I-0427: Identification Of Standards
- Subject: I-0427: Identification Of Standards
- From: "Interpretations Working Group" <iwg@gibraltar.ncsc.mil>
- Date: Thu, 1 Mar 2001 15:31:42 -0800
This transaction consists of a proposal for a National Interpretation of
a Common Criteria document. It is being posted in accordance with the
procedures of the IWG.
Comments on this proposal are welcomed and should be posted to this
transaction chain. If any party wishes to post a comment anonymously,
the comment should be mailed to IWG@gibraltar.ncsc.mil in a form
suitable for posting. All comments should be posted no later than
Monday, April 9, 2001.
CCITSE/CEM NIAP INTERPRETATION (PROPOSED)
_________________________________________________________________
I-0427: Identification Of Standards
_________________________________________________________________
NUMBER: I-0427
STATUS: Ready for External Review
TYPE: NIAP Interpretation
TITLE: Identification Of Standards
WOULD SUPERSEDE:
I-0385 Identification Of Standards
SOURCE REFERENCE: CC v2.1 Part 3 Subclause 4.5 APE_REQ
CC v2.1 Part 3 Subclause 5.6 ASE_REQ
CEM v1.0 Part 2 Subclause 3.4.5.2.1 APE_REQ.1.1E
CEM v1.0 Part 2 Subclause 4.4.6.3.1 ASE_REQ.1.1E
RELATED TO:
I-0385 Identification Of Standards
ISSUE:
Claims about use of a standard may be ambiguous with respect to the
source of a metric and the meaning of compliance.
STATEMENT OF INTERPRETATION:
Claims about use of a standard must be unambiguous with respect to the
source of a metric and the meaning of compliance. If a compliance
claim is made, the PP/ST author must provide an indication of how
compliance is to be determined.
SPECIFIC INTERPRETATION:
To address this interpretation, the following changes are made to CC
v2.1, and to the CEM, v1.0:
* The following paragraphs are added to CC Part 3 following
paragraph 157 of Application notes in Section 4.5:
In some instances, it is appropriate for a PP to claim compliance
with an external standard, such as the definition of an encryption
algorithm. When the standards document provides only one mode of
operation of the algorithm, or level of use of the algorithm, the
compliance claim is clear. However, some standards define multiple
approaches, and a simple citation is insufficient. Citations of an
external standard should be unambiguous with respect to what is
being required. If the standard specifies multiple modes or manners
of operations, the citation should be specific enough to determine
which mode or manner of operation applies to the TSF.
Additionally, there are many ways of determining compliance with a
standard. Compliance may be verified as part of the TOE evaluation,
it might be claimed by a developer, or it might be verified by an
independent party. In order to have consistency across evaluations,
the PP author should specify the means of determining compliance,
so that consistency across all uses of the PP is achieved.
* APE_REQ.1 is relabeled as APE_REQ.1-NIAP-0427. Unless otherwise
noted in these changes, all normative and informative material
associated with APE_REQ.1 is incorporated unchanged into
APE_REQ.1-NIAP-0427, and all references to APE_REQ.1 in the CC,
CEM, or other Common Criteria documentation are changed to refer
to APE_REQ.1-NIAP-0427.
* The following elements are added to CC Part 3 component
APE_REQ.1.1:
APE_REQ.1.NIAP-0427-1C: All requirements that claim compliance with
an external standard shall be unambiguous with respect to the
source of the metric and the meaning of compliance.
APE_REQ.1.NIAP-0427-2C: All requirements that claim compliance with
an external standard shall stipulate how compliance is ascertained.
* The following paragraphs are added to CC Part 3 following
paragraph 178 of Application notes in Section 5.6:
In some instances, it is appropriate for an ST to claim compliance
with an external standard, such as the definition of an encryption
algorithm. When the standards document provides only one mode of
operation of the algorithm, or level of use of the algorithm, the
compliance claim is clear. However, some standards define multiple
approaches, and a simple citation is insufficient. Citations of an
external standard should be unambiguous with respect to what is
being required. If the standard specifies multiple modes or manners
of operations, the citation should be specific enough to determine
which mode or manner of operation applies to the TSF.
Additionally, there are many ways of determining compliance with a
standard. Compliance may be verified as part of the TOE evaluation,
it might be claimed by a developer, or it might be verified by an
independent party. In order to have consistency across evaluations,
the ST author should specify the means of determining compliance,
so that consistency across all uses of the ST is achieved.
