
P2600-action-items-20070606

OPEN ITEMS

Status key: A = abandoned, C = complete, H = on hold, P = partial.

| Item # | Entry date | Original due date | Planned completion | Actual completion | Assignee (-> others to do the same) | Clause / Section | Action | Status | Disposition |
|---|---|---|---|---|---|---|---|---|---|
| 97 | 12/13/2005 | 1/16/2006 | | | Group | | Decide how to get PPs certified and paid for. Talk to your company about funding $10000-$20000. | P | Estimates in hand from Coact, CSC, SAIC (see AI 312) |
| 174 | 4/3/2006 | 5/16/2006 | 2/22/2007 | 4/4/2007 | Smithson | PPs | Reformat to IEEE Style Template | P | PP-A done, others will be based on that one |
| 192 | 5/23/2006 | 6/19/2006 | | | Wright, Smithson | PP | Develop list of benefits for those helping to pay to get the PPs certified. | P | |
| 235 | 7/26/2006 | 8/30/2006 | | | PP Editors / Thrasher | PPs | Align definitions of the threats from PP with clause 7 | | depends on AI#344 |
| 240 | 7/26/2006 | 8/30/2006 | | 11/21/2006 | Smithson, Nevo | PP-A, PP-B | What is quality of password for FIA_SOS in CC V3.1? (WAS: add FIA_QAD specifying at least 4 numeric characters for PP-B and at least 8 alphanumerics for PP-A) | P | leave open to ST writer -- add an AppNote |
| 246 | 9/6/2006 | 10/16/2006 | | | Wright | general | Find out what copyright license terms could be offered on an IEEE std and what that means for a published Protection Profile | | |
| 268 | 10/23/2006 | 12/4/2006 | | | Nevo | PP-B | create mapping for existing CIM, like Chen's mapping of PP-C | | on hold until FPP decisions |
| 298 | 12/12/2006 | 2/15/2007 | | | Aubry | clauses, PPs | figure out how to handle validation of applets and software loading -- we thought to use O.GENUINE, but O.GENUINE refers more to self-test -- need a clear objective and SFR(s) | P | See AI #281. Use FPT_TST to accomplish this. Keep O.GENUINE objective: power-on CRC check. Downloading new firmware generally invalidates the certification. Consider the firmware part of the configuration data so that any threats against management data apply to the firmware? |
| 305 | 12/12/2006 | 2/15/2007 | | | Smithson | PPs | remove references to blank paper/toner/etc. from PPs | P | done in FPP-A 27c |
| 317 | 2/22/2007 | 4/17/2007 | | | Volkoff | PPs | investigate whether we can/should enable user-downloadable applets in a certified configuration and therefore handle threats of rogue applets | | How could we distinguish between security-relevant and security-irrelevant applets? |
| 322 | 2/22/2007 | 4/17/2007 | | | Volkoff | PPs | write up response to Sameer Yami's email about disk salvage (see Feb 2007 meeting notes under "Email issues") | P | |
| 325 | 2/22/2007 | 4/17/2007 | | | Smithson | PPs | look at how other PPs/STs handle credentials -- are they TSF data or User data? | | |
| 328 | 2/23/2007 | 4/17/2007 | | | Smithson | PPs | shall we include ALC_FLR? Which one? In which PPs? | P | ALC_FLR.1 requires the company to have a way of tracking bugs in the product. (Yes, at least for PP-A & PP-B) |
| 329 | 4/24/2007 | 5/23/2007 | | | PP editors | PPs | remove DoS from treatment in PPs (any unique assets, threats, objectives, and SFRs) | P | done in FPP-A 27c |
| 332 | 4/24/2007 | 5/23/2007 | | | PP editors | PPs | adopt FPP approach, with network as an option | P | PP-A done, others will be based on that one |
| 334 | 4/25/2007 | 5/23/2007 | | | Petrie | all | consider/propose new definitions for which TSF Data cannot be disclosed and which TSF Data can be disclosed but should not be altered (current definitions in Smithson's proposal are not specific) | | |
| 335 | 4/25/2007 | 5/23/2007 | | | PP editors | PPs | take out O.DELETE for management data | P | done in FPP-A 27c |
| 336 | 4/25/2007 | 5/23/2007 | | | Smithson | PPs | consider adding function to asset/threat/objective definitions (e.g. T.DOC.OUTPUT.DIS.PRT) | P | checking with schemes for their opinion |
| 339 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | How are resources within the printer (e.g. downloaded fonts, images of signatures, etc.) protected? | | |
| 340 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | What are NIAP's and IAP's views on including ITC and not including COP? | | |
| 341 | 5/31/2007 | 7/4/2007 | | | Smithson | PPs | In the informal security requirements, which configuration items are secret? Which are unalterable? Identify the minimum set for each environment. | | |
| 342 | 5/31/2007 | 7/4/2007 | | | Smithson | PPs | Related to FAU_GEN, what is the minimum set of audited items for audit logs? Identify the minimum set for each environment. | | |
| 343 | 5/31/2007 | 7/4/2007 | | | Smithson | PPs | Related to FMT_SMF, what is the minimum set of management functions? Identify the minimum set for each environment. | | |
| 344 | 5/31/2007 | 6/8/2007 | | | Smithson | Main | Final list of assets and threats to Thrasher | | |
| 345 | 5/31/2007 | 6/8/2007 | | | Thrasher | Main | Write up informal security requirements as prose. | | |
| 346 | 5/31/2007 | 7/4/2007 | | | Cybuck | PP | Are there newer versions of the drafts of the CIMs? If so, can we get copies? | | |
| 347 | 5/31/2007 | 7/4/2007 | | | Everyone | Clause 2 | Do we have any normative references? Everyone should consider any recommendations and forward to Thrasher. | | |
| 348 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | add ALC_FLR.1 to PP-A and PP-B | | |
| 349 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | get an opinion from NIAP CCEVS regarding our use of OSPs | C | appears to be OK with them |
| 350 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | remove asset D.DOC.INPUT (because it has no threats assigned to it) | | |
| 351 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | propose solution for T.DOC.OUTPUT.DIS in CPY (I&A session concept?) | | |
| 352 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | make naming and meaning consistent between SENT/RECV assets and COMMS threats/objectives | | |
| 353 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | change "Sources" (in SFR statements) to something else so that it is not a non-standard SFR statement | | |
| 354 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | fix hierarchical SFR components | | |
| 355 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | create TOE ACPs and FCPs based on informal security requirements, and place them at the beginning of the appropriate SFR sections | | |
| 356 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | remove audit/mgmt recommendations from the SFR rationale tables; use only the direct and dependent SFRs, and add some explanatory text | | |
| 357 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | remove the numbers in the UML composition relationships in PP diagrams | | |
| 358 | 5/30/2007 | 7/4/2007 | | | Smithson | PPs | apply A.LOCATION.SECURE to PRT, SCN, FAX, CPY, and DSR | | |

