Remove me from this list
Justin E. Creech
Information Assurance Specialist
From: firstname.lastname@example.org [mailto:email@example.com] On Behalf Of Daniel P. Faigin
Sent: Thursday, July 15, 2004 12:19 PM
To: Multiple recipients of list
Subject: Clarification of rules when incorporating NIAP interps
On Thu, 15 Jul 2004 12:05:16 -0400 (EDT), Tom Benkart <firstname.lastname@example.org> said:
> NIAP interps are considered recommended but not required. This policy does
> not clearly state the rules by which the labs should evaluate PPs/STs when
> they include NIAP interps. Hopefully the following questions clarify the
> issues - they all assume at least 1 NIAP interp is included in the PP/ST.
Hopefully, my answers will help; they are based on my experience as a validator and a NIB member.
> 1. Is the PP/ST author required to incorporate all relevant NIAP interps as
> of a specified date (presumably the date of the kick-off meeting), similar
> to the requirement for international interps?
Required? Not under current CCEVS policy. However, the policy is that if you choose not to incorporate an interpretation (or a PD, by the way), you should provide justification as to why it was not necessary to follow it (i.e., they are treated as normative "shoulds": you do them unless you can provide convincing justification as to why they were unnecessary). I believe this was captured in a PD.
> 2. If the author is free to pick and choose individual NIAP interps (if
> the answer to question 1 is no), is it permissible to reference a NIAP
> interp that has been superseded by another NIAP interp? The time required
> to produce the document may be lengthy (especially for PPs), and the
> superseding may occur long after the author finished specifying the SFRs.
I'm not sure what you are asking, but if you are indicating that the reason for not following a specific interpretation is that it has been superseded, and you are following the replacement, that seems sufficient justification.
> 3. The specific instance prompting this email is inclusion of
> FAU_GEN.1.2-NIAP-0410. NIAP-0347 relabels this SFR as
> FAU_GEN.1.2-NIAP-0347, in effect superseding just a part of NIAP-0410. Is
> it Ok to still identify the SFR as FAU_GEN.1.2-NIAP-0410, or is it required
> to reference the more recent NIAP interp affecting that SFR? A further
> complication is that NIAP-0347 does not supersede NIAP-0410, since
> NIAP-0347 only addresses a subset of the SFRs addressed by NIAP-0410. One
> can argue that NIAP-0347 is flawed and should be redone so that NIAP-0410
> could be superseded, but that is not an immediate solution.
The NIB has discovered that this notation we thought would simplify things actually makes it worse. I'd focus on the words, not the tags. However, I do feel you should make a list of all applicable NIs and PDs, and indicate where they are addressed, or why they were not addressed.
> I favor a simple rule - if any NIAP interps are incorporated into a
> then the author must incorporate all relevant NIAP interps as of the date
> of the kick-off meeting.
You need to address, either through incorporating or providing a rationale for non-incorporation, all applicable interps and PDs as of the kickoff meeting.