level shall be consistent with the identified security objectives for the TOE. Optionally, specific strength of function metrics may be defined for selected functional requirements, in order to meet certain security objectives for the
As part of the strength of TOE security functions evaluation (AVA_SOF.1), it will be assessed whether the strength claims made for individual TOE security functions and the overall minimum strength level are met by the TOE.
2) The statement of TOE security assurance requirements should state the assurance requirements as one of the EALs optionally augmented by Part 3 assurance components. The ST may also extend the EAL by explicitly stating additional assurance requirements not taken from Part 3.
b) The optional statement of security requirements for the IT environment shall identify the IT security requirements that are to be met by the IT environment of the TOE. If the TOE has no asserted dependencies on the IT environment, this part of the ST may be omitted.
Note that security requirements for the non-IT environment, while often useful in practice, are not required to be a formal part of the ST as they do not relate directly to the implementation of the TOE.
c) The following common conditions shall apply equally to the expression of security functional and assurance requirements for the TOE and its IT environment:
1) All IT security requirements should be stated by reference to security requirements components drawn from Part 2 or Part 3 where applicable. Should none of the Part 2 or Part 3 requirements components be readily applicable to all or part of the security requirements, the ST may state those requirements explicitly without reference to the CC.
2) Any explicit statement of TOE security functional or assurance requirements shall be clearly and unambiguously expressed such that evaluation and demonstration of compliance is feasible. The level of detail and manner of expression of existing CC functional or assurance requirements shall be used as a model.
3) Any required operations shall be used to amplify the requirements to the level of detail necessary to demonstrate that the security objectives are met. All specified operations on the requirements components shall be performed.
4) All dependencies among the IT security requirements should be satisfied. Dependencies may be satisfied by the inclusion of the relevant requirement within the TOE security requirements, or as a requirement on the environment.
C.2.7 TOE summary specification
The TOE summary specification shall define the instantiation of the security requirements for the TOE. This specification shall provide a description of the security functions and assurance measures of the TOE that meet the TOE security requirements. Note that the functional information provided as part of the TOE summary specification could be identical in some cases to the information to be provided for the TOE as part of the ADV_FSP requirements.
The TOE summary specification contains the following:
a) The statement of TOE security functions shall cover the IT security functions and shall specify how these functions satisfy the TOE security functional requirements. This statement shall include a bi-directional mapping between functions and requirements that clearly shows which functions satisfy which requirements and that all requirements are met. Each security function shall, as a minimum, contribute to the satisfaction of at least one TOE security functional requirement.
1) The IT security functions shall be defined in an informal style to a level of detail necessary for understanding their intent.
2) All references to security mechanisms included in the ST shall be traced to the relevant security functions so that it can be seen which security mechanisms are used in the implementation of each function.
3) When AVA_SOF.1 is included in the TOE assurance requirements, all IT security functions that are realised by a probabilistic or permutational mechanism (e.g. a password or hash function), shall be identified. The likelihood to breach the mechanisms of such functions by deliberate or accidental attack is of relevance to the security of the TOE. A strength of TOE security function analysis shall be provided for all these functions. The strength of each identified function shall be determined and claimed as either SOF-basic, SOF-medium or SOF-high, or as the optionally defined specific metric. The evidence provided about the strength of function shall be sufficient to allow the evaluators to make their independent assessment and to confirm that the strength claims are adequate and correct.
b) The statement of assurance measures specifies the assurance measures of the TOE which are claimed to satisfy the stated assurance requirements. The assurance measures shall be traced to the assurance requirements so that it can be seen which measures contribute to the satisfaction of which requirements.
If appropriate, the definition of assurance measures may be made by reference to relevant quality plans, life cycle plans, or management plans.
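The checks that item a) of the TOE summary specification implies (every requirement met by some function, every function contributing to at least one requirement, and a strength claim for each probabilistic function when AVA_SOF.1 applies) can be run mechanically over an ST's traceability table. The following is an added example, not part of the CC text; the `SF.*` function names, the dictionary layout and the sample data are constructed assumptions.

```python
# Added example: consistency check of a TOE summary specification.
# Data layout and SF.* names are hypothetical; SFR ids are CC Part 2 components.
VALID_SOF = {"SOF-basic", "SOF-medium", "SOF-high"}

def check_summary_spec(sfrs, functions, assurance_reqs, specific_metrics=()):
    """Return a list of findings; an empty list means the mapping is consistent."""
    findings, covered, known = [], set(), set(sfrs)
    for name, sf in functions.items():
        satisfied = set(sf.get("satisfies", ()))
        for req in sorted(satisfied - known):
            findings.append(f"{name}: maps to {req}, which is not a stated TOE SFR")
        if not satisfied & known:
            # Each function must contribute to at least one TOE SFR.
            findings.append(f"{name}: contributes to no TOE SFR")
        covered |= satisfied & known
        # A strength claim is only required when AVA_SOF.1 is claimed.
        if "AVA_SOF.1" in assurance_reqs and sf.get("probabilistic"):
            claim = sf.get("sof_claim")
            if claim not in VALID_SOF and claim not in specific_metrics:
                findings.append(f"{name}: probabilistic mechanism without a valid SOF claim")
    for req in sorted(known - covered):
        # Reverse direction of the mapping: all requirements must be met.
        findings.append(f"{req}: not satisfied by any security function")
    return findings

# Constructed sample: an incomplete draft ST and its corrected version.
SFRS = ["FIA_UAU.2", "FIA_SOS.1", "FAU_GEN.1"]
DRAFT = {
    "SF.AUTH": {"satisfies": ["FIA_UAU.2", "FIA_SOS.1"],
                "probabilistic": True, "sof_claim": None},
    "SF.AUDIT": {"satisfies": [], "probabilistic": False},
}
FIXED = {
    "SF.AUTH": {"satisfies": ["FIA_UAU.2", "FIA_SOS.1"],
                "probabilistic": True, "sof_claim": "SOF-medium"},
    "SF.AUDIT": {"satisfies": ["FAU_GEN.1"], "probabilistic": False},
}

if __name__ == "__main__":
    for finding in check_summary_spec(SFRS, DRAFT, {"AVA_SOF.1"}):
        print(finding)
```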
C.2.8 PP claims
The ST may optionally make a claim that the TOE conforms with the requirements of one (or possibly more than one) PP. For any PP conformance claims made, the ST shall include a PP claims statement that contains the explanation, justification, and any other supporting material necessary to substantiate the claims.
The content and presentation of the ST statements of TOE objectives and requirements could be affected by PP claims made for the TOE. The impact on the ST can be summarised by considering the following cases for each PP claimed:
a) If there is no claim of PP compliance made, then the full presentation of the TOE objectives and requirements should be made as described in this annex. No PP claims are included.
b) If the ST claims only compliance with the requirements of a PP without need for further qualification, then reference to the PP is sufficient to define and justify the TOE objectives and requirements. Restatement of the PP contents is unnecessary.
c) If the ST claims compliance with the requirements of a PP, and that PP requires further qualification, then the ST shall show that the PP requirements for qualification have been met. Such a situation would typically arise where the PP contains uncompleted operations. In such a situation, the ST may refer to the specific requirements but complete the operations within the ST. In some circumstances, where the requirements to complete operations are substantial, it may be preferable to restate the PP contents within the ST as an aid to clarity.
d) If the ST claims compliance with the requirements of a PP but extends that PP by the addition of further objectives and requirements, then the ST shall define the additions, whereas a PP reference may be sufficient to define the PP objectives and requirements. In some circumstances, where the additions are substantial, it may be preferable to restate the PP contents within the ST as an aid to clarity.
e) The case where an ST claims to be partially conformant to a PP is not admissible for CC evaluation.
The CC is not prescriptive with respect to the choice of restating or referencing PP objectives and requirements. The fundamental requirement is that the ST content be complete, clear, and unambiguous such that evaluation of the ST is possible, the ST is an acceptable basis for the TOE evaluation, and the traceability to any claimed PP is clear.
If any PP conformance claim is made, the PP claims statement shall contain the following material for each PP claimed.
a) The PP reference statement shall identify the PP for which compliance is being claimed plus any amplification that may be needed with respect to that claim. A valid claim implies that the TOE meets all the requirements of the PP.
b) The PP tailoring statement shall identify the IT security requirements statements that satisfy the permitted operations of the PP or otherwise further qualify the PP requirements.
c) The PP additions statement shall identify the TOE objectives and requirements statements that are additional to the PP objectives and requirements.
This part of the ST presents the evidence used in the ST evaluation. This evidence supports the claims that the ST is a complete and cohesive set of requirements, that a conformant TOE would provide an effective set of IT security countermeasures within the security environment, and that