CCEVS Interpretations

Interpretations and Evolution of the Criteria and Methodology
While the Common Criteria is intended to be coherent, concise, and unambiguous, it is still in need of clarification. At an international level, the Common Criteria Management Board (CCMB) is tasked with issuing updates, explanations, and errata concerning the Common Criteria and Methodology. The CCRA acknowledges that individual schemes may also provide their own interpretations, the intent being that these national interpretations are also shared at the international level. To this end, the CCEVS has procedures in place to help resolve questions that arise concerning the criteria, methodology, or procedures as they relate to the CCEVS.

The OR Submission
When a question arises during an evaluation, an Observation Request (OR) is generated. This OR can originate from the sponsor, the evaluator, or the validator, and is sent to the scheme via the Validator. The scheme assigns a unique identification number to the OR for tracking purposes; ORs are numbered sequentially by order of arrival.

Figure 1

Within 8 days, the scheme issues an Observation Decision (OD) in response to the OR; it is given the same number as the OR that it answers. This response is binding upon the evaluation for which it was generated. However, because of the quick turn-around, it might not have been as thoroughly investigated as one might hope.

In order to address this, the OR and OD are forwarded to the Observation Decision Review Board.

The Appeal Process
If the originator of the OR disagrees with the CCEVS-issued OD and the originator wishes to formally appeal it, the scheme will reconsider the OD.

The formal appeal must be submitted to Director, NIAP CCEVS with a copy to scheme-comments@niap-ccevs.org and include:

  • Identification of the OD/OR being appealed (attached copy).
  • Identification of the item(s) being appealed.
  • Explanation and justification for the disagreement.
  • Identification of specific supporting references (document identification, section and paragraph) for all justifications (where applicable).
  • Proposal for acceptable resolutions, revisions or alternatives to the OD.

The Director, NIAP CCEVS will acknowledge receipt of the appeal within 3 business days. After consultation with the involved parties and the Observation Decision Review Board (ODRB), the final verdict is rendered to either uphold the original decision or issue a revised OD.

The appeal resolution process ends when the Director, NIAP CCEVS issues the scheme's response to the appeal. The ODRB reviews the OD whether appealed or not.

The ODRB
The ODRB is a group of individuals chartered with reviewing all ODs that are made by the scheme. These decisions are reviewed for technical soundness and consistency. If a decision is issued yet found to be in conflict with past decisions, or is found to be technically unsound, the ODRB alerts scheme management. During deliberations of the ODRB, if the decision is found to address the application of the criteria, but no problem is found with the criteria/methodology, then a Precedent may be generated. Precedents are numbered sequentially in order of creation and serve as a publically-accessible collection of case law for consideration during future evaluations. Precedents typically center on acceptable ways to meet the criteria.

Figure 2

If, during deliberations, the ODRB finds a problem with the wording of the Criteria and/or methodology, an interpretation request is sent to the NIAP Interpretations Board. The ODRB meets two times per quarter, the goal being a fairly current review of decisions.

The NIB
The NIAP Interpretations Board (NIB) is a group of individuals chartered with investigation interpretation requests that are made, thereby serving as the CCEVS analogue to the CCMB. It also oversees the scheme's written procedures for clarity and technical soundness.
During discussions, the NIB may discover non-technical issues that must be addressed by the scheme. These may arise from a lack of guidance or problems with the wording of the scheme publications, a new procedure to be defined, a new document to be created, a recurring misunderstanding in need of clarification, or anything else indicative of a problem with the efficiency of the scheme. Such scheme issues are brought to the attention of scheme management.

Figure 3

The NIB employs a database to track all of its technical concerns with the criteria and/or methodology. An entry is added to the queue for each request for interpretation that is received. During discussions, other issues concerning the criteria and/or methodology might be discovered; for each such question or concern raised, another queue entry is generated.

The initial state of a database entry is an identified problem or question concerning the wording of the Common Criteria or Common Evaluation Methodology. Progression of the entry involves investigating the criteria as well as related literature. The NIB attempts to agree on an interpretation of the words in question, or on a proposed rewording of the criteria/methodology. The database entries are processed by NIB members between meetings as their schedules permit. Database entries may also be processed by members of the public interested in investigating and developing solutions to issues that have been identified.

Once a proposal is formulated and properly formatted by the NIB, it is posted for review by the scheme, evaluation community, validation community, and other interested parties. Comments that are received are then discussed in subsequent NIB meetings, and incorporated into an updated version; the cycle continues iteratively until a final proposal is created. This is then forwarded to scheme management for approval, at which time it becomes a CCEVS Interpretation, applicable to all subsequent evaluations within the CCEVS.

Once the CCEVS Interpretation is adopted, it is also forwarded to the Common Criteria Management Board (CCMB), which is responsible for maintaining the official international version of the crietia and methodology. If a proposal is never formulated by the NIB because of fundamental questions concerning the criteria/methodology, the NIB constructs a Request for Interpretation and submits it to the CCMB for clarification. For more details on the CCMB and requests for interpretations, see the CCMB's website (www.commoncriteriaportal.org).