Date: | 07/31/2001 |
Subject: | Confusion over refinement |
CC Part #1 Reference: | CC Part 1, Annex B.2.6 CC Part 1, Annex C.2.6 |
CC Part #2 Reference: | |
CC Part #3 Reference: | |
CEM Reference: |
With respect to requirements already identified as applying to the IT environment, is changing "The TSF shall" to "The IT environment shall" a refinement or an extension?
With respect to requirements already identified as applying to the IT environment, changing "The TSF shall" to "The IT environment shall" is a refinement.
RationaleCC Part 1, subclause B.2.6 paragraph 199b) is changed to:
The optional statement of security requirements for the IT environment shall identify the IT security requirements that are to be met by the IT environment of the TOE. The requirements in this part of the PP may be drawn from CC Part 2 and Part 3 and, if so, should be rephrased to clearly indicate that the IT environment, not the TOE, must meet the requirement. Such rephrasing is a special case of refinement and not subject to the assessment requirements associated with modified CC components. If the TOE has no asserted dependencies on the IT environment, this part of the PP may be omitted.CC Part 1, subclause C.2.6 paragraph 215b) is changed to:The optional statement of security requirements for the IT environment shall identify the IT security requirements that are to be met by the IT environment of the TOE. The requirements in this part of the ST may be drawn from CC Part 2 and Part 3 and if so should be rephrased to clearly indicate that the IT environment, not the TOE, must meet the requirement. Such rephrasing is a special case of refinement and not subject to the assessment requirements associated with modified CC components. If the TOE has no asserted dependencies on the IT environment, this part of the ST may be omitted.CC Part 2, paragraph 1 is changed to:
Security functional components, as defined in this CC Part 2, are the basis for the security functional requirements expressed in a Protection Profile (PP) or a Security Target (ST). These requirements describe the desired security behaviour expected of a Target of Evaluation (TOE) or the IT environment of the TOE and are intended to meet the security objectives as stated in a PP or an ST. These requirements describe security properties that users can detect by direct interaction (i.e. inputs, outputs) with the IT or by the IT response to stimulus.
null