Re: Multiple PP conformance conflicts



The NIB expects that sponsors will want to make claims of compliance to 
multiple PPs. In cases of conflicting PPs, the evaluator may need to guide the 
vendor in choosing the correct PP for the conformance claim. However, one or 
more of the following suggestions might avoid this problem, or at least 
mitigate it.

1.  The ST authors might choose to use multiple refinements to scope the
    subjects (e.g.) so as not to conflict. 

2.  The sponsor might choose to configure each product to avoid the
    conflict. For example, not allowing an administrator for Product Two
    to perform a conflicting operation, and shifting that responsibility
    to an administrator for Product One. 

3.  The vendor may be able to make modifications to the product that
    would allow a configuration that would meet both PPs. 

4.  The evaluators may write notes in the evaluation documents to
    indicate the fact that PP compliance would have been achieved except
    for the conflicting entities. 

5.  The evaluators may pursue an OR against one (or both) of the PPs.
    This is an especially good course to follow if it is obvious that
    the PPs should work together and the conflict is due to a PP author
    attempting to cover more territory than was really necessary. 

6.  The evaluators may choose to recommend that two evaluations be
    pursued, each claiming conformance to a different PP. 

It should also be noted that even if one or more of the above might seem to 
solve the conflict, there may be a deeper problem. Specifically, the threats and 
objectives of the two profiles may be seriously out-of-alignment, indicating 
that the two PPs really should not be used together at all.

In any case, it is paramount to focus on what is most important for the 
customer. Those requirements are what really matter. 






