Provide the location of the issue
Individual SFRs as listed below
What is the correction request for the cPP? Please describe.
APE_REQ.2-8 requires correct formatting of refinements. At the same time, CC:2022 changed the wording of some Part 2 SFRs such that the current SFR wording is not accurate. In these cases, either the SFR wording should be corrected or refinements should be used to indicate the difference from CC Part 2 (the former is generally recommended). The following updates are needed:
o FAU_GEN.1.1 – The SFR says “The TSF shall be able to generate an audit record” – CC Part 2 says “The TSF shall be able to generate audit data”
o FAU_GEN.1.2 – The SFR says “The TSF shall record within each audit record” – CC Part 2 says “The TSF shall record within the audit data”
o FAU_GEN.1.2 part a – The SFR says “Date and time of the event” – CC Part 2 says “Date and time of the audit event”
o FAU_GEN.1.2 part b – The SFR says “For each audit event type, For each audit event type, based on the auditable event definitions of the functional components included in the cPP/ST” – CC Part 2 says “For each auditable event type, based on the auditable event definitions of the functional components included in the PP, PP-Module, functional package or ST”
o FCS_COP.1.1/Hash – It would be cleaner to write this with “cryptographic key” refined to “message digest” and then have the selection replace the assignment rather than striking out the entire assignment which is what is currently done.
o FTA_SSL.4.1 – it is sufficient to substitute “Administrator” in for “user” and not have “Administrator” struck out. Generally it’s sufficient for the ‘removal’ refinement to be used only when there is no alternate text to replace it (though there isn’t a hard and fast requirement either way, minimizing the use of strikethrough is preferred for easier navigation of the document)
o FTA_TAB.1.1 – CC Part 2 rewrote this entire requirement and it is recommended to switch to the Part 2 wording as a base and then refine as needed. Note in particular that it added both a selection and an assignment which were not present in the CC 3.1 version of it.
o FTP_TRP.1.3/Admin – the SFR says “initial Administrator authentication” – CC Part 2 says “initial user authentication.” It’s fine to keep this as-is but Administrator should be bolded.
o FTP_TRP.1.1/Join – the SFR says “modification and [selection: disclosure, no other mechanisms” but CC Part 2 doesn’t have ‘and’ in it. This is a grammatical refinement but it would be preferred to bold it (since it deviates from the SFR) or simply remove it (to partially complete the selection verbatim).
Describe the solution you'd like
Requested updates listed above
Describe alternatives you've considered
N/A
Additional context
NIAP requested review of PP/SD against CC:2022 and for us to provide guidance and recommendations on changes that will be needed for compatibility with the updated version of the CC.
Provide the location of the issue Individual SFRs as listed below
What is the correction request for the cPP? Please describe. APE_REQ.2-8 requires correct formatting of refinements. At the same time, CC:2022 changed the wording of some Part 2 SFRs such that the current SFR wording is not accurate. In these cases, either the SFR wording should be corrected or refinements should be used to indicate the difference from CC Part 2 (the former is generally recommended). The following updates are needed: o FAU_GEN.1.1 – The SFR says “The TSF shall be able to generate an audit record” – CC Part 2 says “The TSF shall be able to generate audit data” o FAU_GEN.1.2 – The SFR says “The TSF shall record within each audit record” – CC Part 2 says “The TSF shall record within the audit data” o FAU_GEN.1.2 part a – The SFR says “Date and time of the event” – CC Part 2 says “Date and time of the audit event” o FAU_GEN.1.2 part b – The SFR says “For each audit event type, For each audit event type, based on the auditable event definitions of the functional components included in the cPP/ST” – CC Part 2 says “For each auditable event type, based on the auditable event definitions of the functional components included in the PP, PP-Module, functional package or ST” o FCS_COP.1.1/Hash – It would be cleaner to write this with “cryptographic key” refined to “message digest” and then have the selection replace the assignment rather than striking out the entire assignment which is what is currently done. o FTA_SSL.4.1 – it is sufficient to substitute “Administrator” in for “user” and not have “Administrator” struck out. Generally it’s sufficient for the ‘removal’ refinement to be used only when there is no alternate text to replace it (though there isn’t a hard and fast requirement either way, minimizing the use of strikethrough is preferred for easier navigation of the document) o FTA_TAB.1.1 – CC Part 2 rewrote this entire requirement and it is recommended to switch to the Part 2 wording as a base and then refine as needed. Note in particular that it added both a selection and an assignment which were not present in the CC 3.1 version of it. o FTP_TRP.1.3/Admin – the SFR says “initial Administrator authentication” – CC Part 2 says “initial user authentication.” It’s fine to keep this as-is but Administrator should be bolded. o FTP_TRP.1.1/Join – the SFR says “modification and [selection: disclosure, no other mechanisms” but CC Part 2 doesn’t have ‘and’ in it. This is a grammatical refinement but it would be preferred to bold it (since it deviates from the SFR) or simply remove it (to partially complete the selection verbatim).
Describe the solution you'd like Requested updates listed above
Describe alternatives you've considered N/A
Additional context NIAP requested review of PP/SD against CC:2022 and for us to provide guidance and recommendations on changes that will be needed for compatibility with the updated version of the CC.