Archived TD0183: NIT Technical Decision for Use of the Supporting Document
NDSD V1.0, FWSD V1.0
The Network Interpretations Team (NIT) has issued a technical decision regarding the use of the Supporting Document (SD). The NDSD as well as the FWSD do not state specifically how to apply them.
The following paragraphs shall therefore be added to NDSD and FWSD in a separate subchapter of chap. 1:
"This Supporting Document (SD) defines three types of Evaluation Activities (EAs) – TOE Summary Specification (TSS), Guidance Documentation, and Tests and is designed to be used in conjunction with cPPs. cPPs that rely on this SD will explicitly identify it as a source for their EAs. Each security requirement (SFR or SAR) specified in the cPP could have multiple EAs associated with it. The security requirement naming convention is consistent between cPP and SD ensuring a clear one to one correspondence between security requirements and evaluation activities.
The cPP and SD are designed to be used in conjunction with each other, where the cPP lists SFRs and SARs and the SD catalogues EAs associated with each SFR and SAR. Some of the SFRs included in the cPP are optional or selection-based. Therefore an ST claiming conformance to the cPP does not necessarily have to include all possible SFRs defined in the cPP.
In an ST conformant to the cPP, several operations need to be performed (mainly selections and assignments). Some EAs define separate actions for different selected or assigned values in SFRs. The evaluator shall neither carry out EAs related to SFRs that are not claimed in the ST nor EAs related to specific selected or assigned values that are not claimed in the ST.
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecision_SDInterpretation.pdf
Only the evaluation activities/assurance activities according to the SFRs included in the ST as well as according to the operations performed in the ST need to be performed. Failing an evaluation activity/assurance activity related to an SFR not contained in the ST or an option not included in the ST due to performed operations shall not lead to a 'fail' verdict.