RE: I-0436: Compliance Claims Against A Flawed PP
- Subject: RE: I-0436: Compliance Claims Against A Flawed PP
- From: "Arnold, James L. Jr." <JAMES.L.ARNOLD.JR@saic.com>
- Date: Wed, 25 Jun 2003 08:52:03 -0400
The CCEVS has issued a policy statement that previous evaluation results can
be reused to the extent it can be shown they are still valid. This policy
applies significantly to the evaluation of an ST that is conformant with an
evaluated PP. In fact, this is the primary value of evaluating PPs. Hence,
it is not clear how an evaluation team would find a flaw, and even if they
did, the previous evaluation result would still be valid based on that
policy.

I certainly agree that flawed PPs should not hinder ST evaluation. However,
it seems as though this interpretation does. I don't have a problem with
recommending that an Observation Report should be submitted when problems
are identified, but I don't think it is reasonable to ask the ST evaluation
team to seek opinions of the PP authors in order to try to reconcile
problems in the ST. The PP author answers are subject to change over time
and author-to-author and the issue of conformance may be questionable in the
end.

Note that I think that this is really more an issue of policy and not one of
interpretation.

> -----Original Message-----
> From: NIAP Interpretations Board [mailto:ccevs-nib@nist.gov]
> Sent: Tuesday, May 13, 2003 1:50 PM
> To: Multiple recipients of list
> Subject: I-0436: Compliance Claims Against A Flawed PP
>
>
> [The following is the ASCII version of the proposal. A pretty-printed PDF
> version is attached.]
>
> The following is a proposal for formal guidance related to the Common
> Criteria and ancillary documents. It is being posted in accordance with
> the procedures of the IWG.
>
> Comments on this proposal are welcomed and should be posted to this
> transaction chain. If any party wishes to post a comment anonymously,
> the comment should be mailed to cc-cmt@nist.gov in a form suitable for
> posting. All comments should be posted no later than Tuesday, July 1,
> 2003.
>
>
> CCITSE/CEM GUIDANCE (PROPOSED)
>
>
> _________________________________________________________________
>
> I-0436: Compliance Claims Against A Flawed PP
> _________________________________________________________________
>
> TYPE: Guidance
> NUMBER: I-0436
> STATUS: Ready for External Review
>
> TITLE: Compliance Claims Against A Flawed PP
> COMMENTS DUE BY: Tuesday, July 1, 2003 to cc-cmt@nist.gov
>
> SOURCE REFERENCE: CC v2.1 Part 3 Subclause 5.5 ASE_PPC
> CEM v1.0 Part 2 Subclause 4.4.5 ASE_PPC.1
> RELATED TO: <None>
>
> ISSUE:
>
> What should be done when an ST claims compliance to a PP that the
> evaluation team determines to be flawed?
>
> STATEMENT
>
> When the PP underlying an ST is determined to be flawed, the ST should
> be appropriately corrected so that it (a) will pass evaluation, and
> (b) is consistent with the objective and intent of the underlying PP.
> The PP Compliance Claim should provide justification provided that the
> corrections are consistent with the PP. The method of determining the
> appropriate correction should be based on the procedures of the scheme
> that issued the PP.
>
> SPECIFIC INTERPRETATION
>
> As the ASE criteria are still in flux, a specific change is not
> provided. However, the basic notion is to add something to the PP
> compliance requirements along the lines of:
>
> Each PP claim shall identify any new errors identified in the
> underlying PP, how they were corrected, and how the correction does
> not violate the intent of the PP.
>
> SUPPORT:
>
> The basic notion underlying this guidance is that a flawed PP should
> not hinder the evaluation of STs. Thus, when such a problem is
> identified, it should be corrected in such a manner as to maintain the
> intent of the PP while fixing the flawed words.
>
> For PPs issued or evaluated under the CCEVS evaluation scheme, such
> problems should result in an Observation Report that is submitted to
> CCEVS. CCEVS will consult with the authors of the PP (if possible)
> and/or the PP Review Board to determine the original intent, and will
> issue a decision on how to correct the problematic requirements in the
> context of the ST's evaluation. Such an OR then serves as
> justification that the PP compliance claim is still valid even with
> the change.
>
>
>