CC:2022 says: "A security requirements rationale that directly maps the SFRs and any security objectives for the
operational environment to the SPD-elements is included. It is recommended that this part of the
security requirements rationale is located directly under each of the threats, OSPs and
assumptions in the SPD section. As in STs that contain security objectives for the TOE, the security
requirements rationale also needs to justify the absence of superfluous SFRs and any SFR
dependencies that are not satisfied; this part of the rationale is typically located after the
definition of the SFRs."
So mappings to SFRs and such should all be expressed in the SPD section amongst the Threats, Assumptions, etc.
The Security Requirements Rationale will be reserved for explaining the "absence of superfluous SFRs and any SFR
dependencies that are not satisfied." And the Implicitly Satisfied Requirements appendix can go away.