I-0467: Can Guidance Documentation Meet TSF Requirements?
TYPE: Guidance
NUMBER: I-0467
STATUS: Sent to CCEVS Management and CCIMB for Review
TITLE: Can Guidance Documentation Meet TSF Requirements?
FIRST POST: [cc-cmt 00556]
RELATED TO: <None>
CCIMB ENTRY: CCIMB-INTERP-0252

ISSUE:
Can guidance documentation or manual procedures meet requirements levied against the TSF? For example, can guidance documentation be used to meet the requirements of FPT_PHP?

STATEMENT:
Guidance and actions resulting from following the guidance are not part of the TSF. Requirements levied on the TSF must be met by hardware, firmware, or software components.

SUPPORT:
The TSF is defined as "A set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TSP." The TOE, on the other hand, is defined as "An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation." This makes it clear that the definition of TSF excludes the administrator and user guidance documentation.

SFRs are typically levied against the TSF, not the TOE. When an SFR is levied against the TSF, administrator or user guidance documentation cannot satisfy the requirement. For example, consider the components in FPT_PHP. The guidance, or actions that result from following the administrator or user guidance documentation, cannot detect the physical attack, alert system administrators about the physical attack, or resist the physical attack. Only the hardware, software, or firmware that are part of the TOE can provide these functions.