The goal of a PP evaluation is to demonstrate that the PP is complete, consistent and technically sound. An evaluated PP is suitable for use as the basis for the development of STs. Such a PP is eligible for inclusion in a registry.
Figure 4.1 shows the families within this class.
Figure 4.1 - Protection Profile evaluation class decomposition
Objectives
The TOE description is an aid to the understanding of the TOE's security requirements. Evaluation of the TOE description is required to show that it is coherent, internally consistent and consistent with all other parts of the PP.
APE_DES.1 Protection Profile, TOE description, Evaluation requirements
Dependencies:
APE_ENV.1 Protection Profile, Security environment, Evaluation requirements
APE_INT.1 Protection Profile, PP introduction, Evaluation requirements
APE_OBJ.1 Protection Profile, Security objectives, Evaluation requirements
APE_REQ.1 Protection Profile, IT security requirements, Evaluation requirements
Developer action elements:
APE_DES.1.1D The PP developer shall provide a TOE description as part of the PP.
Content and presentation of evidence elements:
APE_DES.1.1C The TOE description shall as a minimum describe the product type and the general IT features of the TOE.
Evaluator action elements:
APE_DES.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
APE_DES.1.2E The evaluator shall confirm that the TOE description is coherent and internally consistent.
APE_DES.1.3E The evaluator shall confirm that the TOE description is consistent with the other parts of the PP.
Objectives
In order to determine whether the IT security requirements in the PP are sufficient, it is important that the security problem to be solved is clearly understood by all parties to the evaluation.
APE_ENV.1 Protection Profile, Security environment, Evaluation requirements
Dependencies:
No dependencies.
Developer action elements:
APE_ENV.1.1D The PP developer shall provide a statement of TOE security environment as part of the PP.
Content and presentation of evidence elements:
APE_ENV.1.1C The statement of TOE security environment shall identify and explain any assumptions about the intended usage of the TOE and the environment of use of the TOE.
APE_ENV.1.2C The statement of TOE security environment shall identify and explain any known or presumed threats to the assets against which protection will be required, either by the TOE or by its environment.
APE_ENV.1.3C The statement of TOE security environment shall identify and explain any organisational security policies with which the TOE must comply.
Evaluator action elements:
APE_ENV.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
APE_ENV.1.2E The evaluator shall confirm that the statement of TOE security environment is coherent and internally consistent.
Objectives
The PP introduction contains document management and overview information necessary to operate a PP registry. Evaluation of the PP introduction is required to demonstrate that the PP is correctly identified and that it is consistent with all other parts of the PP.
APE_INT.1 Protection Profile, PP introduction, Evaluation requirements
Dependencies:
APE_DES.1 Protection Profile, TOE description, Evaluation requirements
APE_ENV.1 Protection Profile, Security environment, Evaluation requirements
APE_OBJ.1 Protection Profile, Security objectives, Evaluation requirements
APE_REQ.1 Protection Profile, IT security requirements, Evaluation requirements
Developer action elements:
APE_INT.1.1D The PP developer shall provide a PP introduction as part of the PP.
Content and presentation of evidence elements:
APE_INT.1.1C The PP introduction shall contain a PP identification that provides the labelling and descriptive information necessary to identify, catalogue, register, and cross reference the PP.
APE_INT.1.2C The PP introduction shall contain a PP overview which summarises the PP in narrative form.
Evaluator action elements:
APE_INT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
APE_INT.1.2E The evaluator shall confirm that the PP introduction is coherent and internally consistent.
APE_INT.1.3E The evaluator shall confirm that the PP introduction is consistent with the other parts of the PP.
Objectives
The security objectives are a concise statement of the intended response to the security problem. Evaluation of the security objectives is required to demonstrate that the stated objectives adequately address the security problem. The security objectives are categorised as security objectives for the TOE and as security objectives for the environment. The security objectives for both the TOE and the environment must be shown to be traced back to the identified threats to be countered and/or policies and assumptions to be met by each.
APE_OBJ.1 Protection Profile, Security objectives, Evaluation requirements
Dependencies:
APE_ENV.1 Protection Profile, Security environment, Evaluation requirements
Developer action elements:
APE_OBJ.1.1D The PP developer shall provide a statement of security objectives as part of the PP.
APE_OBJ.1.2D The PP developer shall provide the security objectives rationale.
Content and presentation of evidence elements:
APE_OBJ.1.1C The statement of security objectives shall define the security objectives for the TOE and its environment.
APE_OBJ.1.2C The security objectives for the TOE shall be clearly stated and traced back to aspects of the identified threats to be countered by the TOE and/or organisational security policies to be met by the TOE.
APE_OBJ.1.3C The security objectives for the environment shall be clearly stated and traced back to aspects of identified threats not completely countered by the TOE and/or organisational security policies or assumptions not completely met by the TOE.
APE_OBJ.1.4C The security objectives rationale shall demonstrate that the stated security objectives are suitable to counter the identified threats to security.
APE_OBJ.1.5C The security objectives rationale shall demonstrate that the stated security objectives are suitable to cover all of the identified organisational security policies and assumptions.
Evaluator action elements:
APE_OBJ.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
APE_OBJ.1.2E The evaluator shall confirm that the statement of security objectives is complete, coherent, and internally consistent.
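An added example, not part of the original criteria text: a structural check of the trace that APE_OBJ.1.2C to APE_OBJ.1.5C call for. The T./P./A./O./OE. identifiers, the data layout and the sample PP content are assumptions constructed for illustration; a clean result shows coverage only, not that the rationale is suitable.

```python
# Added example: structural trace check for a PP's security objectives.
# All identifiers (T.*, P.*, A.*, O.*, OE.*) and the sample data are constructed.

def check_objectives(env, objectives):
    """Return sorted findings; an empty list means the trace is structurally complete."""
    threats, policies = set(env["threats"]), set(env["policies"])
    known = threats | policies | set(env["assumptions"])
    findings, covered = [], set()
    for name, obj in objectives.items():
        traces = set(obj["traces"])
        for ref in sorted(traces - known):
            findings.append(f"{name}: traces to undefined item {ref}")
        # APE_OBJ.1.2C: TOE objectives trace to threats and/or OSPs only.
        # APE_OBJ.1.3C: environment objectives may also trace to assumptions.
        allowed = (threats | policies) if obj["scope"] == "TOE" else known
        valid = traces & allowed
        if not valid:
            findings.append(f"{name}: no valid trace for a {obj['scope']} objective")
        covered |= valid
    # APE_OBJ.1.4C / 1.5C: every threat, OSP and assumption needs an objective.
    for item in sorted(known - covered):
        findings.append(f"{item}: not addressed by any objective")
    return sorted(findings)

SAMPLE_ENV = {
    "threats": ["T.UNAUTH_ACCESS", "T.AUDIT_TAMPER"],
    "policies": ["P.ACCOUNTABILITY"],
    "assumptions": ["A.PHYSICAL", "A.TRAINED_ADMIN"],
}
SAMPLE_OBJECTIVES = {
    "O.ACCESS_CONTROL": {"scope": "TOE", "traces": ["T.UNAUTH_ACCESS"]},
    # Misspelled threat id: the reference dangles and T.AUDIT_TAMPER stays uncovered.
    "O.AUDIT": {"scope": "TOE", "traces": ["P.ACCOUNTABILITY", "T.AUDIT_TAMPR"]},
    # A TOE objective traced only to an assumption does not satisfy APE_OBJ.1.2C.
    "O.ADMIN": {"scope": "TOE", "traces": ["A.TRAINED_ADMIN"]},
    "OE.PHYSICAL": {"scope": "ENV", "traces": ["A.PHYSICAL"]},
}

if __name__ == "__main__":
    for finding in check_objectives(SAMPLE_ENV, SAMPLE_OBJECTIVES):
        print(finding)
```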
Objectives
The IT security requirements chosen for a TOE and presented or cited in a PP need to be evaluated in order to confirm that they are internally consistent and lead to the development of a TOE that will meet its security objectives.
Not all of the security objectives expressed in a PP may be met by a compliant TOE, as some TOEs may depend on certain IT security requirements to be met by the IT environment. When this is the case, the environmental IT security requirements must be clearly stated and evaluated in context with the TOE requirements.
This family presents evaluation requirements that permit the evaluator to determine that a PP is suitable for use as a statement of requirements for an evaluatable TOE. The additional criteria necessary for the evaluation of explicitly stated requirements are covered in the APE_SRE family.
Application notes
The term "IT security requirements" refers to "TOE security requirements" and the optionally included "security requirements for the IT environment".
The term "TOE security requirements" refers to "TOE security functional requirements" and/or "TOE security assurance requirements".
In the APE_REQ.1 component, the word "appropriate" is used to indicate that certain elements allow options in certain cases. Which options are applicable depends on the given context in the PP. Detailed information for all these aspects is contained in Part 1, annex B.
APE_REQ.1 Protection Profile, IT security requirements, Evaluation requirements
Dependencies:
APE_OBJ.1 Protection Profile, Security objectives, Evaluation requirements
Developer action elements:
APE_REQ.1.1D The PP developer shall provide a statement of IT security requirements as part of the PP.
APE_REQ.1.2D The PP developer shall provide the security requirements rationale.
Content and presentation of evidence elements:
APE_REQ.1.1C The statement of TOE security functional requirements shall identify the TOE security functional requirements drawn from CC Part 2 functional requirements components.
APE_REQ.1.2C The statement of TOE security assurance requirements shall identify the TOE security assurance requirements drawn from CC Part 3 assurance requirements components.
APE_REQ.1.3C The statement of TOE security assurance requirements should include a CC Evaluation Assurance Level (EAL) as defined in CC Part 3.
APE_REQ.1.4C The evidence shall justify that the statement of TOE security assurance requirements is appropriate.
APE_REQ.1.5C The PP shall, if appropriate, identify any security requirements for the IT environment.
APE_REQ.1.6C All completed operations on IT security requirements included in the PP shall be identified.
APE_REQ.1.7C Any uncompleted operations on IT security requirements included in the PP shall be identified.
APE_REQ.1.8C Dependencies among the IT security requirements included in the PP should be satisfied.
APE_REQ.1.9C The evidence shall justify why any non-satisfaction of dependencies is appropriate.
APE_REQ.1.10C The PP shall include a statement of the minimum strength of function level for the TOE security functional requirements, either SOF-basic, SOF-medium or SOF-high, as appropriate.
APE_REQ.1.11C The PP shall identify any specific TOE security functional requirements for which an explicit strength of function is appropriate, together with the specific metric.
APE_REQ.1.12C The security requirements rationale shall demonstrate that the minimum strength of function level for the PP, together with any explicit strength of function claim, is consistent with the security objectives for the TOE.
APE_REQ.1.13C The security requirements rationale shall demonstrate that the IT security requirements are suitable to meet the security objectives.
APE_REQ.1.14C The security requirements rationale shall demonstrate that the set of IT security requirements together forms a mutually supportive and internally consistent whole.
Evaluator action elements:
APE_REQ.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
APE_REQ.1.2E The evaluator shall confirm that the statement of IT security requirements is complete, coherent, and internally consistent.
Objectives
If, after careful consideration, none of the requirements components in CC Part 2 or CC Part 3 are readily applicable to all or parts of the IT security requirements, the PP author may state other requirements which do not reference the CC. The use of such requirements shall be justified.
This family presents evaluation requirements that permit the evaluator to determine that the explicitly stated requirements are clearly and unambiguously expressed. The evaluation of requirements taken from the CC in conjunction with valid explicitly stated security requirements is addressed by the APE_REQ family.
Explicitly stated IT security requirements for a TOE presented or cited in a PP need to be evaluated in order to demonstrate that they are clearly and unambiguously expressed.
Application notes
Formulation of the explicitly stated requirements in a structure comparable to those of existing CC components and elements involves choosing similar labelling, manner of expression, and level of detail.
Using the CC requirements as a model means that the requirements can be clearly identified, that they are self-contained, and that the application of each requirement is feasible and will yield a meaningful evaluation result based on a compliance statement of the TOE for that particular requirement.
The term "IT security requirements" refers to "TOE security requirements" and the optionally included "security requirements for the IT environment".
The term "TOE security requirements" refers to "TOE security functional requirements" and/or "TOE security assurance requirements".
APE_SRE.1 Protection Profile, Explicitly stated IT security requirements, Evaluation requirements
Dependencies:
APE_REQ.1 Protection Profile, IT security requirements, Evaluation requirements
Developer action elements:
APE_SRE.1.1D The PP developer shall provide a statement of IT security requirements as part of the PP.
APE_SRE.1.2D The PP developer shall provide the security requirements rationale.
Content and presentation of evidence elements:
APE_SRE.1.1C All TOE security requirements that are explicitly stated without reference to the CC shall be identified.
APE_SRE.1.2C All security requirements for the IT environment that are explicitly stated without reference to the CC shall be identified.
APE_SRE.1.3C The evidence shall justify why the security requirements had to be explicitly stated.
APE_SRE.1.4C The explicitly stated IT security requirements shall use the CC requirements components, families and classes as a model for presentation.
APE_SRE.1.5C The explicitly stated IT security requirements shall be measurable and state objective evaluation requirements such that compliance or noncompliance of a TOE can be determined and systematically demonstrated.
APE_SRE.1.6C The explicitly stated IT security requirements shall be clearly and unambiguously expressed.
APE_SRE.1.7C The security requirements rationale shall demonstrate that the assurance requirements are applicable and appropriate to support any explicitly stated TOE security functional requirements.
Evaluator action elements:
APE_SRE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
APE_SRE.1.2E The evaluator shall determine that all of the dependencies of the explicitly stated IT security requirements have been identified.