PD-0101: Level of Detail Necessary for Assurance Requirements on Third Party Products




   This decision represents a long-term technical decision based on a
   previously issued OD, and may not be the same as the final results of
   the source OD. It provides suggested guidance on evaluation direction,
   but is not the authoritative final answer. Authoritative final answers
   are provided through the published criteria documents and published
   scheme and international interpretations thereof.


   Decision Date: 2003-12-22
   Last Modified: 2004-03-08

Issue

   Must all the development assurance requirements specified for a
   product be met for all parts of the TOE? This question includes
   hardware and software as well as parts of a TOE supplied by third
   parties who cannot or will not supply the required documentation,
   thereby leaving the sponsor of the evaluation unable to completely
   meet the development requirements.

Resolution

   All portions of the TOE, hardware or software, purchased or developed,
   must comply with the assurance requirements. If they cannot, the TOE
   boundary must be moved to exclude from the TOE those components for
   which there is inadequate assurance evidence, and the ST made
   consistent with it.

   Alternatively, a "least common denominator" EAL may be chosen that can
   be met by the entire TOE, with augmented assurance components provided
   for those TOE components that can support additional assurance. This
   additional assurance could be highlighted in the ETR and VR.

   Note that either excluding components from the TOE, or reducing the
   overall EAL of the TOE, will likely have an impact on the ability of
   the TOE to cover threats, OSPs, and objectives. It will also likely
   have an impact on any claims of PP compliance.

Support

   When an EAL is claimed for a TOE, that means that the entire TOE meets
   those assurance requirements. This includes hardware, software,
   third-party products, peripheral devices, mechanical arrangements -- in
   general whatever TOE components may be mentioned in the TOE
   description. If those requirements prove too onerous for a sponsor to
   meet, then that sponsor will have to do one of the following:

    1. Descope what is included in the TOE until adequate assurance
       evidence, at the level detailed in the ST, can be provided for all
       TOE components.

    2. Make the necessary arrangements with third-party vendors to
       provide adequate assurance evidence.

    3. Take the assurance level for the TOE as a whole to the lowest
       common denominator, and then provide additional (explicitly
       specified) assurance components that specify a scope applying them
       to those TOE components for which additional assurance can be
       provided.

   The following interpretations have been approved that agree with the
   idea that all portions of the TOE are to be described at the same
   level in the ST and in evaluation evidence.

     * CCIMB-INTERP-0025 - Level of detail required for hardware
       descriptions

     * CCIMB-INTERP-0037 - ACM on Product or TOE?

     * I-0434 - Treatment Of TSF Components Provided By A Third-Party

References:

     * CEM v1.0 Part 2, August 1999, CEM-99/045
     * CEM Part 2: Evaluation Methodology, Supplement: ALC_FLR - Flaw
       Remediation, Version 1.1, February 2002, CEM-2001/0015R
     * RI # 25 - Level of detail required for hardware descriptions,
       dictates that ADV design decomposition for hardware must be
       determined by the impact that the hardware features have upon the
       security functions and assurances being claimed.
     * RI # 37 - ACM on Product or TOE? States: "The ACM requirements
       cover the TOE and information related to the TOE."
     * I-0434 Treatment of TSF Components Provided By A Third-Party
       states "Third-party components included in the TSF are treated no
       differently from components provided directly by the developer
       unless the PP or ST includes explicitly stated assurance
       components or refinements to assurance components that indicate
       otherwise"
     * PD-0002: Level of Detail about Hardware and Firmware incorporated
       into RI # 25

Related NIs:

     * I-0434: Treatment Of TSF Components Provided By A Third-Party

Related CCIMB-INTERPs:

     * None