                                                                                             COMPLETED ITEMS APPEAR BELOW:
  1      5/19/2005    7/11/2005      8/1/2005     8/4/2005       Smithson                          post details for September meeting at Ricoh                                                  C
  2      4/12/2005    5/19/2005      9/1/2005     1/4/2006        Wright         2, annex          update bibliography                                                                          C
  3      4/12/2005    5/19/2005      9/1/2005    10/11/2005        Sukert        3, annex             add terms from section 2                                                                  C        draft in 2005-10
  4      4/12/2005    5/19/2005      9/1/2005     8/4/2005       Smithson            5                reference mitigation techniques in section 3 rather than using ones from NIST             C
                                                                                                      document
  5      4/12/2005    5/19/2005      9/1/2005     8/5/2005       Smithson            6                define assets (from section 3)                                                            C
  6      4/12/2005    5/19/2005      9/1/2005    10/11/2005        Sukert        3, annex             add acronyms from old sections 2 and 4                                                    C        draft in 2005-10
  7      4/12/2005    5/19/2005      9/1/2005     8/4/2005       Smithson            5                add explanatory text about choosing security env based on asset value rather              C
                                                                                                      than topology or name of env
  8      4/12/2005    5/19/2005                  9/15/2005       Haapanen            7                decide if we want to include security env columns in final doc                            A        restructuring of the presentation
                                                                                                                                                                                                         of threats removed this column.

  9      4/12/2005    5/19/2005      9/1/2005                    Haapanen            8                complete missing sections                                                                 C
  10     4/12/2005    5/19/2005      9/1/2005     8/5/2005       Smithson           8, 6              move asset section from section 3 to section 1                                            C
  11     4/12/2005    5/19/2005      9/1/2005                    Haapanen            8                finish actual recommendations, align with clause 7 threats                                C        aligned; recommendations
                                                                                                                                                                                                         largely complete
                                                                                                                                                                                             Status
                                                                                                                                                                                          A=abandoned
                                  Planned date Actual date       Assignee                                                                                                                  C=complete
Action                 Original         of          of        [ -> others to                                                                                                                H=on hold
Item #   Entry date   Due date     completion completion      do the same]      Clause     Section Action                                                                                   P=partial   Disposition
   12    5/19/2005    7/11/2005     9/16/2005   2/23/2006        Smithson       new PP             paste NIAP robustness level text into a new annex (see NIAP instruction #5);                C        consistency issues to be
                                                                                 annex             ensure that our definitions and theirs are consistent                                                discussed at March 06 meeting

  13     5/19/2005    7/11/2005                 6/12/2006       Smithson          PPs                consider NIAP instruction #3, modifying their text to suit our target environment         C        I suggest that we insert this
                                                                                                     (for NIAP environments)                                                                            block of text as a new section
                                                                                                                                                                                                        3.1 in each PP (choosing the
                                                                                                                                                                                                        appropriate robustness for each
                                                                                                                                                                                                        PP). See email discussion.


  14     5/19/2005    7/11/2005     9/1/2005    4/26/2006    Smithson-> Nevo      PP                 add ALC_FLR2 and AVA_MSU.1 per NIAP instruction #4                                        A        subsumed by AI#68
  15     5/19/2005    7/11/2005                              Smithson -> Nevo     PP                 reconcile NIAP's and our PP outline and naming; NIAP 6.2 would be new                     A        Dependent on new CEM for CC
                                                                                                                                                                                                        V3
  16     5/19/2005    7/11/2005                                 Smithson          PP                 make an alternate cover page for NIAP use only (per instruction #6)                       C        whoever writes the US Gov't
                                                                                                                                                                                                        version will create the
                                                                                                                                                                                                        appropriate cover page
  17     5/19/2005    7/11/2005                 7/12/2005       Smithson          PP                 consider name/content changes to our Assumptions, per NIAP instruction #7                 C        superceded by AI#60
                                                                                                     (example: A.PHYSICAL instead of A.LOCATION); maybe add
                                                                                                     A.NO_GENERAL_PURPOSE
  18     5/19/2005    7/11/2005                 7/12/2005         open            PP                 look at NIAP threats (per instruction #8) and consider using their suggested text;        C        superceded by AI#60
                                                                                                     also make sure our threats are appropriate according to their criteria (no threats
                                                                                                     "that the TOE cannot recognize")
  19     5/19/2005    7/11/2005                 7/12/2005         Ohta            PP                 go through all of NIAP instruction #9 (threats, policies, objectives, and                 C        superceded by AI#60
                                                                                                     requirements) and determine implications for our PP
  20     5/19/2005    7/11/2005                 9/15/2005     Cybuck, Ohta        PP                 determine what to do about NIAP instruction #10 (regarding IT requirements);              C        Cybuck reported that NIAP will
                                                                                                     see Toronto minutes page 7; may require asking NIAP and/or one or more PP                          look at our PP; use CC Version
                                                                                                     evaluators                                                                                         3.0
  21     5/19/2005    7/11/2005                 9/15/2005         Ohta            PP                 go through all of NIAP instruction #12 (rationale) and determine implications for         C        Use CC Version 3.0
                                                                                                     our PP
  22     5/19/2005    7/11/2005                 9/15/2005     Cybuck, Ohta        PP                 look at NIAP conventions (instruction #13) to see which NIAP refinements are              C        Use CC Version 3.0
                                                                                                     required; if there are some, we will then need to determine if NIAP refinements
                                                                                                     can be interpreted by evaluators outside of the US

  23     5/19/2005    7/11/2005                 10/24/2005     Smithson ->        PP                 consider what it means to define a "user" in general, per NIAP instruction #14            C        used definition of user from CC
                                                                 Sukert                                                                                                                                 V3
  24     5/19/2005    7/11/2005                 12/13/2005      Smithson          PP                 per NIAP instruction #15, specify "demonstrable" degree of compliance (and                C        Now goes into "Conformance
                                                                                                     define it) in the PP intro                                                                         Claims" in CC V3 - High is
                                                                                                                                                                                                        strict, others demonstrable

