Re: PD-0101: Level of Detail Necessary for Assurance Requirements on Third Party Products
- From: "Dr.Ir. D.J. Out" <out@itsef.tno.nl>
- Date: Mon, 08 Mar 2004 19:27:26 +0100
- Organization: TNO-ITSEF BV
- References: <404C3E73.3003.76FFB2B9@localhost>

Technically, this interpretation implies that, if my TOE is e.g. a
Hardware Security Module that I'm evaluating on EAL4, I also have to
apply ACM/ALC/ADO and perform a site audit on the manufacturer of:

A) the Intel 80386 inside the security module
B) the standard dime-a-dozen RAM chips used in the module
C) the purposefully developed PCB used in the module
D) the Walmart screws used to screw the PCB to the box

A may or may not be reasonable, D is not.

Should some sort of "reasonableness" be inserted in this, or should it
be applied to the last screw?

Dirk-Jan Out

Observation Decisions Review Board wrote:
>
> This decision represents a long-term technical decision based on a
> previously issued OD, and may not be the same as the final results of
> the source OD. It provides suggested guidance on evaluation direction,
> but is not the authoritative final answer. Authoritative final answers
> are provided through the published criteria documents and published
> scheme and international interpretations thereof.
>
>
> Decision Date: 2003-12-22
> Last Modified 2004-03-08
>
> Issue
>
> Must all the development assurance requirements specified for a
> product be met for all parts of the TOE? This question includes
> hardware and software as well as parts of a TOE supplied by third
> parties who cannot or will not supply the required documentation,
> thereby leaving the sponsor of the evaluation unable to completely
> meet the development requirements.
>
> Resolution
>
> All portions of the TOE, hardware or software, purchased or developed,
> must comply with the assurance requirements. If they cannot, the TOE
> boundary must be moved to exclude from the TOE those components for
> which there is inadequate assurance evidence, and the ST made
> consistent with it.
>
> Alternatively, a "least common denominator" EAL may be chosen that can
> be met by the entire TOE, additional augmented assurance components
> being provided for those components that can provide additional
> assurance. This additional assurance could be highlighted in the ETR
> and VR.
>
> Note that either excluding components from the TOE, or reducing the
> overall EAL of the TOE, will likely have an impact on the ability of
> the TOE to cover threats, OSPs, and objectives. It will also likely
> have an impact on any claims of PP compliance.
>
> Support
>
> When an EAL is claimed for a TOE that means that the entire TOE meets
> those assurance requirements. This includes hardware, software, third
> party products, peripheral devices, mechanical arrangements -- in
> general whatever TOE components may be mentioned in the TOE
> description. If those requirements prove too onerous for a sponsor to
> meet, then that sponsor will either have to:
>
> 1. Descope what is included in the TOE until adequate assurance
> evidence, at the level detailed in the ST, can be provided for all
> TOE components.
>
> 2. Make the necessary arrangements with third-party vendors to
> provide adequate assurance evidence.
>
> 3. Take the assurance level for the TOE as a whole to the lowest
> common denominator, and then provide additional (explicitly
> specified) assurance components that specify a scope applying them
> to those TOE components for which additional assurance can be
> provided.
>
> The following interpretations have been approved that agree with the
> idea that all portions of the TOE are to be described at the same
> level in the ST and in evaluation evidence.
>
> * CCIMB-INTERP-0025 - Level of detail required for hardware
> descriptions
>
> * CCIMB-INTERP-0037 - ACM on Product or TOE?
>
> * I-0434 Treatment Of TSF Components Provided By A Third-Party.
>
> References:
>
> * CEM v1.0 Part 2, August 1999, CEM-99/045
> * CEM Part 2: Evaluation Methodology, Supplement: ALC_FLR - Flaw
> Remediation, Version 1.1, February 2002, CEM-2001/0015R
> * RI # 25 - Level of detail required for hardware descriptions,
> dictates that ADV design decomposition for hardware must be
> determined by the impact that the hardware features have upon the
> security functions and assurances being claimed.
> * RI # 37 - ACM on Product or TOE? States: "The ACM requirements
> cover the TOE and information related to the TOE."
> * I-0434 Treatment of TSF Components Provided By A Third-Party
> states "Third-party components included in the TSF are treated no
> differently from components provided directly by the developer
> unless the PP or ST includes explicitly stated assurance
> components or refinements to assurance components that indicate
> otherwise"
> * PD-0002: Level of Detail about Hardware and Firmware incorporated
> into RI # 25
>
> Related NIs:
>
> * I-0434: Treatment Of TSF Components Provided By A Third-Party
>
> Related CCIMB-INTERPs:
>
> * None
>
>
>
>
>
>
--
TNO ITSEF BV
P.O. Box 96864 tel +31 70 374 0304
2509 JG The Hague fax +31 70 374 0651
The Netherlands www.commoncriteria.nl