5 Class ASE: Security Target evaluation

The goal of an ST evaluation is to demonstrate that the ST is complete, consistent, technically sound, and hence suitable for use as the basis for the corresponding TOE evaluation.

Figure 5.1 shows the families within this class.


Figure 5.1 - Security Target evaluation class decomposition

5.1 TOE description (ASE_DES)

Objectives

The TOE description is an aid to the understanding of the TOE's security requirements. Evaluation of the TOE description is required to show that it is coherent, internally consistent and consistent with all other parts of the ST.

ASE_DES.1   Security Target, TOE description, Evaluation requirements

Dependencies: 

ASE_ENV.1 Security Target, Security environment, Evaluation requirements
ASE_INT.1 Security Target, ST introduction, Evaluation requirements
ASE_OBJ.1 Security Target, Security objectives, Evaluation requirements
ASE_PPC.1 Security Target, PP claims, Evaluation requirements
ASE_REQ.1 Security Target, IT security requirements, Evaluation requirements
ASE_TSS.1 Security Target, TOE summary specification, Evaluation requirements

Developer action elements:

ASE_DES.1.1D  The developer shall provide a TOE description as part of the ST.

Content and presentation of evidence elements:

ASE_DES.1.1C  The TOE description shall as a minimum describe the product or system type, and the scope and boundaries of the TOE in general terms both in a physical and a logical way.

Evaluator action elements:

ASE_DES.1.1E  The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ASE_DES.1.2E  The evaluator shall confirm that the TOE description is coherent and internally consistent.

ASE_DES.1.3E  The evaluator shall confirm that the TOE description is consistent with the other parts of the ST.

5.2 Security environment (ASE_ENV)

Objectives

In order to determine whether the IT security requirements in the ST are sufficient, it is important that the security problem to be solved is clearly understood by all parties to the evaluation.

ASE_ENV.1   Security Target, Security environment, Evaluation requirements

Dependencies:

No dependencies.

Developer action elements:

ASE_ENV.1.1D  The developer shall provide a statement of TOE security environment as part of the ST.

Content and presentation of evidence elements:

ASE_ENV.1.1C  The statement of TOE security environment shall identify and explain any assumptions about the intended usage of the TOE and the environment of use of the TOE.

ASE_ENV.1.2C  The statement of TOE security environment shall identify and explain any known or presumed threats to the assets against which protection will be required, either by the TOE or by its environment.

ASE_ENV.1.3C  The statement of TOE security environment shall identify and explain any organisational security policies with which the TOE must comply.

Evaluator action elements:

ASE_ENV.1.1E  The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ASE_ENV.1.2E  The evaluator shall confirm that the statement of TOE security environment is coherent and internally consistent.

5.3 ST introduction (ASE_INT)

Objectives

The ST introduction contains identification and indexing material. Evaluation of the ST introduction is required to demonstrate that the ST is correctly identified and that it is consistent with all other parts of the ST.

ASE_INT.1   Security Target, ST introduction, Evaluation requirements

Dependencies:

ASE_DES.1 Security Target, TOE description, Evaluation requirements
ASE_ENV.1 Security Target, Security environment, Evaluation requirements
ASE_OBJ.1 Security Target, Security objectives, Evaluation requirements
ASE_PPC.1 Security Target, PP claims, Evaluation requirements
ASE_REQ.1 Security Target, IT security requirements, Evaluation requirements
ASE_TSS.1 Security Target, TOE summary specification, Evaluation requirements

Developer action elements:

ASE_INT.1.1D  The developer shall provide an ST introduction as part of the ST.

Content and presentation of evidence elements:

ASE_INT.1.1C  The ST introduction shall contain an ST identification that provides the labelling and descriptive information necessary to control and identify the ST and the TOE to which it refers.

ASE_INT.1.2C  The ST introduction shall contain an ST overview which summarises the ST in narrative form.

ASE_INT.1.3C  The ST introduction shall contain a CC conformance claim that states any evaluatable claim of CC conformance for the TOE.

Evaluator action elements:

ASE_INT.1.1E  The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ASE_INT.1.2E  The evaluator shall confirm that the ST introduction is coherent and internally consistent.

ASE_INT.1.3E  The evaluator shall confirm that the ST introduction is consistent with the other parts of the ST.

5.4 Security objectives (ASE_OBJ)

Objectives

The security objectives are a concise statement of the intended response to the security problem. Evaluation of the security objectives is required to demonstrate that the stated objectives adequately address the security problem. The security objectives are categorised as security objectives for the TOE and as security objectives for the environment. The security objectives for both the TOE and the environment must be shown to be traced back to the identified threats to be countered and/or policies and assumptions to be met by each.

ASE_OBJ.1   Security Target, Security objectives, Evaluation requirements

Dependencies:

ASE_ENV.1 Security Target, Security environment, Evaluation requirements

Developer action elements:

ASE_OBJ.1.1D  The developer shall provide a statement of security objectives as part of the ST.

ASE_OBJ.1.2D  The developer shall provide the security objectives rationale.

Content and presentation of evidence elements:

ASE_OBJ.1.1C  The statement of security objectives shall define the security objectives for the TOE and its environment.

ASE_OBJ.1.2C  The security objectives for the TOE shall be clearly stated and traced back to aspects of the identified threats to be countered by the TOE and/or organisational security policies to be met by the TOE.

ASE_OBJ.1.3C  The security objectives for the environment shall be clearly stated and traced back to aspects of identified threats not completely countered by the TOE and/or organisational security policies or assumptions not completely met by the TOE.

ASE_OBJ.1.4C  The security objectives rationale shall demonstrate that the stated security objectives are suitable to counter the identified threats to security.

ASE_OBJ.1.5C  The security objectives rationale shall demonstrate that the stated security objectives are suitable to cover all of the identified organisational security policies and assumptions.

Evaluator action elements:

ASE_OBJ.1.1E  The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ASE_OBJ.1.2E  The evaluator shall confirm that the statement of security objectives is complete, coherent, and internally consistent.

5.5 PP claims (ASE_PPC)

Objectives

The goal of the evaluation of the Security Target PP claims is to determine whether the ST is a correct instantiation of the PP.

Application notes

The family applies only in the case of a PP claim. In all other cases, no developer action and no evaluator action is necessary.

Although additional evaluation activity is necessary when a PP claim is made, the ST evaluation effort is generally smaller than in cases where no PP is used because it is possible to reuse the PP evaluation results for the ST evaluation.

ASE_PPC.1   Security Target, PP claims, Evaluation requirements

Dependencies:

ASE_OBJ.1 Security Target, Security objectives, Evaluation requirements
ASE_REQ.1 Security Target, IT security requirements, Evaluation requirements

Developer action elements:

ASE_PPC.1.1D  The developer shall provide any PP claims as part of the ST.

ASE_PPC.1.2D  The developer shall provide the PP claims rationale for each provided PP claim.

Content and presentation of evidence elements:

ASE_PPC.1.1C  Each PP claim shall identify the PP for which compliance is being claimed, including qualifications needed for that claim.

ASE_PPC.1.2C  Each PP claim shall identify the IT security requirements statements that satisfy the permitted operations of the PP or otherwise further qualify the PP requirements.

ASE_PPC.1.3C  Each PP claim shall identify security objectives and IT security requirements statements contained in the ST that are in addition to those contained in the PP.

Evaluator action elements:

ASE_PPC.1.1E  The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ASE_PPC.1.2E  The evaluator shall confirm that the PP claims are a correct instantiation of the PP.

5.6 IT security requirements (ASE_REQ)

Objectives

The IT security requirements chosen for a TOE and presented or cited in an ST need to be evaluated in order to confirm that they are internally consistent and lead to the development of a TOE that will meet its security objectives.

This family presents evaluation requirements that permit the evaluator to determine that an ST is suitable for use as a statement of requirements for the corresponding TOE. The additional criteria necessary for the evaluation of explicitly stated requirements are covered in the ASE_SRE family.

Application notes

The term "IT security requirements" refers to "TOE security requirements" and the optionally included "security requirements for the IT environment".

The term "TOE security requirements" refers to "TOE security functional requirements" and/or "TOE security assurance requirements".

In the ASE_REQ.1 component, the word "appropriate" is used to indicate that certain elements allow options in certain cases. Which options are applicable depends on the given context in the ST. Detailed information for all these aspects is contained in Part 1, annex C.

ASE_REQ.1   Security Target, IT security requirements, Evaluation requirements

Dependencies: 

ASE_OBJ.1 Security Target, Security objectives, Evaluation requirements

Developer action elements:

ASE_REQ.1.1D  The developer shall provide a statement of IT security requirements as part of the ST.

ASE_REQ.1.2D  The developer shall provide the security requirements rationale.

Content and presentation of evidence elements:

ASE_REQ.1.1C  The statement of TOE security functional requirements shall identify the TOE security functional requirements drawn from CC Part 2 functional requirements components.

ASE_REQ.1.2C  The statement of TOE security assurance requirements shall identify the TOE security assurance requirements drawn from CC Part 3 assurance requirements components.

ASE_REQ.1.3C  The statement of TOE security assurance requirements should include a CC Evaluation Assurance Level (EAL) as defined in CC Part 3.

ASE_REQ.1.4C  The evidence shall justify that the statement of TOE security assurance requirements is appropriate.

ASE_REQ.1.5C  The ST shall, if appropriate, identify any security requirements for the IT environment.

ASE_REQ.1.6C  Operations on IT security requirements included in the ST shall be identified and performed.

ASE_REQ.1.7C  Dependencies among the IT security requirements included in the ST should be satisfied.

ASE_REQ.1.8C  The evidence shall justify why any non-satisfaction of dependencies is appropriate.

ASE_REQ.1.9C  The ST shall include a statement of the minimum strength of function level for the TOE security functional requirements, either SOF-basic, SOF-medium or SOF-high, as appropriate.

ASE_REQ.1.10C  The ST shall identify any specific TOE security functional requirements for which an explicit strength of function is appropriate, together with the specific metric.

ASE_REQ.1.11C  The security requirements rationale shall demonstrate that the minimum strength of function level for the ST together with any explicit strength of function claim is consistent with the security objectives for the TOE.

ASE_REQ.1.12C  The security requirements rationale shall demonstrate that the IT security requirements are suitable to meet the security objectives.

ASE_REQ.1.13C  The security requirements rationale shall demonstrate that the set of IT security requirements together forms a mutually supportive and internally consistent whole.

Evaluator action elements:

ASE_REQ.1.1E  The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ASE_REQ.1.2E  The evaluator shall confirm that the statement of IT security requirements is complete, coherent, and internally consistent.

5.7 Explicitly stated IT security requirements (ASE_SRE)

Objectives

If, after careful consideration, none of the requirements components in CC Part 2 or CC Part 3 are readily applicable to all or parts of the IT security requirements, the ST author may state other requirements which do not reference the CC. The use of such requirements shall be justified.

This family presents evaluation requirements that permit the evaluator to determine that the explicitly stated requirements are clearly and unambiguously expressed. The evaluation of requirements taken from the CC in conjunction with valid explicitly stated security requirements is addressed by the ASE_REQ family.

Explicitly stated IT security requirements for a TOE presented or cited in an ST need to be evaluated in order to demonstrate that they are clearly and unambiguously expressed.

Application notes

Formulation of the explicitly stated requirements in a structure comparable to those of existing CC components and elements involves choosing similar labelling, manner of expression, and level of detail.

Using the CC requirements as a model means that the requirements can be clearly identified, that they are self-contained, and that the application of each requirement is feasible and will yield a meaningful evaluation result based on a compliance statement of the TOE for that particular requirement.

The term "IT security requirements" refers to "TOE security requirements" and the optionally included "security requirements for the IT environment".

The term "TOE security requirements" refers to "TOE security functional requirements" and/or "TOE security assurance requirements".

ASE_SRE.1   Security Target, Explicitly stated IT security requirements, Evaluation requirements

Dependencies: 

ASE_REQ.1 Security Target, IT security requirements, Evaluation requirements

Developer action elements:

ASE_SRE.1.1D  The developer shall provide a statement of IT security requirements as part of the ST.

ASE_SRE.1.2D  The developer shall provide the security requirements rationale.

Content and presentation of evidence elements:

ASE_SRE.1.1C  All TOE security requirements that are explicitly stated without reference to the CC shall be identified.

ASE_SRE.1.2C  All security requirements for the IT environment that are explicitly stated without reference to the CC shall be identified.

ASE_SRE.1.3C  The evidence shall justify why the security requirements had to be explicitly stated.

ASE_SRE.1.4C  The explicitly stated IT security requirements shall use the CC requirements components, families and classes as a model for presentation.

ASE_SRE.1.5C  The explicitly stated IT security requirements shall be measurable and state objective evaluation requirements such that compliance or noncompliance of a TOE can be determined and systematically demonstrated.

ASE_SRE.1.6C  The explicitly stated IT security requirements shall be clearly and unambiguously expressed.

ASE_SRE.1.7C  The security requirements rationale shall demonstrate that the assurance requirements are applicable and appropriate to support any explicitly stated TOE security functional requirements.

Evaluator action elements:

ASE_SRE.1.1E  The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ASE_SRE.1.2E  The evaluator shall determine that all of the dependencies of the explicitly stated IT security requirements have been identified.

5.8 TOE summary specification (ASE_TSS)

Objectives

The TOE summary specification provides a high-level definition of the security functions claimed to meet the functional requirements and of the assurance measures taken to meet the assurance requirements.

Application notes

The relationship between the IT security functions and the TOE security functional requirements can be a "many to many" relationship. Nevertheless, every security function shall contribute to the satisfaction of at least one security requirement in order to be able to clearly define the TSF. Security functions that do not fulfil this requirement should normally not be necessary. Note, however, that the requirement that a security function contributes to the satisfaction of at least one security requirement is worded in a quite general manner, so that all the security functions found to be useful for the TOE should be justifiable.

The statement of assurance measures is of specific relevance in all those cases where assurance requirements not taken from the CC are included in the ST. If the TOE security assurance requirements in the ST are exclusively based on CC evaluation assurance levels or other CC assurance components, then the assurance measures could be presented in the form of a reference to the documents that show that the assurance requirements are met.

In the ASE_TSS.1 component, the word "appropriate" is used to indicate that certain elements allow options in certain cases. Which options are applicable depends on the given context in the ST. Detailed information for all these aspects is contained in Part 1, annex C.

ASE_TSS.1   Security Target, TOE summary specification, Evaluation requirements

Dependencies:

ASE_REQ.1 Security Target, IT security requirements, Evaluation requirements

Developer action elements:

ASE_TSS.1.1D  The developer shall provide a TOE summary specification as part of the ST.

ASE_TSS.1.2D  The developer shall provide the TOE summary specification rationale.

Content and presentation of evidence elements:

ASE_TSS.1.1C  The TOE summary specification shall describe the IT security functions and the assurance measures of the TOE.

ASE_TSS.1.2C  The TOE summary specification shall trace the IT security functions to the TOE security functional requirements such that it can be seen which IT security functions satisfy which TOE security functional requirements and that every IT security function contributes to the satisfaction of at least one TOE security functional requirement.

ASE_TSS.1.3C  The IT security functions shall be defined in an informal style to a level of detail necessary for understanding their intent.

ASE_TSS.1.4C  All references to security mechanisms included in the ST shall be traced to the relevant security functions so that it can be seen which security mechanisms are used in the implementation of each function.

ASE_TSS.1.5C  The TOE summary specification rationale shall demonstrate that the IT security functions are suitable to meet the TOE security functional requirements.

ASE_TSS.1.6C  The TOE summary specification rationale shall demonstrate that the combination of the specified IT security functions work together so as to satisfy the TOE security functional requirements.

ASE_TSS.1.7C  The TOE summary specification shall trace the assurance measures to the assurance requirements so that it can be seen which measures contribute to the satisfaction of which requirements.

ASE_TSS.1.8C  The TOE summary specification rationale shall demonstrate that the assurance measures meet all assurance requirements of the TOE.

ASE_TSS.1.9C  The TOE summary specification shall identify all IT security functions that are realised by a probabilistic or permutational mechanism, as appropriate.

ASE_TSS.1.10C  The TOE summary specification shall, for each IT security function for which it is appropriate, state the strength of function claim either as a specific metric, or as SOF-basic, SOF-medium or SOF-high.

Evaluator action elements:

ASE_TSS.1.1E  The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ASE_TSS.1.2E  The evaluator shall confirm that the TOE summary specification is complete, coherent, and internally consistent.
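
The tracing demanded by ASE_OBJ.1.2C to ASE_OBJ.1.5C and by ASE_TSS.1.2C can be checked mechanically once the ST's tracing tables are machine-readable. The following is an added example, not part of the CC text: the data model and every T./P./A./O./OE./SF. name are constructed for illustration, and an empty result shows only that the tracing is complete, not that the rationale is sound.

```python
# Added example: tracing checks over a constructed Security Target model.
# Every T./P./A./O./OE./SF. name below is invented sample data.

TOE_KINDS = {"threat", "policy"}                # ASE_OBJ.1.2C: threats and/or OSPs
ENV_KINDS = {"threat", "policy", "assumption"}  # ASE_OBJ.1.3C: also assumptions


def check_objectives(environment, objectives):
    """environment: item -> kind; objectives: name -> (scope, traced items).
    Returns a list of (element, subject, problem) findings."""
    findings, covered = [], set()
    for name, (scope, traces) in sorted(objectives.items()):
        allowed = TOE_KINDS if scope == "toe" else ENV_KINDS
        element = "ASE_OBJ.1.2C" if scope == "toe" else "ASE_OBJ.1.3C"
        valid = {t for t in traces if environment.get(t) in allowed}
        for t in sorted(traces - valid):
            kind = environment.get(t, "unknown item")
            findings.append((element, name, f"trace to {t} rejected ({kind})"))
        if not traces:
            findings.append((element, name, "traces back to nothing"))
        covered |= valid
    # Every threat, OSP and assumption must be picked up by some objective.
    for item in sorted(environment.keys() - covered):
        element = "ASE_OBJ.1.4C" if environment[item] == "threat" else "ASE_OBJ.1.5C"
        findings.append((element, item, "not addressed by any objective"))
    return findings


def check_tss(sfrs, functions):
    """sfrs: SFRs stated in the ST; functions: security function -> SFRs.
    The mapping may be many-to-many, as the application notes allow."""
    findings, satisfied = [], set()
    for name, claimed in sorted(functions.items()):
        for sfr in sorted(claimed - sfrs):
            findings.append(("ASE_TSS.1.2C", name, f"{sfr} is not in the ST"))
        if not claimed & sfrs:
            findings.append(("ASE_TSS.1.2C", name, "contributes to no SFR"))
        satisfied |= claimed & sfrs
    # An SFR with no function leaves the ASE_TSS.1.5C rationale without a basis.
    for sfr in sorted(sfrs - satisfied):
        findings.append(("ASE_TSS.1.5C", sfr, "no security function satisfies it"))
    return findings


ENVIRONMENT = {"T.UNAUTH_ACCESS": "threat", "T.AUDIT_LOSS": "threat",
               "P.ACCOUNTABILITY": "policy", "A.PHYSICAL": "assumption"}
OBJECTIVES = {
    "O.AUTH": ("toe", {"T.UNAUTH_ACCESS"}),
    "O.AUDIT": ("toe", {"P.ACCOUNTABILITY"}),
    "O.TAMPER": ("toe", {"A.PHYSICAL"}),      # TOE objective resting on an assumption
    "OE.PHYSICAL": ("env", {"A.PHYSICAL"}),
    "OE.ADMIN": ("env", set()),               # objective with no trace at all
}
SFRS = {"FIA_UID.1", "FIA_UAU.1", "FAU_GEN.1"}
FUNCTIONS = {"SF.LOGIN": {"FIA_UID.1", "FIA_UAU.1"}, "SF.BANNER": set()}

if __name__ == "__main__":
    for finding in check_objectives(ENVIRONMENT, OBJECTIVES) + check_tss(SFRS, FUNCTIONS):
        print("%-13s %-13s %s" % finding)
```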