Revised Final Interpretation for RI # 51 - Use of documentation without C & P elements.

Date: 10/25/2002
Subject: Use of documentation without C & P elements.
Revision: 1
Reason for revision: Changes in CC Part 3 required corresponding CEM changes
CC Part #1 Reference: 
CC Part #2 Reference: 
CC Part #3 Reference: CC Part 3, Section 9.2 (ADO_IGS)
CC Part 3, Section 14.4 (AVA_VLA)
CEM Reference: CEM, Section 6.9.2 (AVA_VLA.1)
CEM, Section 7.10.3 (AVA_VLA.1)
CEM, Section 8.10.3 (AVA_VLA.2)

Issue:

There are two instances where the CC does not expand on which documentation must meet the content and presentation requirements: ADO_IGS and AVA_VLA. Do these refer to the same documentation in the developer action elements?



Interpretation

The content and presentation elements of ADO_IGS and AVA_VLA families apply to the documentation identified in the developer action elements of these families.



Specific Changes

The following changes are made to CC Part 3:

ADO_IGS.*.1C is replaced with:

The installation, generation and start-up documentation shall describe all the steps necessary for secure installation, generation and start-up of the TOE.

ADO_IGS.2.2C is replaced with:

The installation, generation and start-up documentation shall describe procedures capable of creating a log containing the generation options used to generate the TOE in such a way that it is possible to determine exactly how and when the TOE was generated.

The developer action elements for AVA_VLA.* are replaced with:

AVA_VLA.*.1D The developer shall perform a vulnerability analysis.AVA_VLA.*.2D The developer shall provide vulnerability analysis documentation.

The content and presentation elements for AVA_VLA.1 are replaced with:

AVA_VLA.1.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for obvious ways in which a user can violate the TSP.

AVA_VLA.1.2C The vulnerability analysis documentation shall describe the disposition of obvious vulnerabilities.

AVA_VLA.1.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.

The content and presentation elements for AVA_VLA.2 are replaced with:

AVA_VLA.2.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for ways in which a user can violate the TSP.

AVA_VLA.2.2C The vulnerability analysis documentation shall describe the disposition of identified vulnerabilities.

AVA_VLA.2.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.

AVA_VLA.2.4C The vulnerability analysis documentation shall justify that the TOE, with the identified vulnerabilities, is resistant to obvious penetration attacks.

The content and presentation elements for AVA_VLA.3 are replaced with:

AVA_VLA.3.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for ways in which a user can violate the TSP.

AVA_VLA.3.2C The vulnerability analysis documentation shall describe the disposition of identified vulnerabilities.

AVA_VLA.3.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.

AVA_VLA.3.4C The vulnerability analysis documentation shall justify that the TOE, with the identified vulnerabilities, is resistant to obvious penetration attacks.

AVA_VLA.3.5C The vulnerability analysis documentation shall show that the search for vulnerabilities is systematic.

The content and presentation elements for AVA_VLA.4 are replaced with:

AVA_VLA.4.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for ways in which a user can violate the TSP.

AVA_VLA.4.2C The vulnerability analysis documentation shall describe the disposition of identified vulnerabilities.

AVA_VLA.4.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.

AVA_VLA.4.4C The vulnerability analysis documentation shall justify that the TOE, with the identified vulnerabilities, is resistant to obvious penetration attacks. AVA_VLA.4.5C The vulnerability analysis documentation shall show that the search for vulnerabilities is systematic.

AVA_VLA.4.6C The vulnerability analysis documentation shall provide a justification that the analysis completely addresses the TOE deliverables.

The following changes are made to the CEM:

The reference to AVA_VLA.1.1C just below the section heading 6.9.2.4.1 is replaced with :

AVA_VLA.1.1C, AVA_VLA.1.2C and AVA_VLA.1.3C.

The reference to AVA_VLA.1.1C just below the section heading 7.10.3.4.1 is replaced with :

AVA_VLA.1.1C, AVA_VLA.1.2C and AVA_VLA.1.3C.

The reference to AVA_VLA.2.1C and AVA_VLA.2.2C just below the section heading 8.10.3.4.1 is replaced with :

AVA_VLA.2.1C, AVA_VLA.2.2C, AVA_VLA.2.3C and AVA_VLA.2.4C.

Rationale

N/A