Re: How to write assumptions



The NIB understands well why there are questions about assumptions.

The CC does not define a unique role for assumptions.  They do not have to be 
related back to threats.  They may simply "stand on their own" as statements 
about what the environment should be or should provide (which is actually the 
more proper use of the word "assumption").  However, the CC also states that 
assumptions may be related to threats.  Such associations do little more than 
convey to the reader the fact that the ST or PP author has thought about the 
threat.  Note also that the assumption need not completely cover the threat.  

In the example in the email thread, the function of the non-IT assumption "The 
TOE assumes that the root administrator is trusted and trained" could be to 
counter a stated threat, or it may merely serve to explain the absence of any 
objectives referring to root administrators (and therefore the absence of any 
TOE capabilities in that area).  





