PD 0148: Excluded Functionality and Policy 13

["Observation Decisions Review Board" <faigin@aero.org>]

In response to a product that exhibited the characteristics of multiple
Technology Types, a question arose about whether both technology types
must be included in the ST. Based on the resulting decision, the ODRB is
issuing the following PD: 


TITLE
Excluded Functionality and Policy 13

ISSUE
When a product exhibits features of multiple Technology Types, is it
necessary to include the appropriate security functionality of all of
those Technology Types in the Security Target? 


RESOLUTION
In the case that a product can be used as one of multiple Technology
Types, the vendor may satisfy Policy 13 by including only the security
functionality appropriate to a single one of those Technology Types, if
so desired. If there is a dispute about whether a particular implemented
Technology Type must be included within the Security Target, the author
of the Letter of Intent should be contacted to determine if the
evaluated functionality meets their requirements as a customer.  This PD
is applicable only if the Technology Type that a product operates can be
selected by configuration - if the product comprises multiple Technology
Types and none can be disabled, then all Technology Types shall be
included. 


RATIONALE
Policy 13 requires that the logical boundary of a non-component TOE be
determined either as including all functionality that would commonly be
regarded as security functionality for that product type by the user
community, or by compliance to a validated Protection Profile.  The
rationale for this requirement in Policy 13 is to prevent TOEs whose
security claims are reduced to such an extent that the utility of the
evaluated TOE is limited.  A TOE's security claims can be limited to the
appropriate set for a single supported technology type without violating
the goal of Policy 13, namely to produce more meaningful evaluation
results.