Final Interpretation for RI # 140 - Guidance Includes AGD_ADM, AGD_USR, ADO, and ALC_FLR

Date: 07/15/2003
Subject: Guidance Includes AGD_ADM, AGD_USR, ADO, and ALC_FLR
CC Part #1 Reference: 
CC Part #2 Reference: 
CC Part #3 Reference: CC Part 3, Section 11 AGD
CEM Reference: 

Issue:

The CC defines the TOE as the IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation. In turn, the CC explicitly defines two guidance document types: User Guidance and Administrator Guidance. However, these two documents do not include all the information that constitutes guidance to the users and administrators of the TOE.

This raises two issues: 1) who are the users of the TOE that require guidance, and 2) where do the delivery, installation, and startup guidance and the flaw remediation guidance fit into the overall scheme of guidance document requirements?

The definition of the TOE should not single out specific 'types' of users. Guidance documentation is required by 'all' users of the TOE to ensure the secure delivery, installation, configuration, operation, management, and use of the TOE. For example, this includes general users, privileged users, integrators, installers, and maintainers, and the scope of such documentation covers guidance for installation, configuration, operation, general use, management use, error reporting, recovery, etc.

The TOE should be defined in terms of 1) the product or system to be evaluated and 2) the guidance documentation that supports the application and use of the TOE.



Interpretation

The TOE is defined as the IT product or system and its associated guidance documentation that is the subject of an evaluation. The scope of guidance documentation is that which is required to securely deliver, install, configure, operate, maintain and use the TOE for its intended purpose.



Specific Changes

The following changes are made to CC Part 1, Glossary:

Target of Evaluation - An IT product or system and its associated guidance documentation that is the subject of an evaluation.

Guidance Documentation - Guidance documentation describes the delivery, installation, configuration, operation, management and use of the TOE as these activities apply to the users, administrators, and integrators of the TOE. The requirements on the scope and contents of guidance documents are defined in a PP or ST.

 

Additionally, the following text is appended to Part 3, Clause 11, paragraph 370:

Guidance documentation includes user and administrator guidance and, when included in the assurance package, the specific guidance for users and administrators resulting from the requirements in the ADO class and the ALC_FLR family.

Rationale

No additional rationale is required; the interpretation speaks for itself.