Offline RI Listing

RI # 115 - Identification of Standards

Type: Explanation/Clarification Source: US NI Date: 06/02/2000
Status: Closed Source #: IWG #0385
CC Part #1 Reference:
CC Part #2 Reference:
CC Part #3 Reference: CC Part 3, Section 4.5 (APE_REQ); CC Part 3, Section 5.6 (ASE_REQ)
CEM Reference:
Reason: National Interpretation
Problem:

In some instances, it is appropriate for a PP/ST to claim compliance with an external standard, such as the definition of an encryption algorithm. When the standards document provides only one mode of operation of the algorithm, or only one level of use of the algorithm, this is not a problem. However, some standards define multiple approaches, and a simple citation is then insufficient. There needs to be a requirement that citations of an external standard be unambiguous with respect to what is being required. If the standard specifies multiple modes or manners of operation, the citation must be specific enough to determine which mode or manner of operation applies to the TSF. Additionally, there are many ways of determining compliance with a standard: it may be performed as part of the TOE evaluation, it might be a developer claim, or it might be verified by an independent party. In order to have consistency across evaluations, the PP/ST author should specify the means of determining compliance, so that consistency of interpretation across all uses of the PP/ST is achieved.

Proposed Solution:

The following interprets both the APE_REQ and ASE_REQ families in Part 3 of the Common Criteria: Claims about use of a standard must be unambiguous with respect to the source of a metric and the meaning of compliance. If a compliance claim is made, the PP/ST author must provide an indication of how compliance is to be determined.

To address this interpretation, the following elements should be added to the Content and Presentation elements of APE_REQ.1, with parallel additions to the Content and Presentation elements of ASE_REQ.1:

APE_REQ.1.xC: All requirements that claim compliance with an external standard shall be unambiguous with respect to the source of the metric and the meaning of compliance.

APE_REQ.1.xC: All requirements that claim compliance with an external standard shall stipulate how compliance is ascertained.

For these units, an application note should be added along the lines of the following:

In some instances, it is appropriate for a PP/ST to claim compliance with an external standard, such as the definition of an encryption algorithm. When the standards document provides only one mode of operation of the algorithm, or only one level of use of the algorithm, this is not a problem. However, some standards define multiple approaches, and a simple citation is then insufficient. Citations of an external standard should be unambiguous with respect to what is being required. If the standard specifies multiple modes or manners of operation, the citation should be specific enough to determine which mode or manner of operation applies to the TSF. Additionally, there are many ways of determining compliance with a standard: it may be performed as part of the TOE evaluation, it might be a developer claim, or it might be verified by an independent party. In order to have consistency across evaluations, the PP/ST author should specify the means of determining compliance, so that consistency of interpretation across all uses of the PP/ST is achieved.

Additional work units should be added to the CEM to address these new elements.




RI Discussions

Draft Interpretations: None

Final Interpretations: None

Incorporated Interpretations: None