* ASE_REQ.1 is relabeled as ASE_REQ.1-NIAP-0427. Unless otherwise
noted in these changes, all normative and informative material
associated with ASE_REQ.1 is incorporated unchanged into
ASE_REQ.1-NIAP-0427, and all references to ASE_REQ.1 in the CC,
CEM, or other Common Criteria documentation are changed to refer
to ASE_REQ.1-NIAP-0427.
* The following elements are added to CC Part 3 component
ASE_REQ.1:
ASE_REQ.1.NIAP-0427-1C: All requirements that claim compliance with
an external standard shall be unambiguous with respect to the
source of the metric and the meaning of compliance.
ASE_REQ.1.NIAP-0427-2C: All requirements that claim compliance with
an external standard shall stipulate how compliance is ascertained.
* The following is added to CEM Part 2 following paragraph 265:
APE_REQ.1.NIAP-0427-1C
APE_REQ.1-NIAP-0427-1 The evaluator shall check that any standard
external to the PP to which functional or assurance requirements
are claiming compliance is unambiguously specified, and that the
meaning of compliance is clear.
If the PP does not include any compliance claims to an external
standard, this work unit is not applicable and therefore considered
to be satisfied.
The evaluator determines that any external standards to which
compliance is being claimed are specified in such a way that it may
be seen to which standard, or which parts of a standard, the
compliance claim is being made. The evaluator determines that the
standard, or portion of the standard, is clearly and unambiguously
specified, and that the meaning of compliance is clear and
unambiguous.
APE_REQ.1.NIAP-0427-2C
APE_REQ.1-NIAP-0427-2 The evaluator shall examine the PP to
determine that it stipulates how compliance to an external standard
is ascertained.
If the PP does not include any compliance claims to an external
standard, this work unit is not applicable and therefore considered
to be satisfied.
The evaluator determines that it is clear how compliance to an
external standard is achieved. This may be specified by a
refinement of an element of the PP. The refinement should make
clear if the standard compliance is met through evaluator actions,
or by having a third party independent laboratory show compliance
(e.g., by use of the results produced by an accredited FIPS-140
laboratory).
* The following is added to CEM Part 2 following paragraph 454:
ASE_REQ.1.NIAP-0427-1C
ASE_REQ.1-NIAP-0427-1 The evaluator shall check that any standard
external to the ST to which functional or assurance requirements
are claiming compliance is unambiguously specified, and that the
meaning of compliance is clear.
If the ST does not include any compliance claims to an external
standard, this work unit is not applicable and therefore considered
to be satisfied.
The evaluator determines that any external standards to which
compliance is being claimed are specified in such a way that it may
be seen to which standard, or which parts of a standard, the
compliance claim is being made. The evaluator determines that the
standard, or portion of the standard, is clearly and unambiguously
specified, and that the meaning of compliance is clear and
unambiguous.
ASE_REQ.1.NIAP-0427-2C
ASE_REQ.1-NIAP-0427-2 The evaluator shall examine the ST to
determine that it stipulates how compliance to an external standard
is ascertained.
If the ST does not include any compliance claims to an external
standard, this work unit is not applicable and therefore considered
to be satisfied.
The evaluator determines that it is clear how compliance to an
external standard is achieved. This may be specified by a
refinement of an element of the ST. The refinement should make
clear if the standard compliance is met through evaluator actions,
or by having a third party independent laboratory show compliance
(e.g., by use of the results produced by an accredited FIPS-140
laboratory).
PROJECTED IMPACT:
Negligible impact anticipated.
SUPPORT:
In some instances, it is appropriate for a PP/ST to claim compliance
with an external standard, such as the definition of an encryption
algorithm. When the standards document provides only one mode of
operation of the algorithm, or level of use of the algorithm, this is
not a problem. However, some standards define multiple approaches, and
a simple citation is insufficient. This interpretation requires
citations of an external standard to be unambiguous with respect to
what is being required. If the standard specifies multiple modes or
manners of operations, the citation must be specific enough to
determine which mode or manner of operation applies to the TSF.
Additionally, there are many ways of determining compliance with a
standard. It may be performed as part of the TOE evaluation, it might
be a developer claim, or it might be verified by an independent party.
In order to have consistency across evaluations, the PP/ST author
should specify the means of determining compliance, so that
consistency of interpretation across all uses of the PP/ST is
achieved.
Note: This interpretation is superseding a previously-approved formal
interpretation primarily to reflect modifications to the
interpretation format. The intent of the interpretation has not been
changed, although some specifics of the criteria changes or the
support may have been clarified or corrected.