The following is a proposal for formal guidance related to the Common Criteria and ancillary documents. It is being posted in accordance with the procedures of the IWG. Comments on this proposal are welcomed and should be posted to this transaction chain. If any party wishes to post a comment anonymously, the comment should be mailed to email@example.com in a form suitable for posting. All comments should be posted no later than Tuesday, October 28, 2003. CCITSE/CEM GUIDANCE (PROPOSED) _________________________________________________________________ I-0434: Treatment Of TSF Components Provided By A Third-Party _________________________________________________________________ TYPE: Guidance NUMBER: I-0434 STATUS: Ready for External Repost after Interpretations Board Rework/Review TITLE: Treatment Of TSF Components Provided By A Third-Party PREVIOUS POSTING: [cc-cmt 00558] COMMENTS DUE BY: Tuesday, October 28, 2003 to firstname.lastname@example.org RELATED TO: <None> CCIMB ENTRY: CCIMB-INTERP-0240 ISSUE: How are components provided by a 3rd party to be addressed with respect to the assurance requirements? Consider requirements such as ACM or ALC. There are aspects of these requirements that are not visible to a vendor incorporating a 3rd party item (for example, the configuration management mechanisms used by the 3rd party vendor, or the development site security or compiler options)? STATEMENT Third-Party components included in the TSF are treated no differently from components provided directly by the developer, unless the PP or ST explicitly indicates otherwise. SUPPORT: The TOE is the TOE. The definitions of TOE and TSF make no distinction based on who is providing a component of the TOE, nor do flaws go away simply because the component is developed by someone other than the direct developer of the TOE. If assurance cannot be provided for a 3rd-party component, that component should be relegated to the IT environment, with the SFRs being adjusted accordingly. Note that movement of a component may have an impact on the ability to comply with a PP, if the 3rd party component is required to address an element allocated to the TSF. In such cases, a business decision must be made about the value of PP compliance vs. the cost of evaluation of the 3rd-party component.