NIAP: View Technical Decision Details
TD0273:  Rekey after CAK expiration

Publication Date

Protection Profiles

Other References

Issue Description

Issue 1: There is a discrepancy in PP_NDCPP_MACSEC_EP_V1.2: Test 2 requires verification that a CAK be protected when distributed, although none of the elements of FCS_MACSEC_EXT.4 state that the CAK must be wrapped, and FCS_MACSEC_EXT.4.2 specifically requires the SAK to be wrapped.

Issue 2: Additionally, FCS_MACSEC_EXT.4 Test 3 and FMT_SMF.1 Test 3 are almost identical, and do not account for TOEs that only support pre-shared keys for CAK establishment.


For Issue 1: There is a typo in PP_NDCPP_MACSEC_EP_V1.2. Therefore, FCS_MACSEC_EXT.4 Test 2 is modified to replace the word “CAK” with “SAK” as follows:

Test 2: The evaluator shall capture traffic between the TOE and a MACsec-capable peer in the Operational Environment. The evaluator shall then cause the TOE to distribute a SAK to that peer, capture the MKPDUs from that operation, and verify the key is wrapped in the captured MKPDUs.


For Issue 2: FCS_MACSEC_EXT.4 Test 3 and FMT_SMF.1 Test 3 are duplicative; therefore, FCS_MACSEC_EXT.4 Test 3 shall be removed.


See issue description.
