm. When the standards document provides only one mode of operation of the algorithm, or level of use of the algorithm, the compliance claim is clear. However, some standards define multiple approaches, and a simple citation is insufficient. Citations of an external standard should be unambiguous with respect to what is being required. If the standard specifies multiple modes or manners of operation, the citation should be specific enough to determine which mode or manner of operation applies to the TSF.

    Additionally, there are many ways of determining compliance with a standard. Compliance may be verified as part of the TOE evaluation, it might be claimed by a developer, or it might be verified by an independent party. In order to have consistency across evaluations, the PP author should specify the means of determining compliance, so that consistency across all uses of the PP is achieved.

  • APE_REQ.1 is relabeled as APE_REQ.1-NIAP-0427. Unless otherwise noted in these changes, all normative and informative material associated with APE_REQ.1 is incorporated unchanged into APE_REQ.1-NIAP-0427, and all references to APE_REQ.1 in the CC, CEM, or other Common Criteria documentation are changed to refer to APE_REQ.1-NIAP-0427.

  • The following elements are added to CC Part 3 component APE_REQ.1.1:

    APE_REQ.1.NIAP-0427-1C: All requirements that claim compliance with an external standard shall be unambiguous with respect to the source of the metric and the meaning of compliance.

    APE_REQ.1.NIAP-0427-2C: All requirements that claim compliance with an external standard shall stipulate how compliance is ascertained.

  • The following paragraphs are added to CC Part 3 following paragraph 178 of Application notes in Section 5.6:

    In some instances, it is appropriate for an ST to claim compliance with an external standard, such as the definition of an encryption algorithm. When the standards document provides only one mode of operation of the algorithm, or level of use of the algorithm, the compliance claim is clear. However, some standards define multiple approaches, and a simple citation is insufficient. Citations of an external standard should be unambiguous with respect to what is being required. If the standard specifies multiple modes or manners of operation, the citation should be specific enough to determine which mode or manner of operation applies to the TSF.

    Additionally, there are many ways of determining compliance with a standard. Compliance may be verified as part of the TOE evaluation, it might be claimed by a developer, or it might be verified by an independent party. In order to have consistency across evaluations, the ST author should specify the means of determining compliance, so that consistency across all uses of the ST is achieved.

  • ASE_REQ.1 is relabeled as ASE_REQ.1-NIAP-0427. Unless otherwise noted in these changes, all normative and informative material associated with ASE_REQ.1 is incorporated unchanged into ASE_REQ.1-NIAP-0427, and all references to ASE_REQ.1 in the CC, CEM, or other Common Criteria documentation are changed to refer to ASE_REQ.1-NIAP-0427.

  • The following elements are added to CC Part 3 component ASE_REQ.1:

    ASE_REQ.1.NIAP-0427-1C: All requirements that claim compliance with an external standard shall be unambiguous with respect to the source of the metric and the meaning of compliance.

    ASE_REQ.1.NIAP-0427-2C: All requirements that claim compliance with an external standard shall stipulate how compliance is ascertained.

  • The following is added to CEM Part 2 following paragraph 265:

    APE_REQ.1.NIAP-0427-1C

    APE_REQ.1-NIAP-0427-1 The evaluator shall check that any standard external to the PP to which functional or assurance requirements are claiming compliance is unambiguously specified, and that the meaning of compliance is clear.

    If the PP does not include any compliance claims to an external standard, this work unit is not applicable and therefore considered to be satisfied.

    The evaluator determines that any external standards to which compliance is being claimed are specified in such a way that it may be seen to which standard, or which parts of a standard, the compliance claim is being made. The evaluator determines that the standard, or portion of the standard, is clearly and unambiguously specified, and that the meaning of compliance is clear and unambiguous.

    APE_REQ.1.NIAP-0427-2C

    APE_REQ.1-NIAP-0427-2 The evaluator shall examine the PP to determine that it stipulates how compliance to an external standard is ascertained.

    If the PP does not include any compliance claims to an external standard, this work unit is not applicable and therefore considered to be satisfied.

    The evaluator determines that it is clear how compliance with an external standard is achieved. This may be specified by a refinement of an element of the PP. The refinement should make clear whether compliance with the standard is met through evaluator actions, or by having an independent third-party laboratory show compliance (e.g., by use of the results produced by an accredited FIPS-140 laboratory).

  • The following is added to CEM Part 2 following paragraph 454:

    ASE_REQ.1.NIAP-0427-1C

    ASE_REQ.1-NIAP-0427-1 The evaluator shall check that any standard external to the ST to which functional or assurance requirements are claiming compliance is unambiguously specified, and that the meaning of compliance is clear.

    If the ST does not include any compliance claims to an external standard, this work unit is not applicable and therefore considered to be satisfied.

    The evaluator determines that any external standards to which compliance is being claimed are specified in such a way that it may be seen to which standard, or which parts of a standard, the compliance claim is being made. The evaluator determines that the standard, or portion of the standard, is clearly and unambiguously specified, and that the meaning of compliance is clear and unambiguous.

    ASE_REQ.1.NIAP-0427-2C

    ASE_REQ.1-NIAP-0427-2 The evaluator shall examine the ST to determine that it stipulates how compliance to an external standard is ascertained.

    If the ST does not include any compliance claims to an external standard, this work unit is not applicable and therefore considered to be satisfied.

    The evaluator determines that it is clear how compliance with an external standard is achieved. This may be specified by a refinement of an element of the ST. The refinement should make clear whether compliance with the standard is met through evaluator actions, or by having an independent third-party laboratory show compliance (e.g., by use of the results produced by an accredited FIPS-140 laboratory).

SUPPORT:

In some instances, it is appropriate for a PP/ST to claim compliance with an external standard, such as the definition of an encryption algorithm. When the standards document provides only one mode of operation of the algorithm, or level of use of the algorithm, this is not a problem. However, some standards define multiple approaches, and a simple citation is insufficient. This interpretation requires citations of an external standard to be unambiguous with respect to what is being required. If the standard specifies multiple modes or manners of operation, the citation must be specific enough to determine which mode or manner of operation applies to the TSF.

Additionally, there are many ways of determining compliance with a standard. It may be performed as part of the TOE evaluation, it might be a developer claim, or it might be verified by an independent party. In order to have consistency across evaluations, the PP/ST author should specify the means of determining compliance, so that consistency of interpretation across all uses of the PP/ST is achieved.

Note: This interpretation is superseding a previously-approved formal interpretation primarily to reflect modifications to the interpretation format. The intent of the interpretation has not been changed, although some specifics of the criteria changes or the support may have been clarified or corrected.