  25     5/19/2005    7/11/2005    9/15/2005    9/15/2005     Cybuck, Ohta        PP                 ask evaluators if FAU_GEN.1-NIAP-0407 (an explicit SFR, not a refinement) is              C        Use CC Version 3.0
                                                                                                     acceptable outside of US (per instruction #16); also NIAP interpretations of
                                                                                                     FAU_SEL (#17). FAU_STG (#18), and FDP-ACF (#22)
  26     5/19/2005    7/11/2005    9/15/2005    9/15/2005        Cybuck           PP                 per NIAP instruction #21, ask DAPS and/or NIAP about the FIPS 140-2                       C        Use CC Version 3.0
                                                                                                     requirement
  27     5/19/2005    7/11/2005                 9/15/2005         Ohta            PP                 look at FDP_IFF (NIAP instruction #23) and FIA_AFL (#24) and modify PP as                 C        Use CC Version 3.0
                                                                                                     appropriate
  28     5/19/2005    7/11/2005                 9/15/2005         open            PP                 determine how we can address the "US Government PP" requirement to follow                 C        Use CC Version 3.0
                                                                                                     their PP development process that is described in an additional document

  29     5/19/2005    7/11/2005     9/1/2005    8/25/2005      Smithson           all                reorganize document per agreement detailed in meeting slides                              C
  30     5/19/2005    7/11/2005     9/1/2005    9/15/2005     Ohta -> Nevo,       PP                 update Figure 1 with TIF file from Smithson (Toronto comment #2)                          C
                                                                 Aubry
  31     5/19/2005    7/11/2005     9/1/2005    9/15/2005     Ohta -> Nevo,       PP                 consistency of table 10 and 11 (see Toronto comment #3)                                   C
                                                                 Aubry
  32     5/19/2005    7/11/2005     9/1/2005    9/15/2005     Ohta -> Nevo,       PP                 consistency of table 11 and 12 (see Toronto comment #4)                                   C
                                                                 Aubry
  33     5/19/2005    7/11/2005     9/1/2005    12/13/2005    Ohta -> Nevo,       PP                 add to table 12 how FTA_SSL helps O.I&A (Toronto comment #5)                              C        Ohta and Nevo complete
                                                                 Aubry                                                                                                                                  Not sure if this is needed for
                                                                                                                                                                                                        SOHO
  34     5/19/2005    7/11/2005     9/1/2005     8/4/2005       Smithson           5                 change definition of HS env to exclude gov't classified environments (Toronto             C
                                                                                                     comment #7)
  35     5/19/2005    7/11/2005     9/1/2005    9/15/2005     Ohta -> Nevo,       PP                 change T.UD.IMP.* to T.UD.ALTER.* and change definition (Toronto comment                  C        Not relevant for SOHO
                                                                 Aubry                               #10)
  36     5/19/2005    7/11/2005     9/1/2005     8/4/2005      Smithson            5       1.3.5     clarify security issues in custom env (Toronto comment #11)                               C
  37     5/19/2005    7/11/2005    7/11/2005     7/4/2005         Yami             8       3.3.2.3.1 draft a table of recommended algorithms and key sizes                                     C
  38     5/19/2005    7/11/2005     9/1/2005    9/15/2005     Ohta -> Nevo,       PP                 change user and administrator "password" to "authentication data" throughout              C
                                                                 Aubry                               (Toronto comment #13)
  39     5/19/2005    7/11/2005    7/11/2005     7/1/2005     Ohta -> Nevo        PP                 add role of Auditor and apply where necessary (in HS and Enterprise only)                 C        Complete
                                                                                                     (Toronto comments #14 - #16)
  40     5/19/2005    7/11/2005    7/11/2005     7/1/2005      Ohta -> Nevo       PP                 elaborate on 4.5.1.3 subsections (Toronto comment #18)                                    C
  41     5/19/2005    7/11/2005    7/11/2005    9/15/2005      Ohta -> Nevo       PP                 various comments regarding crypto keys (Toronto comment #19)                              C        Ohta and Nevo complete
  42     5/19/2005    7/11/2005     9/1/2005     8/4/2005       Smithson           5                 add text saying that there can be other Custom envs but they are not further              C
                                                                                                     discussed (Toronto comment #20)
  43     5/19/2005    7/11/2005                 9/15/2005       Haapanen,         7,8                reconcile threat likelihood/risk/whatever between these two clauses (Toronto              C        awaiting threat analysis
                                                                  Thrasher                            comment #21)                                                                                       completion; restructuring of
                                                                                                                                                                                                        document eliminates duplicate
                                                                                                                                                                                                        information getting out of sync.

  44     5/19/2005    7/11/2005                                 Haapanen           8                 make sure threat descriptions in clause 8 match the text in clause 7 (Toronto             C
                                                                                                     comment #22)
  45     5/19/2005    7/11/2005     9/1/2005    9/15/2005     Ohta -> Nevo,       PP                 threat description text changes (Toronto comments #23, #24, #25)                          C
                                                                  Aubry
  46     5/19/2005    7/11/2005     9/1/2005    9/15/2005     Ohta -> Nevo,     7, 8, PP             change threat description of EA.PROXY and EA.DOS (Toronto comment #27)                    C        Not relevant for SOHO
                                                             Aubry, Haapanen,
                                                                 Thrasher

  47     5/19/2005    7/11/2005     9/1/2005    12/13/2005    Ohta -> Nevo,       PP                 threat description changes (Toronto comments #28 and #29)                                 C        Ohta and Nevo complete
                                                                 Aubry
  48     5/19/2005    7/11/2005     9/1/2005    9/15/2005     Ohta -> Nevo,       PP                 add intersection between T.TSF.SW and O.I&A (Toronto comment #31)                         C        Not relevant for SOHO
                                                                 Aubry
  49     5/20/2005    7/11/2005     9/1/2005                    Cybuck             5                 change Enterprise to asset value = M and give new examples (see Toronto                   C        examples need to be written
                                                                                                     minutes pg 16-17)
  50     5/20/2005    7/11/2005    7/11/2005    6/21/2005       Smithson,          -                 give directions and guidelines for performing risk assessment and re-run with new         C        insufficient response to collate
                                                                 w/Aubry                             Enterprise definition (and more participants), see Toronto minutes pg. 18-19 and                   meaningful results
                                                                                                     meeting slides ("Other")
  51     5/20/2005                              5/24/2005        Wright            -                 publish email comments database/resolutions                                               C
  52     5/20/2005    7/11/2005                 9/15/2005        Wright           PP                 find out from IEEE editors if PPs can be standalone documents referenced by the           C        Leave PPs in P2600 (at least
                                                                                                     P2600 standard, or must they be incorporated in a single P2600 document                            for now)

