I-0393: A Completely Evaluated ST Is Not Required When TOE Evaluation Starts


[The following is the ASCII version of the proposal as posted on Gibraltar. A
pretty-printed PDF version is attached.]

  [NOTE: This proposal is being re-posted after being updated to reflect
  comments the IWG received on its previous posting, or comments arising
  from further IWG discussion of the proposal.]

  This transaction consists of a proposal for a National Interpretation of
  a Common Criteria document. It is being posted in accordance with the
  procedures of the IWG.

  Comments on this proposal are welcomed and should be posted to this
  transaction chain.  If any party wishes to post a comment anonymously,
  the comment should be mailed to IWG@gibraltar.ncsc.mil in a form
  suitable for posting.  All comments should be posted no later than
  Monday, February 5, 2001.


                 CCITSE/CEM  NIAP INTERPRETATION (PROPOSED)


     _________________________________________________________________

 I-0393: A Completely Evaluated ST Is Not Required When TOE Evaluation Starts
     _________________________________________________________________

NUMBER:               I-0393
STATUS:               IWG Reworked External Post in IWG Review
TYPE:                 NIAP Interpretation

TITLE:                A Completely Evaluated ST Is Not Required When TOE
                      Evaluation Starts

SOURCE REFERENCE:     CC v2.1 Part 1 Figure 4.4
                      CC v2.1 Part 1 Figure 5.1
                      CC v2.1 Part 1 Subclause 4.2.2
                      CC v2.1 Part 1 Subclause 4.5.3
                      CC v2.1 Part 3 Subclause 3.1
RELATED TO:           <None>

ISSUE:

   In an ideal world, a Security Target (ST) would be completely
   evaluated before a TOE evaluation starts. In order for this to happen,
   however, there would need to be a finalized TOE configuration (down to
   version and patch numbers), and no aspects of evaluation (including
   testing) would result in changes to the TOE.

   In the real world, this never happens. Instead, there may be nuances
   of the hardware or software platform that are finalized during the TOE
   evaluation. Further, the evaluation activities, such as testing and
   analysis, may uncover areas where the ST requires correction,
   especially in the TOE summary specification.

STATEMENT OF INTERPRETATION:

   A completely-evaluated ST is not required before TOE evaluation may
   start, although a substantially complete ST is required.

SPECIFIC INTERPRETATION:

   In order to address this interpretation, the following changes are
   made to CC v2.1, Part 1 (additions marked _thusly_; deletions marked
   _[DEL:_ thusly _:DEL]_ ):


     * Correct Figure 4.4 to change the circle labeled "Evaluate TOE" to
       "Evaluate _ST and_ TOE".

     * Reword Subclause 4.2.2, paragraph 110, as follows:

     The TOE evaluation process, as described in Figure 4.4 may be
     carried out in parallel with development, or it may follow. _The
     process of TOE evaluation includes the evaluation of the ST against
     the ASE requirements in Part 3._ The principal inputs to TOE
     evaluation are:

     a) the set of TOE evidence, which includes _[DEL:_ the evaluated
     _:DEL]_ _a substantially complete_ ST as the basis for TOE
     evaluation _(a "substantially complete" ST is an ST where all
     sections have been completed to an extent acceptable by the
     evaluation scheme and for which no significant evaluation hurdles
     are foreseen)_;

     b) the TOE for which the evaluation is required;

     c) the evaluation criteria, methodology, and scheme.

     * Reword Subclauses 4.5.2 and 4.5.3 as follows:

     4.5.2 _[DEL:_ ST _:DEL]_ _TOE_ evaluation

     _TOE evaluation involves two tasks: evaluation of an ST against the
     ST evaluation criteria contained in Part 3, and evaluation of the
     TOE against the evaluation criteria in Part 3 using the ST as a
     basis._

     The evaluation of the ST for the TOE is carried out against the
     evaluation criteria for STs contained in Part 3. The goal of such
     an evaluation is twofold: first to demonstrate that the ST is
     complete, consistent, and technically sound and hence suitable for
     use as the basis for the corresponding TOE evaluation; second, in
     the case where an ST claims conformance to a PP, to demonstrate
     that the ST properly meets the requirements of the PP.

     _[DEL:_ 4.5.3 TOE evaluation _:DEL]_

     The TOE evaluation is carried out against the evaluation criteria
     contained in Part 3 using _[DEL:_ an evaluated _:DEL]_ _the_ ST as
     the basis. The goal of such an evaluation is to demonstrate that
     the TOE meets the security requirements contained in the ST. _The
     TOE evaluation may commence against an ST that is substantially
     complete, provided that the ST evaluation is fully complete prior
     to completion of the TOE evaluation._

     * Change all references in the CC to subclause 4.5.3 to refer
       instead to subclause 4.5.2.

     * Correct Figure 5.1 to have the arrow go from the "Evaluated PP"
       square to the current "Evaluate TOE" circle, the latter being
       relabeled as "Evaluate ST and TOE". The "Evaluate ST" circle and
       the "ST evaluation results" rectangle would be eliminated.

   In order to address this interpretation, the following changes are
   made to CC v2.1, Part 3 (additions marked _thusly_; deletions marked
   _[DEL:_ thusly _:DEL]_ ):


     * Reword Subclause 3.1, paragraph 133, as follows:

     These criteria _[DEL:_ are the first requirements presented in this
     Part 3 because the PP and ST evaluation will normally be performed
     before the TOE evaluation. They _:DEL]_ play a special role in that
     information about the TOE is assessed and the functional and
     assurance requirements are evaluated in order to find out whether
     the PP or ST is a meaningful basis for a TOE evaluation.

PROJECTED IMPACT:

   Negligible impact anticipated.

SUPPORT:

   This interpretation recognizes the real world situation. The position
   taken by this interpretation is supported by CEM v1.0 Section B.4.1,
   paragraph 1800, which says:

     For some cases the different assurance classes may recommend or
     even require a sequence for the related activities. A specific
     instance is the ST activity. The ST evaluation activity is started
     prior to any TOE evaluation activities since the ST provides the
     basis and context to perform them. However, a final verdict on the
     ST evaluation may not be possible until the TOE evaluation is
     complete, since changes to the ST may result from activity findings
     during the TOE evaluation.

   This interpretation requires the ST to be substantially complete. This
   means that:

    1. All sections of the ST are substantially complete.

    2. A preliminary assessment of the ST against the ASE requirements
       uncovers no significant failures.

   This interpretation does not place a specific metric on "substantially
   complete". The setting of such a metric, as well as defining
   "substantially complete", is an evaluation scheme issue. The
   appropriate value is a business decision that weighs the risks to an
   evaluation's schedule against the reasonability of finalizing ST
   details during TOE evaluation.

