
Protection Profile for Application Software
The Unlicense

Sort out where crypto reqs should be, for apps which provide their own DAR #10

Closed jeffblank closed 10 years ago

jeffblank commented 10 years ago

Need to take action per DISA FSO comment: FMT_MEC_EXT.1.2: Strike this requirement or provide additional explanation of its objectives in an application note. This requirement seems to preclude apps that provide FIPS-validated data storage containers when the OS does not provide FIPS-validated cryptographic modules for data-at-rest. Such apps may be among the most important to have NIAP-evaluated. FPT_API_EXT.1 includes the phrase "unless providing cryptographic services is the purpose of the application" but a similar exception is lacking here.

Note: We need to sync with FE PP developers on this, in case this will be covered in other PP.

jeffblank commented 10 years ago

Other commenters also raised this issue. Need to get with Cara.

kgal commented 10 years ago

What about apps that make SSL keys and the like?

bourdett commented 10 years ago

Got with Cara and I think we have all the crypto requirements included now.