commoncriteria / transforms

Repository for various transforms that are common across CC projects.
The Unlicense

SFR to objective mapping #14

Closed kgal closed 4 years ago

kgal commented 4 years ago

The current schema doesn't provide a place to include rationale for justifying SFR-to-objective mapping. The mapping itself is present, but there should also be a place to put rationale to satisfy the APE_OBJ.2 workunits (similar to the threat-objective mapping rationale that is already present).

kgal commented 4 years ago

This has never been required, so until NIAP specifically asks for it, we will not add it.

dmhale1 commented 4 years ago

This is required per the CC so we need it added.

dmhale1 commented 4 years ago

Hi Kevin - Could this be fixed within the next week or so? We are unable to post new PP-Modules without this section. Thanks. Dianne

kgal commented 4 years ago

I envision after each SO mapping (https://commoncriteria.github.io/pp/pp-template/ModuleTemplate-release.html#SecurityObjectivesTOE), there's going to be a section for Rationale, is that what you are thinking? Rationale per SO, but not per requirement? It won't take me long.

dmhale1 commented 4 years ago

See - https://www.niap-ccevs.org/Documents_and_Guidance/view_td.cfm?TD=0498

We need both.

dmhale1 commented 4 years ago

But the first one is already in the transforms

kgal commented 4 years ago

I think I have the table you want: https://commoncriteria.github.io/pp/pp-template/pp-template-release.html#SecurityObjectivesTOE It's not in the right place and I deleted another section (the Objective definitions) that I have to put back in, but as far as the table itself, how does the content look? I also have to stylize it a bit better too.

dmhale1 commented 4 years ago

Yes, that looks good.

kgal commented 4 years ago

Okay how does it look now? I moved it to 4.3 which already has the other table with assumptions/threats/OSPs.

dmhale1 commented 4 years ago

Looks good, but it has to be moved to Section 5 under the SFRs. The title needs to be "TOE Security Requirements Rationale" and the sentence that describes it should read "The following rationale provides justification for each security objective for the TOE, showing that the SFRs are suitable to meet and achieve the security objectives:" Thank you.

kgal commented 4 years ago

See if these look okay: https://commoncriteria.github.io/pp/pp-template/pp-template-release.html#obj_map https://commoncriteria.github.io/pp/pp-template/ModuleTemplate-release.html#obj-req-map

dmhale1 commented 4 years ago

I think the SFR rationale should go after all the SFRs are listed. And, for PP-Modules we may need to have this for each “Base-PP Direction” section since often there are different SFRs added for different Base-PPs. But, let me discuss with one of our Senior validators and get back to you on that.

kgal commented 4 years ago

For the pp-template, it's now after the SFRs. Waiting for guidance on modules.

dmhale1 commented 4 years ago

Ok, so I think it should be the next section 5.2 and move the SAR (current 5.2) to 5.3 in the pp-template. For the Module-Template, it should be moved after the current section 5.4. I think that will work.

kgal commented 4 years ago

One more time... I think I've got it.

dmhale1 commented 4 years ago

Looks good. Thank you.