Re: I-0434: Treatment Of TSF Components Provided By A Third-Party
- Subject: Re: I-0434: Treatment Of TSF Components Provided By A Third-Party
- From: "NIAP Interpretations Board" <faigin@aero.org>
- Date: Thu, 31 Jul 2003 19:45:12 -0700
- Content-type: Multipart/Mixed; boundary=Message-Boundary-3889
- Priority: normal
- Reply-to: cc-cmt@nist.gov
The following is a proposal for formal guidance related to the Common
Criteria and ancillary documents. It is being posted in accordance with
the procedures of the IWG.
Comments on this proposal are welcomed and should be posted to this
transaction chain. If any party wishes to post a comment anonymously,
the comment should be mailed to cc-cmt@nist.gov in a form suitable for
posting. All comments should be posted no later than Tuesday, October
28, 2003.
CCITSE/CEM GUIDANCE (PROPOSED)
_________________________________________________________________
I-0434: Treatment Of TSF Components Provided By A Third-Party
_________________________________________________________________
TYPE: Guidance
NUMBER: I-0434
STATUS: Ready for External Repost after Interpretations Board Rework/Review
TITLE: Treatment Of TSF Components Provided By A Third-Party
PREVIOUS POSTING: [cc-cmt 00558]
COMMENTS DUE BY: Tuesday, October 28, 2003 to cc-cmt@nist.gov
RELATED TO: <None>
CCIMB ENTRY: CCIMB-INTERP-0240
ISSUE:
How are components provided by a 3rd party to be addressed with
respect to the assurance requirements? Consider requirements such as
ACM or ALC. There are aspects of these requirements that are not
visible to a vendor incorporating a 3rd-party item (for example, the
configuration management mechanisms used by the 3rd-party vendor, or
the development site security or compiler options).
STATEMENT:
Third-Party components included in the TSF are treated no differently
from components provided directly by the developer, unless the PP or
ST explicitly indicates otherwise.
SUPPORT:
The TOE is the TOE. The definitions of TOE and TSF make no distinction
based on who is providing a component of the TOE, nor do flaws go away
simply because the component is developed by someone other than the
direct developer of the TOE.
If assurance cannot be provided for a 3rd-party component, that
component should be relegated to the IT environment, with the SFRs
being adjusted accordingly. Note that movement of a component may have
an impact on the ability to comply with a PP, if the 3rd party
component is required to address an element allocated to the TSF. In
such cases, a business decision must be made about the value of PP
compliance vs. the cost of evaluation of the 3rd-party component.
0434.pdf