  53     7/11/2005    9/1/2005                  9/15/2005        Cybuck           PP                 if we have a US Govt PP, can another agency certify it, and will the US Govt              C        Per Peter's work with NIAP,
                                                                                                     accept that product certification?                                                                 under CC V3, yes.
  54     7/11/2005    9/1/2005                   8/1/2005       Smithson           1                 need to get original text back into scope and purpose, can have more but not              C
                                                                                                     change original (from PAR)
   55    7/11/2005     9/1/2005                   8/2/2005         Smithson            4             1.4.2 use of the standard FOR EACH ROLE                                                      C
   56    7/11/2005    7/12/2005                  7/12/2005          Sukert          HS PP            review threat analysis output and propose common sense resolution to "yellow"                C
                                                                                                     items with rationale for their inclusion/exclusion
  57     7/11/2005    7/12/2005                  7/12/2005          Freas           Ent PP           review threat analysis output and propose common sense resolution to "yellow"                C
                                                                                                     items with rationale for their inclusion/exclusion
  58     7/11/2005    7/12/2005                  7/12/2005          Chen           SOHO PP           review threat analysis output and propose common sense resolution to "yellow"                C
                                                                                                     items with rationale for their inclusion/exclusion
  59     7/11/2005    7/12/2005                  7/12/2005        Haapanen         Public PP         review threat analysis output and propose common sense resolution to "yellow"                C
                                                                                                     items with rationale for their inclusion/exclusion
  60     7/12/2005     9/1/2005                  9/15/2005        PP team            PPs             CIM instructions 7, 8, 9 (supersedes AI#17,18,19)                                            C        Dealt with under conversion to
                                                                                                                                                                                                           CC V3.
  61     7/12/2005     9/1/2005                                                                         define/distinguish device settings and security settings                                  A        Subsumed by #64
  62     7/12/2005     9/1/2005                  7/14/2005         Wright              -                combine and publish threat/environment results                                            C
  63     7/11/2005     9/1/2005                   8/1/2005        Smithson             4      x.4.3     add more specificity about different classes of users of the standard, i.e.               C
                                                                                                        manufacturers, end users, IT people
  64     7/11/2005     9/1/2005                  9/28/2005          Yami              all               propose complete descriptions of and distinctions between "security settings" and         C
                                                                                                        "device settings"
  65     7/11/2005     9/1/2005                  9/15/2005    Smithson -> Nevo,       PP                rewrite T.DOS objective so that it does not prohibit reboot as a recovery from            C        Nevo complete,
                                                                   Aubry                                attack                                                                                             Smithson:Complete
                                                                                                                                                                                                           Not relevant for SOHO
  66     7/11/2005     9/1/2005                  9/15/2005    Smithson -> Nevo,       PP                change T.DOS.PRT description to say "sending a print file that causes the                 C        Nevo complete,
                                                                   Aubry                                system processor to enter a continuous printing or program loop"                                   Smithson:Complete
                                                                                                                                                                                                           Not relevant for SOHO
  67     7/12/2005     9/1/2005                                     Nevo             PP-B               O.RESILIENT definition should be made consistent across the PPs -- Because of             C        HVA done
                                                                                                        a DoS attack, assets are not compromised. Need to add that assets are not                          Pub done
                                                                                                        compromised to the definition of O.Resilient                                                       SOHO n/a
  68     9/15/2005    10/13/2005                 10/20/2006   Smithson, Nevo,         PP                Convert PPs to CC Version 3 plus non-offensive CIM recommendations -                      C        Converted but with no
                                                                   Aubry                                open                                                                                               NIAP/CIM requirements;
                                                                                                        Add ALC_FLR.2 to Public PP and then to other PPs (old AI#124) - in C & D, not                      proposal to be discussed in
                                                                                                        A or B                                                                                             Lexington-23
                                                                                                        add ALC_FLR.2 and AVA_MSU.1 per NIAP instruction #4 (old AI#14) -
                                                                                                        AVA_MSU - not in CCV3                                                                                                                 x
  69     9/15/2005    10/24/2005                 10/24/2005       Thrasher            PP                at the next CS1 meeting, ask when CC V3 is going to be an international                   C        Expected 2007 time frame
                                                                                                        standard                                                                                           before it completes the
                                                                                                                                                                                                           International Standards Process

  70     9/15/2005    9/23/2005                  9/23/2005        Smithson            all               revise and publish "final" threat analysis output                                         C
  71     9/16/2005    10/13/2005                 10/24/2005       Thrasher            7                 review revised risk levels for each threat and change clause 7 as needed                  C

  72     9/16/2005    10/13/2005                 3/15/2006    Smithson, Nevo,        PPs                review revised threat inclusions and PPs as needed                                        C
                                                                   Aubry
  73     9/15/2005    10/13/2005                 10/24/2005     Smithson            HS PP     7.2.1     Add to this paragraph how FTA_SSL.3 helps achieve O.I&A. Justification:                   C        redundant with AI#33
                                                                                                        Completeness and consistency between Table 12 and corresponding text. (from
                                                                                                        comments database #5)
  74     9/15/2005    10/13/2005                 12/13/2005       Smithson          HS PP               Change the definition of the HS environment in section 1 to exclude government            C        We don't explicitly include govt
                                                                                                        classified environments. We could consider Adding "Commercial" in front of                         classified environments in the
                                                                                                        "High Security." (from comments database #7)                                                       PP.
  75     9/15/2005    10/6/2005                   2/8/2006        Smithson             7                write up threat analysis methodology, then include in clause 7 or an annex thereof        C        Turn bullet list of process into
                                                                                                                                                                                                           text and make an annex.
  76     9/15/2005    10/13/2005                 3/15/2006    Volkoff, Smithson,    6, PPs              redefine "external environment" in clause 6 and PPs: "external environment                C        clause 6 done
                                                                Nevo, Aubry                             consists of other IT equipment that is interconnected or interoperates with the                    "external environment" does not
                                                                                                        HCD"                                                                                               appear in any PPs
  77     9/16/2005    10/24/2005                 12/13/2005        Cybuck             all               get feedback from NIAP on our security environment naming proposal: High                  C        There is some confusion about
                                                                                                        Value Asset Environment, General Enterprise Environment, Public Environment,                       "HIGH" because it might be
                                                                                                        and SOHO Environment                                                                               confused with EAL level 5 or 6
                                                                                                                                                                                                           but we don't have a better term.


