| Date: | 02/16/2001 |
| Subject: | Threats met by environment |
| CC Part #1 Reference: | CC Part 1, Annex B.2.5 CC Part 1, Annex C.2.5 |
| CC Part #2 Reference: | |
| CC Part #3 Reference: | CC Part 3, Section 4.4 (APE_OBJ) CC Part 3, Section 5.4 (ASE_OBJ) |
| CEM Reference: |
CC Part 1 B.2.5 and C.2.5 state that:
security objectives for the environment shall be clearly stated and traced back to aspects of identified threats not completely countered by the TOE [...].
CC Part 1 paras 196 b) and 212 b) state:
A description of threats shall include all threats against which specific protection within the TOE or its environment is required.
The following text is inserted in CC Part 1, paras 198 and 214, after the third sentence:
A threat may be countered by one or more objectives for the TOE, one or more objectives for the environment, or a combination of these.
A threat may therefore be addressed entirely by one or more objectives for the environment. An extreme case would be where there are no security objectives for the TOE. Whilst this remains a valid use of the PP/ST construct, a TOE for which all threats and OSPs are addressed by the environment would be of questionable utility, as for such a TOE there would be no security functional requirements for the TOE. Certification/validation of such a TOE is a scheme issue.
Threats should be included in a PP/ST where they are relevant to secure TOE operation. A threat may therefore be addressed entirely by an objective for the environment. An extreme case would be where there were no security objectives for the TOE. Whilst this remains a valid use of the PP/ST construct, a TOE for which all threats and OSPs are addressed by the environment would be of questionable utility, as for such a TOE there would be no security functional requirements for the TOE. Certification/validation of such a TOE is a scheme issue.