Draft Interpretation for RI 192 - Sequencing of sub-activities



With the demise of commoncriteria.org, there is no place currently available
to post Draft Interpretations for comment. Until a new permanent website is
established, they will be shared on this discussion list; they are also
being temporarily posted on the CCEVS website
(http://niap.nist.gov/cc-scheme/interpretations.html). 

Readers are encouraged to provide their comments to this draft by replying
to this message.
----------------------------------------------------

Issue 
The CEM is misleading on whether a pass verdict on a sub-activity can be
assigned if all sub-activities on which it has a dependency are successfully
completed. This leads to trouble with sequencing ASE_INT and ASE_DES, which
have a circular dependency.

CEM para 1801 and further: "Dependencies identified between components in CC
Part 3 have to be considered by the evaluator. An example for this kind of
dependency is AVA_VLA.1. This component claims dependencies on ADV_FSP.1,
ADV_HLD.1, AGD_ADM.1 and AGD_USR.1. A sub-activity can be assigned a pass
verdict normally only if all those sub-activities are successfully completed
on which it has a dependency. For example, a pass verdict on AVA_VLA.1 can
normally only be assigned if the sub-activities related to ADV_FSP.1,
ADV_HLD.1, AGD_ADM.1 and AGD_USR.1 are assigned a pass verdict too."

Consider the following example (VLA): Two evaluators are both given a
functional specification, a high-level design, the administrator and user
guidance and are asked to evaluate AVA_VLA.1 based on these documents. One
evaluator is told that all sub-activities related to ADV_FSP.1, ADV_HLD.1,
AGD_ADM.1 and AGD_USR.1 are assigned a pass verdict. The other evaluator is
told that they haven't been assigned a pass verdict. Why can't the second
pass the sub-activity as the document input is the same?

Interpretation 
Performing a sub-activity can be done regardless of the pass/fail status of
other sub-activities that that sub-activity has a dependency on. However,
given that:
- evaluation of an input may uncover errors in that input 
- errors in that input will normally lead to changes in that input 
- the sub-activity may have to be redone whenever one of the inputs from
dependencies changes 
some sequences of sub-activities may have to be repeated. 

Specific Changes 
CEM, Annex B.4.2 is changed as follows: 
* Paragraphs 1801-1804 are replaced with the following:

Dependencies identified between components in CC Part 3 have to be
considered by the evaluator. An example for this kind of dependency is
AVA_VLA.1. This component claims dependencies on ADV_FSP.1, ADV_HLD.1,
AGD_ADM.1 and AGD_USR.1. 

A sub-activity can be assigned a pass verdict normally only if all those
sub-activities are successfully completed on which it has a dependency. For
example, a pass verdict on AVA_VLA.1 can normally only be assigned if the
sub-activities related to ADV_FSP.1, ADV_HLD.1, AGD_ADM.1 and AGD_USR.1 are
assigned a pass verdict too. 

So when determining whether a sub-activity will impact another sub-activity,
the evaluator should consider whether this activity depends on potential
evaluation results from any dependent sub-activities. Indeed, it may be the
case that a dependent sub-activity will impact this sub-activity, requiring
previously completed evaluator actions to be performed again. A significant
dependency effect occurs in the case of evaluator-detected flaws. If a flaw
is identified as a result of conducting one sub-activity, the assignment of
a pass verdict to a dependent sub-activity may not be possible until all
flaws related to the sub-activity upon which it depends are resolved. 





