[The following is the ASCII version of the proposal as posted on Gibraltar. A pretty-printed PDF version is attached.]

[NOTE: This proposal is being re-posted after being updated to reflect comments the IWG received on its previous posting, or comments arising from further IWG discussion of the proposal.]

This transaction consists of a proposal for a National Interpretation of a Common Criteria document. It is being posted in accordance with the procedures of the IWG. Comments on this proposal are welcomed and should be posted to this transaction chain. If any party wishes to post a comment anonymously, the comment should be mailed to IWG@gibraltar.ncsc.mil in a form suitable for posting. All comments should be posted no later than Monday, February 5, 2001.

CCITSE/CEM NIAP INTERPRETATION (PROPOSED)
_________________________________________________________________

I-0393: A Completely Evaluated ST Is Not Required When TOE Evaluation Starts
_________________________________________________________________

NUMBER: I-0393
STATUS: IWG Reworked External Post in IWG Review
TYPE: NIAP Interpretation
TITLE: A Completely Evaluated ST Is Not Required When TOE Evaluation Starts
SOURCE REFERENCE:
    CC v2.1 Part 1 Figure 4.4
    CC v2.1 Part 1 Figure 5.1
    CC v2.1 Part 1 Subclause 4.2.2
    CC v2.1 Part 1 Subclause 4.5.3
    CC v2.1 Part 3 Subclause 3.1
RELATED TO: <None>

ISSUE:

In an ideal world, a Security Target (ST) would be completely evaluated before a TOE evaluation starts. In order for this to happen, however, there would need to be a finalized TOE configuration (down to version and patch numbers), and no aspects of evaluation (including testing) would result in changes to the TOE.

In the real world, this never happens. Instead, there may be nuances of the hardware or software platform that are finalized during the TOE evaluation.
Further, the evaluation activities, such as testing and analysis, may uncover areas where the ST requires correction, especially in the TOE summary specification.

STATEMENT OF INTERPRETATION:

A completely-evaluated ST is not required before TOE evaluation may start, although a substantially complete ST is required.

SPECIFIC INTERPRETATION:

In order to address this interpretation, the following changes are made to CC v2.1, Part 1 (additions marked _thusly_; deletions marked _[DEL:_ thusly _:DEL]_ ):

* Correct Figure 4.4 to change the circle labeled "Evaluate TOE" to "Evaluate _ST and_ TOE".

* Reword Subclause 4.2.2, paragraph 110, as follows:

    The TOE evaluation process, as described in Figure 4.4 may be carried out in parallel with development, or it may follow. _The process of TOE evaluation includes the evaluation of the ST against the ASE requirements in Part 3._ The principal inputs to TOE evaluation are:

    a) the set of TOE evidence, which includes _[DEL:_ the evaluated _:DEL]_ _a substantially complete_ ST as the basis for TOE evaluation _(a "substantially complete" ST is an ST where all sections have been completed to an extent acceptable by the evaluation scheme and for which no significant evaluation hurdles are foreseen)_;

    b) the TOE for which the evaluation is required;

    c) the evaluation criteria, methodology, and scheme.

* Reword Subclauses 4.5.2 and 4.5.3 as follows:

    4.5.2 _[DEL:_ ST _:DEL]_ _TOE_ evaluation

    _TOE evaluation involves two tasks: evaluation of an ST against the ST evaluation criteria contained in Part 3, and evaluation of the TOE against the evaluation criteria in Part 3 using the ST as a basis._

    The evaluation of the ST for the TOE is carried out against the evaluation criteria for STs contained in Part 3.
    The goal of such an evaluation is twofold: first to demonstrate that the ST is complete, consistent, and technically sound and hence suitable for use as the basis for the corresponding TOE evaluation; second, in the case where an ST claims conformance to a PP, to demonstrate that the ST properly meets the requirements of the PP.

    _[DEL:_ 4.5.3 TOE evaluation _:DEL]_

    The TOE evaluation is carried out against the evaluation criteria contained in Part 3 using _[DEL:_ an evaluated _:DEL]_ _the_ ST as the basis. The goal of such an evaluation is to demonstrate that the TOE meets the security requirements contained in the ST. _The TOE evaluation may commence against a ST that is substantially complete, provided that the ST evaluation is fully complete prior to completion of the TOE evaluation._

* Change all references in the CC to subclause 4.5.3 to refer instead to subclause 4.5.2.

* Correct Figure 5.1 to have the arrow go from the "Evaluated PP" square to the current "Evaluate TOE" circle, the latter being relabeled as "Evaluate ST and TOE". The "Evaluate ST" circle and the "ST evaluation results" rectangle would be eliminated.

In order to address this interpretation, the following changes are made to CC v2.1, Part 3 (additions marked _thusly_; deletions marked _[DEL:_ thusly _:DEL]_ ):

* Reword Subclause 3.1, paragraph 133, as follows:

    These criteria _[DEL:_ are the first requirements presented in this Part 3 because the PP and ST evaluation will normally be performed before the TOE evaluation. They _:DEL]_ play a special role in that information about the TOE is assessed and the functional and assurance requirements are evaluated in order to find out whether the PP or ST is a meaningful basis for a TOE evaluation.

PROJECTED IMPACT:

Negligible impact anticipated.

SUPPORT:

This interpretation recognizes the real world situation.
The position taken by this interpretation is supported by CEM v1.0 Section B.4.1, paragraph 1800, which says:

    For some cases the different assurance classes may recommend or even require a sequence for the related activities. A specific instance is the ST activity. The ST evaluation activity is started prior to any TOE evaluation activities since the ST provides the basis and context to perform them. However, a final verdict on the ST evaluation may not be possible until the TOE evaluation is complete, since changes to the ST may result from activity findings during the TOE evaluation.

This interpretation requires the ST to be substantially complete. This means that:

1. All sections of the ST are substantially complete.

2. A preliminary assessment of the ST against the ASE requirements uncovers no significant failures.

This interpretation does not place a specific metric on "substantially complete". The setting of such a metric, as well as defining "substantially complete", is an evaluation scheme issue. The appropriate value is a business decision that weights the risks to an evaluation's schedule against the reasonability of finalizing ST details during TOE evaluation.