  78     9/16/2005    9/19/2005                  9/16/2005       Smithson           SOHO                inform Carmen Aubry of the decision to move to CC V3                                      C
  79     9/16/2005    10/24/2005                 10/24/2005        Volkoff            -                 gather December meeting hotel/meeting info                                                C
  80     9/16/2005    10/24/2005                 10/24/2005   Cybuck,Sukert,Thr      PPs                discuss PP evaluation needs with labs                                                     C        CSC: $25-50K, COACT:
                                                                   asher                                                                                                                                   ~$25K (CCV3-ok), SAIC: ~15K

  81     10/24/2005   12/13/2005                  2/1/2006        Smithson           PPs                Try to set up a meeting with NIAP/NIST/NSA about the philosophy of our PPs                C        Cybuck invited them to March
                                                                                                        (who from group?)                                                                                  meeting; they have accepted

  82     10/24/2005   12/13/2005                 12/13/2005        Wright                               Difference between informative references and Bibliography??                              C        We only needed a "References"
                                                                                                                                                                                                           section and a "Bibliography"

  83     10/24/2005   12/13/2005                 12/13/2005        Sukert                               Table 2, Clause 3: Add SAR, change to US English, Add needed acronyms.                    C

  84     10/25/2005   12/13/2005                 1/13/2006         Sukert          Clause 8             Provide text and references for recommendations to manufacturers for                      C        new annex
                                                                                                        methodologies and processes for the development of secure HCDs
  85     10/25/2005   12/13/2005                  3/2/2006        Smithson         HVA PP               Ask NIAP to define how they are going to deal with encryption as they did in the          C        Answered in March Meeting
                                                                                                        CIM for CCv2.2
  86     10/25/2005   12/13/2005                  3/2/2006        Smithson         HVA PP               If we specify FIA_UAU.1, does that allow third-party authentication? .2                   C        NIAP provided information on
                                                                                                        REQUIRES third-party but does .1 prohibit third party?                                             how to do this at the March
                                                                                                                                                                                                           meeting.
  87     10/25/2005   12/13/2005    2/22/2007    5/31/2007    Smithson/Nevo            6                write up asset value methodology                                                          A        no longer needed
  88     10/24/2005   12/13/2005                 12/13/2005     Smithson            annexes             Is another annex "additional references" needed? Find out.                                C        No
  89     10/24/2005   12/13/2005                 12/13/2005      Thrasher              7                add Network threat to T.RESOURCE.COPY                                                     C
  90     10/24/2005   12/13/2005                 12/13/2005   Smithson, Nevo,         PPs               add Network threat to T.RESOURCE.COPY                                                     C
                                                               Aubry, Chen/
                                                                  Sukert
  91     10/24/2005   12/13/2005                 12/13/2005        Sukert              3                put OCTAVE (acronym and registered TM) in clause 3                                        C
  92     10/24/2005   12/13/2005                 12/13/2005       Thrasher             7                threat detail tables: change "see" to "observe", define these table entries at            C
                                                                                                        beginning of section, and change "end users" to "users"
  93     10/24/2005   12/13/2005                 12/13/2005       Thrasher             7                re-sync short threat descriptions in with short descriptions in detail tables             C

  94     10/24/2005   12/13/2005                 12/13/2005       Thrasher             7                re-sync symptoms between some items in threat detail tables                               C
   95    10/25/2005   12/13/2005                 1/13/2006         Smithson          PPs               do we need security objectives for IT and non-IT in CCv3?                                      C        answer: we need SOs for the
                                                                                                                                                                                                               TOE, the development
                                                                                                                                                                                                               environment, and the
                                                                                                                                                                                                               operational environment. SOs
                                                                                                                                                                                                               for the TOE and DevEnv
                                                                                                                                                                                                               address threats and OSPs,
                                                                                                                                                                                                               SOs for the OpEnv address
                                                                                                                                                                                                               Threats, OSPs, and
                                                                                                                                                                                                               Assumptions. Therefore if we
                                                                                                                                                                                                               have assumptions we must
                                                                                                                                                                                                               have SOs for the OpEnv.
                                                                                                                                                                                                               OpEnv includes both non-IT
                                                                                                                                                                                                               and IT (external to the TOE).


  96     12/13/2005   1/16/2006                   1/7/2006         Sukert           Clause 3            Define Media                                                                                  C
  98     12/13/2005   1/16/2006                  1/11/2006        Smithson          All PPs             PP Section 2 conformance claims need to be re-written to conform to CCv3                      C
                                                                                                        guidance.
 99      12/13/2005   1/16/2006                   3/3/2006        Smithson          All PPs             Update PPs section 6 to match CCv3.                                                           A        Subsumed by AI #68
 100     12/14/2005   1/16/2006                  10/20/2006       Smithson          All PPs             Update the PPs in the area of Subjects, Objects and Operations as per                         C        proposal to be discussed in
                                                                                                      requirements of CCv3. Make consistent across PPs.                                                      Lexington-23
                                                                                                        need to reconcile naming conventions for subjects, objects, and operations (old
                                                                                                        AI#144)
                                                                                                        need to use D.* for subjects in section 6 of PPs (old AI#145)                                                                              x
 101      1/5/2006    1/16/2006                                     Nevo            All PPs             Review definitions in clause 3 (especially changes between 14a and 14b) and                   C
                                                                                                        update PP definitions if/as needed
 102      1/5/2006    1/16/2006                  1/11/2006        Smithson            HVA,              need to reflect these changes made in Enterprise PP between version 14b and                   C
                                                                                     SOHO,              14c
                                                                                    Pub PPs
 103      1/5/2006    1/16/2006                  2/23/2006        Smithson          All PPs             Figure 2: remove "External" Device Interface                                                  C
 104      1/5/2006    1/16/2006                  1/11/2006        Smithson          All PPs             remove/fix sentences which refer to "below" or "above" in reference to figures or             C
                                                                                                        tables
 105      1/5/2006    1/16/2006                  1/11/2006        Smithson          All PPs              fix bookmarks that have a leading paragraph                                                  C
 106      1/5/2006    1/16/2006                  1/11/2006        Smithson          All PPs              global check for "user document data" (correct) vs "user document", and "user                C
                                                                                                        function data" (correct) vs "user functional data"
 107      1/5/2006    1/16/2006                  3/15/2006        Smithson         HVA PP                make sure t.resource.copy is in HVA PP                                                       C
 108      1/5/2006    1/16/2006                  1/11/2006        Smithson          All PPs              refer to sections, not chapters (or clauses)                                                 C
 109      1/5/2006    1/16/2006                  3/15/2006        Smithson         HVA, Ent             Make T.UD.SNIFF.* consistent in HVA & ENT                                                     C        PP-B needs to change
                                                                                     PPs
 110      1/5/2006    1/16/2006                   3/2/2006        Thrasher         Clause 7              clause 7: remove t.tsf.conf.ab from Public PP threats                                        C        We decided to put this back in

