PD-0101: Level of Detail Necessary for Assurance Requirements on Third Party Products
- Subject: PD-0101: Level of Detail Necessary for Assurance Requirements on Third Party Products
- From: "Observation Decisions Review Board" <email@example.com>
- Date: Mon, 08 Mar 2004 09:35:47 -0800
- Content-description: Mail message body
- Content-transfer-encoding: 7BIT
- Content-type: text/plain; charset=US-ASCII
- Priority: normal
- Reply-To: firstname.lastname@example.org
This decision represents a long-term technical decision based on a
previously issued OD, and may not be the same as the final results of
the source OD. It provides suggested guidance on evaluation direction,
but is not the authoritative final answer. Authoritative final answers
are provided through the published criteria documents and published
scheme and international interpretations thereof.
Decision Date: 2003-12-22
Last Modified 2004-03-08
Must all the development assurance requirements specified for a
product be met for all parts of the TOE? This question includes
hardware and software as well as parts of a TOE supplied by third
parties who cannot or will not supply the required documentation,
thereby leaving the sponsor of the evaluation unable to completely
meet the development requirements.
All portions of the TOE, hardware or software, purchased or developed,
must comply with the assurance requirements. If they cannot, the TOE
boundary must be moved to exclude from the TOE those components for
which there is inadequate assurance evidence, and the ST made
consistent with it.
Alternatively, a "least common denominator" EAL may be chosen that can
be met by the entire TOE, additional augmented assurance components
being provided for those components that can provide additional
assurance. This additional assurance could be highlighted in the ETR
Note that either excluding components from the TOE, or reducing the
overall EAL of the TOE, will likely have an impact on the ability of
the TOE to cover threats, OSPs, and objectives. It will also likely
have an impact on any claims of PP compliance.
When an EAL is claimed for a TOE that means that the entire TOE meets
those assurance requirements. This includes hardware, software, third
party products, peripheral devices, mechanical arrangements -- in
general whatever TOE components may be mentioned in the TOE
description. If those requirements prove too onerous for a sponsor to
meet, then that sponsor will either have to:
1. Descope what is included in the TOE until adequate assurance
evidence, at the level detailed in the ST, can be provided for all
2. Make the necessary arrangements with third-party vendors to
provide adequate assurance evidence.
3. Take the assurance level for the TOE as a whole to the lowest
common denominator, and then provide additional (explicitly
specified) assurance components that specify a scope applying them
to those TOE components for which additional assurance can be
The following interpretations have been approved that agree with the
idea that all portions of the TOE are to be described at the same
level in the ST and in evaluation evidence.
* CCIMB-INTERP-0025 - Level of detail required for hardware
* CCIMB-INTERP-0037 - ACM on Product or TOE?
* I-0434 Treatment Of TSF Components Provided By A Third-Party.
* CEM v1.0 Part 2, August 1999, CEM-99/045
* CEM Part 2: Evaluation Methodology, Supplement: ALC_FLR - Flaw
Remediation, Version 1.1, February 2002, CEM-2001/0015R
* RI # 25 - Level of detail required for hardware descriptions,
dictates that ADV design decomposition for hardware must be
determined by the impact that the hardware features have upon the
security functions and assurances being claimed.
* RI # 37 - ACM on Product or TOE? States: "The ACM requirements
cover the TOE and information related to the TOE."
* I-0434 Treatment of TSF Components Provided By A Third-Party
states "Third-party components included in the TSF are treated no
differently from components provided directly by the developer
unless the PP or ST includes explicitly stated assurance
components or refinements to assurance components that indicate
* PD-0002: Level of Detail about Hardware and Firmware incorporated
into RI # 25
* I-0434: Treatment Of TSF Components Provided By A Third-Party
Date Index |
Thread Index |
Problems or questions? Contact email@example.com