Final Interpretation for RI # 202 - Selecting One or More items in a selection operation and using "None" in an assignment

Date: 8/26/2003
Subject: Selecting One or More items in a selection operation and using "None" in an assignment
CC Part #1 Reference: CC Part 1, Section 4.4.1
CC Part #2 Reference: CC Part 2, FAU_GEN
CC Part 2, FAU_STG
CC Part 2, FMT_MSA
CC Part 2, FPR_PSE
CC Part 2, Annex C.2 (FAU_GEN)
CC Part 2, Annex C.6 (FAU_STG)
CC Part 2, Annex H.2 (FMT_MSA)
CC Part 2, Annex I.2 (FPR_PSE)
CC Part #3 Reference: 
CEM Reference: 

Issue:

It is unclear if, in a selection operation, selection of multiple items is permissible.

It should be clear that more than one selection from a selection list may be made, unless it is expressly prohibited. It should also be clarified in those selection lists where selecting multiple options would introduce an internal contradiction.

It was unclear when "None" would be a valid completion in an assignment.



Interpretation

The Part 2 Annexes provide the guidance on the valid completion of selections and assignments. This guidance provides normative instructions on how to complete operations, and those instructions shall be followed unless the PP/ST author justify the deviation.

The lists provided for the completion of selections must be non-empty. If a "None" option is chosen, no additional selection options may be chosen. If "None" is not given as an option in a selection, it is permissible to combine the choices in a selection with "and"s and "or"s, unless the selection explicitly states "choose one of".

Selection operations may be combined by iteration where needed. In this case, the applicability of the option chosen for each iteration should not overlap the subject of the other iterated selection, since they are intended to be exclusive.



Specific Changes

The following change is made to CC v2.1, Part 1.

Insert the following paragraphs before paragraph 149:

The Part 2 Annexes provide the guidance on the valid completion of selections and assignments. This guidance provides normative instructions on how to complete operations, and those instructions shall be followed unless the PP/ST author justify the deviation.

The lists provided for the completion of selections must be non-empty. If a "None" option is chosen, no additional selection options may be chosen. If "None" is not given as an option in a selection, it is permissible to combine the choices in a selection with "and"s and "or"s, unless the selection explicitly states "choose one of".

Selection operations may be combined by iteration where needed. In this case, the applicability of the option chosen for each iteration should not overlap the subject of the other iterated selection, since they are intended to be exclusive.

The following changes are made to CC v2.1, Part 2..

Annexes B through M : all the brackets of the titles are deleted.

Paragraph 10 of CC part 2, section 1.2 is changed as follows:

Annexes B through M provide the application notes for the functional classes. This material must be seen as normative instructions on how to apply relevant operations and select appropriate audit or documentation information; the use of the auxiliary verb should means that the instruction is strongly preferred, but others may be justifiable. Where different options are given, the choice is left to the PP/ST author.

Subclause 3.2, FAU_GEN.1.1 is replaced with the following:

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:

a) Start-up and shutdown of the audit functions;

b) All auditable events for the [selection: choose one of: minimum, basic, detailed, not specified] level of audit; and

c) [assignment: other specifically defined auditable events].

For FAU_GEN.1.1b, the PP/ST author should select the level of auditable events called out in the audit section of other functional components included in the PP/ST. This level is one of the following: "minimum", "basic", "detailed" or "not specified".

Subclause C.2, FAU_GEN.1, paragraph 568, is replaced with the following:

For FAU_GEN.1.1c, the PP/ST author should assign a list of other specifically defined auditable events to be included in the list of auditable events. The assignment may comprise none, or events that could be auditable events of a functional requirement that are of a higher audit level than requested in FAU_GEN.1.1b, as well as the events generated through the use of a specified Application Programming Interface (API).

Subclause C.2, FAU_GEN.1, paragraph 569, is replaced with the following:

For FAU_GEN.1.1c, the PP/ST author should assign, for each auditable events included in the PP/ST, either a list of other audit relevant information to be included in audit events records or none.

If there are no additional rules that the TSF should use in the analysis of the audit trail, this assignment can be completed with none.

If there are no additional rules upon which audit selectivity is based, this assignment can be completed with none.

FAU_STG.1.2 The TSF shall be able to [selection: choose one of: prevent, detect] modifications to the audit records in the audit trail.

In FAU_STG.1.2, the PP/ST author should specify whether the TSF shall prevent or only be able to detect modifications of the audit trail. Only one of these options may be chosen.

FAU_STG.2.2 The TSF shall be able to [selection: choose one of: prevent, detect] modifications to the audit records in the audit trail.

In FAU_STG.2.2, the PP/ST author should specify whether the TSF shall prevent or only be able to detect modifications of the audit trail. Only one of these options may be chosen.

This condition can be any of the following: audit storage exhaustion, failure, attack.

FAU_STG.4.1 The TSF shall [selection: choose one of: "ignore auditable events", "prevent auditable events, except those taken by the authorised user with special rights", "overwrite the oldest stored audit records"] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full.

Only one of these options may be chosen.

If there is no other action to be taken in case of audit storage failure, this assignment can be completed with none.

FMT_MSA.3.1 The TSF shall enforce the [assignment: access control SFP, information flow control SFP] to provide [selection: choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.

Only one of these options may be chosen.

FPR_PSE.1.3 The TSF shall [selection: choose one of: determine an alias for a user, accept the alias from the user] and verify that it conforms to the [assignment: alias metric].

Only one of these options may be chosen.

FPR_PSE.2.3 The TSF shall [selection: choose one of: determine an alias for a user, accept the alias from the user] and verify that it conforms to the [assignment: alias metric].

Only one of these options may be chosen.

FPR_PSE.3.3 The TSF shall [selection: choose one of: determine an alias for a user, accept the alias from the user] and verify that it conforms to the [assignment: alias metric].

Only one of these options may be chosen.

Rationale

There some confusion arises from a misunderstanding of the use of the term "normative". RI-222 addresses the question of the meaning of "normative".