 111      1/5/2006    1/16/2006                                  Nevo/Aubry        HVA, Ent,            should put "accounting events" in the other PPs in O.MONITOR as done in the                   C        PP-A, PP-B done
                                                                                   SOHO PPs             PUBLIC PP
 112      1/5/2006    1/16/2006                   1/6/2006      Chen, Sukert        Pub PP               fix numbering, heading styles, etc                                                           C
 113      1/5/2006    1/16/2006                  1/11/2006      Chen, Sukert        Pub PP               global change: vendor -> manufacturer                                                        C        Smithson checked and
                                                                                                                                                                                                               changed all PPs
 114      1/5/2006    1/16/2006                                     Nevo            All PPs             add OE.NET_MANAGE and OE.NETWORK to T.DOS.NET threats (ALL                                    C        Doesn't apply to PP-D
                                                                                                        applicable profiles)
 115      1/5/2006    1/16/2006                                     Cybuck          Clause 5            update captions on figures                                                                    C
 116      1/5/2006    1/16/2006                                     Cybuck          Clause 5            change MFD to HCD                                                                             C
 117      1/5/2006    1/16/2006                   1/5/2006        Smithson          Clause 5            send word doc and graphics to Peter                                                           C
 118      1/5/2006    1/16/2006                   1/8/2006        Smithson             All              start posting doc files                                                                       C
 119      1/5/2006    1/16/2006                  1/17/2006      All clause/PP          All              all editors: enable change tracking                                                           C
                                                                    editors
 120     1/16/2006     3/2/2006                                   Smithson            PP                Implement AI #95                                                                              C        No action needed, we have
                                                                                                                                                                                                               SOs for the OpEnv
 121     1/16/2006     3/2/2006                                 Sukert/Aubry          PP                Correlate SFRs for the CIM V3 T., A.,P. from NIAP                                             A        Waiting for CCV3 CIM
 122     1/16/2006     3/2/2006                                  PP editors           PP                Analyze what is missing from PP based on results of AI 121                                    A                                            x
 123     1/16/2006     3/2/2006                   3/2/2006        Alan S.              3                Reformat definitions, acronyms, etc to match IEEE Style manual                                C
 124     1/17/2006     3/2/2006                  4/26/2006     Smithson/Nevo/      Public PP            Add ALC_FLR.2 to Public PP and then to other PPs                                              A        subsumed by AI#68
                                                                   Aubry
 124     1/17/2006     3/2/2006                  10/20/2006      Smithson          Public PP            In 6.1.2.4: Define the objects that the access control must be performed on.                  C        proposal to be discussed in
                                                                                                        Results apply to other PPs.                                                                            Lexington-23                        x
 125     1/17/2006     3/2/2006                   3/2/2006          Wright          Clause 9            Merge "clause 8 annexes" into clause 9. Make it informative.                                  C
 126     1/17/2006                                            Aubry/Thrasher/S     SOHO PP              Develop proposal for SoHo PP to deal with issue of requiring user identification to           C        See AI #159 for implementation
                                                                    mithson                             be able to print.
 127     1/17/2006     3/2/2006                   3/2/2006       Sukert/Chen       Public PP            Put .AB back into Public                                                                      C
 128     1/17/2006                                                   Aubry         SOHO PP              Add ALC class to SOHO                                                                         C
 129     1/18/2006     3/2/2006                  3/23/2006          Wright           Refs               look for references in Annexes                                                                C
 130     1/18/2006     3/2/2006                  3/23/2006          Wright           Refs               put references in IEEE citation style                                                         C
 131     1/18/2006     3/2/2006                  4/26/2006    all clause editors      All               Look for use of the word "media". It should refer to material on which printing and           A        subsumed by AI#180
                                                                                                        scanning is performed. For other uses, find another word or use a modifier like
                                                                                                        "storage media".
 132     1/18/2006     3/2/2006                  2/23/2006       PP editors         All PPs             make the definition of Firmware consistent with clause 3                                      C
 133     1/18/2006     3/2/2006                  3/23/2006        Wright              8,9               change Kbps to kb/s                                                                           C
 134     1/18/2006     3/2/2006                                   Sukert                3               put definitions in IEEE terms and definitions style                                           C
 135     1/18/2006     3/2/2006                  2/23/2006       Smithson           All PPs             change FAX to fax                                                                             C
 136     1/18/2006     3/2/2006                                   Cybuck                5               add description and graphic for "island" and/or small business example of HVA                 C
                                                                                                        environment
 137     1/18/2006     3/2/2006                                   Cybuck               5                Capitalize environment names (High Value Asset, etc.)                                         C
 138     1/18/2006     3/2/2006                  4/26/2006    Cybuck, Wright,       5, PPs              Change references to "profile" to either "Protection Profile" or "Operational                 A        subsumed by AI#180
                                                                Haapanen,                               Environment", as appropriate
                                                              Thrasher, Sukert
 139     1/18/2006     3/2/2006                  2/23/2006    clause editors and      All               change references to "Security Environment" to "Operational Environment"                      C
                                                                  PP editors
 140     1/18/2006     3/2/2006                  2/23/2006        Smithson         HVA, Ent,            apply changes made to SOHO PP 16a to other PPs                                                C
                                                                                    Pub PP
 141     1/23/2006     3/2/2006                  2/23/2006        Smithson         HVA, Ent,            apply changes made to Pub PP 16a 2.4 to other PPs                                             C
                                                                                   SOHO PPs
 142     1/23/2006     3/2/2006                   2/1/2006        Smithson         HVA, Ent,            put "Network Management" as parenthetical description of OE.NET_MANAGE                        C        HVA done
                                                                                   SOHO PPs                                                                                                                    SOHO n/a
                                                                                                                                                                                                               Enterprise - not defined??
 143     1/23/2006     3/2/2006                  4/28/2006       PP editors         All PPs             In the Threat description section, for all threats that represent several sub-threats,        C
                                                                                                        list each subthreat by name
 144     1/23/2006     3/2/2006                  4/26/2006          open            All PPs             need to reconcile naming conventions for subjects, objects, and operations                    A        subsumed by AI#100

