Final Interpretation for RI # 49 - Threats met by environment

Date: 02/16/2001
Subject: Threats met by environment
CC Part #1 Reference: CC Part 1, Annex B.2.5; CC Part 1, Annex C.2.5
CC Part #2 Reference: 
CC Part #3 Reference: CC Part 3, Section 4.4 (APE_OBJ); CC Part 3, Section 5.4 (ASE_OBJ)
CEM Reference: 

Issue:

CC Part 1 B.2.5 and C.2.5 state that:

security objectives for the environment shall be clearly stated and traced back to aspects of identified threats not completely countered by the TOE [...].


In the case where the PP/ST environment contains only threats, and no OSPs or assumptions, is it allowed for a security objective for the environment to counter a threat by itself, or should it always do so in conjunction with one or more security objectives for the TOE?



Interpretation

CC Part 1 paras 196 b) and 212 b) state:

A description of threats shall include all threats against which specific protection within the TOE or its environment is required.


This statement is interpreted to permit the inclusion of threats countered entirely by measures within the environment. The CC is interpreted as detailed in the specific changes below.

Specific Changes

The following text is inserted in CC Part 1, paras 198 and 214, after the third sentence:

A threat may be countered by one or more objectives for the TOE, one or more objectives for the environment, or a combination of these.


The following text is inserted as a new para after paras 172 and 355 in the CEM:

A threat may therefore be addressed entirely by one or more objectives for the environment. An extreme case would be where there are no security objectives for the TOE. Whilst this remains a valid use of the PP/ST construct, a TOE for which all threats and OSPs are addressed by the environment would be of questionable utility, as for such a TOE there would be no security functional requirements for the TOE. Certification/validation of such a TOE is a scheme issue.


Rationale

Threats should be included in a PP/ST where they are relevant to secure TOE operation. A threat may therefore be addressed entirely by an objective for the environment. An extreme case would be where there were no security objectives for the TOE. Whilst this remains a valid use of the PP/ST construct, a TOE for which all threats and OSPs are addressed by the environment would be of questionable utility, as for such a TOE there would be no security functional requirements for the TOE. Certification/validation of such a TOE is a scheme issue.