| Date: | 10/25/2002 |
| Subject: | Use of documentation without C & P elements. |
| Revision: | 1 |
| Reason for revision: | Changes in CC Part 3 required corresponding CEM changes |
| CC Part #1 Reference: | |
| CC Part #2 Reference: | |
| CC Part #3 Reference: | CC Part 3, Section 9.2 (ADO_IGS) CC Part 3, Section 14.4 (AVA_VLA) |
| CEM Reference: | CEM, Section 6.9.2 (AVA_VLA.1) CEM, Section 7.10.3 (AVA_VLA.1) CEM, Section 8.10.3 (AVA_VLA.2) |
There are two instances where the CC does not expand on which documentation must meet the content and presentation requirements: ADO_IGS and AVA_VLA. Do these refer to the same documentation in the developer action elements?
The content and presentation elements of ADO_IGS and AVA_VLA families apply to the documentation identified in the developer action elements of these families.
The following changes are made to CC Part 3:
ADO_IGS.*.1C is replaced with:
The installation, generation and start-up documentation shall describe all the steps necessary for secure installation, generation and start-up of the TOE.ADO_IGS.2.2C is replaced with:
The installation, generation and start-up documentation shall describe procedures capable of creating a log containing the generation options used to generate the TOE in such a way that it is possible to determine exactly how and when the TOE was generated.The developer action elements for AVA_VLA.* are replaced with:
AVA_VLA.*.1D The developer shall perform a vulnerability analysis.AVA_VLA.*.2D The developer shall provide vulnerability analysis documentation.The content and presentation elements for AVA_VLA.1 are replaced with:
AVA_VLA.1.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for obvious ways in which a user can violate the TSP.
AVA_VLA.1.2C The vulnerability analysis documentation shall describe the disposition of obvious vulnerabilities.
AVA_VLA.1.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.
The content and presentation elements for AVA_VLA.2 are replaced with:
AVA_VLA.2.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for ways in which a user can violate the TSP.
AVA_VLA.2.2C The vulnerability analysis documentation shall describe the disposition of identified vulnerabilities.
AVA_VLA.2.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.
AVA_VLA.2.4C The vulnerability analysis documentation shall justify that the TOE, with the identified vulnerabilities, is resistant to obvious penetration attacks.
The content and presentation elements for AVA_VLA.3 are replaced with:
AVA_VLA.3.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for ways in which a user can violate the TSP.
AVA_VLA.3.2C The vulnerability analysis documentation shall describe the disposition of identified vulnerabilities.
AVA_VLA.3.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.
AVA_VLA.3.4C The vulnerability analysis documentation shall justify that the TOE, with the identified vulnerabilities, is resistant to obvious penetration attacks.
AVA_VLA.3.5C The vulnerability analysis documentation shall show that the search for vulnerabilities is systematic.
The content and presentation elements for AVA_VLA.4 are replaced with:
AVA_VLA.4.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for ways in which a user can violate the TSP.
AVA_VLA.4.2C The vulnerability analysis documentation shall describe the disposition of identified vulnerabilities.
AVA_VLA.4.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.
AVA_VLA.4.4C The vulnerability analysis documentation shall justify that the TOE, with the identified vulnerabilities, is resistant to obvious penetration attacks. AVA_VLA.4.5C The vulnerability analysis documentation shall show that the search for vulnerabilities is systematic.
AVA_VLA.4.6C The vulnerability analysis documentation shall provide a justification that the analysis completely addresses the TOE deliverables.
The following changes are made to the CEM:
RationaleThe reference to AVA_VLA.1.1C just below the section heading 6.9.2.4.1 is replaced with :
AVA_VLA.1.1C, AVA_VLA.1.2C and AVA_VLA.1.3C.The reference to AVA_VLA.1.1C just below the section heading 7.10.3.4.1 is replaced with :
AVA_VLA.1.1C, AVA_VLA.1.2C and AVA_VLA.1.3C.The reference to AVA_VLA.2.1C and AVA_VLA.2.2C just below the section heading 8.10.3.4.1 is replaced with :
AVA_VLA.2.1C, AVA_VLA.2.2C, AVA_VLA.2.3C and AVA_VLA.2.4C.
N/A