 145     1/23/2006     3/2/2006                  4/26/2006       PP editors         All PPs             need to use D.* for subjects in section 6 of PPs                                              A        subsumed by AI#100
 146     1/23/2006     3/2/2006                   3/2/2006       Smithson           All PPs             find out (from NIAP) how FDP_ISA is used in real life                                         C        on the list for March meeting
                                                                                                                                                                                                                with NIAP
 147     1/23/2006     3/2/2006                  8/23/2006    Smithson (contact     All PPs              apply what is learned from AI #146                                                           A        FDP_ISA isn't in v3.1, so this is
                                                                  Carmen)                                                                                                                                      no longer relevant (See
                                                                                                                                                                                                               FMT_MSA.3 in CCV3.1)
 148     1/23/2006     3/2/2006                   3/2/2006          open            All PPs             all PPs need ALC_FLR.2 for EAL 2 Extended                                                     C        subsumed by AI 124
  149    1/23/2006    3/2/2006                                     Nevo             All PPs             rationale section still has app notes -- need to move to where they are needed (at            C        PP-B still has a section 7
                                                                                                        least in Public PP, maybe others)
 150     1/23/2006    3/2/2006                   3/2/2006      Sukert/Chen         Public PP            ADV_ARC subheadings should be H4's (also ADV_TDS, PRE, etc)                                   C
 151     1/23/2006    3/2/2006                   2/1/2006       Smithson           HVA, Ent,             AI #150 applicable to other PPs?                                                             C        no, other PPs are OK
                                                                                   SOHO PPs
 152      3/2/2006    3/27/2006                 5/19/2006        Smithson           clause 7              Go through threats in clause 7 and propose more specific threat agents                      C
 153      3/2/2006    3/27/2006                 3/22/2006        Smithson           HVA/ENT               Propose solution to omission of T.TSF.CRED.DISK                                             C        see email
                                                                                                                                                                                                               needs to be applied to PP-B
 154      3/2/2006    3/27/2006                                    Aubry              PPs                 Section 2.1 of the PPs -- For CC V3 "strict conformance" is no longer                       C        PP-A, B, C done
                                                                                                          appropriate. See CCv3 part1 pg34-35 sec 9.4.

 155      3/2/2006    3/27/2006                 3/22/2006        Smithson             PPs                 Rewrite PP 3.3 to flow better.                                                              C        see also rewrite of PP 3.0
                                                                                                                                                                                                               need to apply to PP-B,C,D
 156      3/2/2006    3/27/2006                                   Sukert            Clause 3              Compare CIM term definitions versus clause 3 and make recommendation as to                  C
                                                                                                          how to handle any differences.
 157      3/2/2006    3/27/2006    7/26/2006    10/20/2006       Smithson            HVA                  Compare the Security Assurance Requirements (Sect. 6.2 in HVA PP) if written                C        proposal to be discussed in
                                                                                                          at EAL2 versus EAL3.                                                                                 Lexington-23                        x
 158      3/2/2006    3/27/2006    7/26/2006    10/20/2006       Smithson            HVA                  Compare the Security Functional Requirements (Sect 6.1 in HVA PP) if written                C        proposal to be discussed in
                                                                                                          to comply with CIM-Medium Robustness versus CIM Basic Robustness                                     Lexington-23

 159      3/3/2006    3/27/2006                 4/28/2006          Aubry             PP-D                 Remove T.UD, add EA.PROXY, add SW.UPDATE, make EAL1, low assurance                          C
                                                                                                          PP
 160      3/3/2006    3/27/2006                                Nevo/Aubry/            PPs                 update threat description tables to add subthreat column (see HVA 17a for                   C        PP-A done
                                                               Chen/Sukert                                example) but always list applicable subthreats even if all are included in the roll-
                                                                                                          up; if there are no subthreats to a roll-up, list the roll-up
 161      3/3/2006    3/27/2006                 4/28/2006      Nevo/Aubry/            PPs                 change environment names (see email instructions)                                           C
                                                               Chen/Sukert
 162      3/3/2006    3/27/2006                 4/28/2006      Nevo/Aubry/            PPs                 provide additional description of environment (see email instructions)                      C
                                                               Chen/Sukert
 163      4/3/2006    5/16/2006                 4/28/2006        Aubry               PP-D                 Put assumptions & threats back into PP-D                                                    C        Even though this is EAL 1 &
                                                                                                                                                                                                               threats are not required, the
                                                                                                                                                                                                                group wants to provide this
                                                                                                                                                                                                               information.
 164      4/3/2006    5/16/2006    7/26/2006    8/29/2006          Aubry              All                 Should we use "credential" or "authentication data" ??                                      C        Use "authentication data"
                                                                                                                                                                                                               PP-A, PP-B, PP-C, PP-D done
 166      4/3/2006    5/16/2006                 4/26/2006    all clause editors,      All                 Remove "Internal Users" & "External Users" --- use "users" as appropriate                   A        subsumed by AI#180
                                                                all PP editors

