There appears to be a typo in SFR FCS_MACSEC_EXT.4.4 - The TSF shall associate Connectivity Association Key Names (CKNs) with CAKs that are defined by the key derivation function using the CAK as input data (per 802.1X, section 9.8.1).

IEEE 802.1X-2010, section 9.8.1 describes generating the SAK (not the CAK) using the key derivation function using the CAK as input data.

FCS_MACSEC_EXT.4.4 is corrected as shown below, with strikethrough denoting deletions and underline denoting additions:

The TSF shall associate Connectivity Association Key Name (CKN) with CAKs Security Association Key (SAK)s that are defined by the key derivation function using the CAK as input data (per 802.1X, section 9.8.1).

See issue description.