There is a discrepancy between the definition of "Security attribute" in Part 1 and the use of the term in other portions of the CC, where security attributes are referred to in the context of information and resources.

The CC, in Part 1, appears to permit iteration at the level of assurance components. However, Part 3 only discusses refinement at the element level; no mention is made of iteration.

Iteration is permitted on sets of assurance elements (as defined in Part 3, Section 2.1.3.5) and on assurance elements.

To address this interpretation, the following changes are made to CC v2.1, Part 3: (additions marked thusly; deletions marked thusly)

• In Section 2.1.3.5, after paragraph 53, add the following paragraph:

  Iteration is permitted at the level of developer action elements, content and presentation of evidence elements, and explicit evaluator action elements.

• In Section 2.1.4, replace paragraph 56 with the following:

  In contrast to CC Part 2, neither assignment nor selection operations are relevant for elements in CC Part 3; however, refinements and iterations may be made to Part 3 elements as required.

Further Considerations:

Additionally, the above paragraph may be subject to futher changes depending on the resolution of I-0394 (Iteration Must Cover All Scopes); in particular, there may be additional words noting that if iteration is used to apply a requirement to a subpart of the TOE, there must be sufficient iterations that the entire TOE is covered.

Lastly, corresponding methodology changes may be needed to address the effects of these changes.