TD0135: SNMP in NDcPP MACsec EP v1.2
Publication Date
2017.01.25
Protection Profiles
PP_NDCPP_MACSEC_EP_V1.2
Other References
FMT_SNMP_EXT.1.1, FCS_SNMP_EXT.1.1
Issue Description
The end of the FMT_SNMP_EXT.1.1 SFR is confusing as currently written, causing differing interpretations. In addition, the FCS_SNMP_EXT.1.1 SFR is written like an assurance activity instead of a requirement and should be reworded.
Resolution
Replace FMT_SNMP_EXT.1.1 as follows:
Replace FCS_SNMP_EXT.1.1 and add an assurance activity as follows:
FCS_SNMP_EXT.1.1 The TSF shall support SNMP using TLS in accordance with RFC 6353 supporting the following cipher suites [
· Mandatory Cipher suites:
  o TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
· [selection: Optional Cipher suites:
  o TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246
  o TLS_DHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
  o TLS_DHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246
  o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492
  o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492
  o TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492
  o TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492
  o TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
  o TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
  o TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
  o TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
  o TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
  o TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
  o TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
  o TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
  o no other cipher suite]].
Justification
Updates made for clarity.