 167      4/3/2006    5/16/2006                 5/12/2006       PP editors            PPs                 Use "Normal User(s)" when referring to non-administrative, non CE users. Use                C
                                                                                                          "Users" when you want to refer to ALL users.
 168      4/3/2006    5/16/2006                 4/10/2006        Sukert             Clause 3              Merge clauses 3.1 & 3.2                                                                     C        All definitions are now in 3.1
 169      4/3/2006    5/16/2006                                Chen/Sukert            PPs                 Change definitions of User Document Data and User Function Data to match                    C
                                                                                                          what is in clause 3.
 170      4/3/2006    5/16/2006                 4/17/2006      Chen/Sukert           Plain                Clean up both versions of the example SFR replacing "subject," "object," etc to             C
                                                                                    English               the actual subject and object. Send to Peter.
                                                                                     SFRs
 171      4/3/2006    5/16/2006                 5/16/2006         Cybuck             Plain                Ask NIAP's opinion of results of 170                                                        C        was discussed at May mtg
                                                                                    English
                                                                                     SFR
 172      4/3/2006    5/16/2006    7/26/2006    7/15/2006        Smithson             PP                  Complete references, update acronyms, harmonize PP glossary with clause 3                   C        done, done, done…
                                                                                   Annexes                including adding some missing terms.
 175      4/3/2006    5/16/2006    6/19/2006                       Aubry           PP Figure              Update figure to account for removal of Internal User, External User and Normal             C        needs to be put in PP-D
                                                                                       1                  User
 176      4/3/2006    5/16/2006    7/26/2006    10/20/2006       Smithson            PP-A                 Change SARs to CCV3 @ EAL3                                                                  C        proposal to be discussed in
                                                                                                                                                                                                               Lexington-23                        x
 177      4/3/2006    5/16/2006    7/26/2006    10/20/2006       Smithson            PP-B                 Change SARs to CCV3 @ EAL2                                                                  C        proposal to be discussed in
                                                                                                                                                                                                               Lexington-23                        x
 178      4/3/2006    4/24/2006                 4/26/2006        Smithson            admin                reconcile/correlate multiple action items on same subjects and remove duplicates            C

 179      4/3/2006    4/24/2006                 4/27/2006        Smithson            admin                send reminders to all assignees of action items                                             C
 180      4/3/2006    4/24/2006                 4/27/2006        Smithson            admin                remind editors about global search/replace items and filename changes in PPs                C        Look for use of the word
                                                                                                                                                                                                               "media". It should refer to
                                                                                                                                                                                                               material on which printing and
                                                                                                                                                                                                               scanning is performed. For
                                                                                                                                                                                                               other uses, find another word or
                                                                                                                                                                                                               use a modifier like "storage
                                                                                                                                                                                                               media". (PPs are OK, 3 & 7
                                                                                                                                                                                                               done)
                                                                                                                                                                                                               Change references to "profile"
                                                                                                                                                                                                               to either "Protection Profile" or
                                                                                                                                                                                                               "Operational Environment", as
                                                                                                                                                                                                               appropriate (HVA, ENT, Pub,
                                                                                                                                                                                                               SOHO PPs are OK)
                                                                                                                                                                                                               Change "Device Interface(s)" to
                                                                                                                                                                                                               "External Device Interface(s)"
                                                                                                                                                                                                               Remove "Internal Users" &
                                                                                                                                                                                                               "External Users" --- use "users"
                                                                                                                                                                                                                as appropriate

 181      4/3/2006    5/16/2006                  5/8/2006         Wright             admin                item for Paris agenda: PP-D EAL1/LAPP review, and consider if                               C
                                                                                                          threats/assumptions should be included in that PP
 182      4/3/2006    5/16/2006                 5/12/2006    Smithson, Nevo         PP-A,B                remove reference to media marking component from O.DELETE                                   C
 183      4/3/2006    5/16/2006                 5/12/2006    Smithson, Nevo,       PP-A,B,C               change objectives for T.UD.PHY.OUTPUT: remove O.I&A, O.ACCESS, and                          C
                                                              Chen/Sukert                                 O.MONITOR; add OE.LOCATION
 184      4/3/2006    5/16/2006                 5/15/2006         Aubry              PP-D                 remove T.UD.PHY.OUTPUT from threat table                                                    C
 185      4/4/2006    5/16/2006                 8/24/2006       Thrasher             3&5                  remove references to "Custom" environment, and refer only to "Public" (type C)              C
                                                                                                          environment
 186      5/4/2006    5/24/2006                                  Thrasher          3, annex A             FISMA is only cited in the Acronyms and Informative reference clauses but NOT               A        OK to leave it in
                                                                                                          anywhere in the text.
 187      5/4/2006    5/24/2006                                  Thrasher           annex A               The following Informative References aren't cited anywhere in the document: 3,              C        OK, remove 119 and renumber
                                                                                                          12, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 35, 42,
                                                                                                          43, 44, 45, 100, 105, (and 119 is a dup of 14).
 188      5/4/2006    5/24/2006                                    group            annex A               The new DoD 5220.22-M NISPOM document released in Feb. 2006 has                             C        The link provided in Annex A is
                                                                                                          removed the disk wiping mechanism that was in the 1995 version.....                                  the 1995 version with the 1997
                                                                                                                                                                                                               updates.
 189      5/4/2006    5/24/2006                                  Thrasher           annex A               We still have no references for the German VSITR and Russian GOST disk                      C
                                                                                                          wiping standards.
 190      5/4/2006    5/24/2006                                  Thrasher           annex A               The IEEE Style Guide has a Bibliography instead of an Informative References                C        Change to "Bibliography"
                                                                                                          annex.
 191      5/4/2006    5/24/2006                                    group               2                  The IEEE Style Guide does not number the Normative References.....                          C        Leave them numbered
  193    5/23/2006    7/19/2006                                    Aubry          PP               Change PP 1.2 (TOE Overview) to make clear that the TOE must be the whole                C        "The Target of Evaluation
                                                                                                   product not just a subset or a feature.                                                           (TOE) of this Protection Profile
                                                                                                                                                                                                     is the entire Hardcopy Device
                                                                                                                                                                                                     (HCD) as available to end
                                                                                                                                                                                                     customers, i.e., the compliant
                                                                                                                                                                                                     configuration."
                                                                                                                                                                                                     PP-A, B, C done
 194     5/23/2006    6/19/2006                                   Thrasher         7                Add threat actors (definitions, within each threat, summary table)                      C
 195     5/23/2006    6/19/2006                 8/24/2006         Thrasher         8                Better background text for 8.3.5.2 (T.UD.ACC.HACK)                                      C
 196     5/23/2006    6/19/2006                                   Thrasher         8                We need a reference for EMSEC in 8.3.9.2                                                C
  197     5/24/2006    6/19/2006                            Thrasher/Wright/Ron     9                Try to find references to Russian and German disk wiping algorithms                     C        found reference to VISTR
                                                                                                                                                                                                           found reference to GOST?
 198     5/24/2006    6/19/2006                                  PP editors    PP-A, PP-            Resolve and document the issue of mandating encryption on the network for PP-           C        proposal made for consideration
                                                                                  B                 A and PP-B                                                                                       at Camas
                                                                                                                                                                                                     DID we decide to remove
                                                                                                                                                                                                     T.UD.SNIFF.NET in
                                                                                                                                                                                                           Rochester?
 199     5/24/2006    6/19/2006                 8/24/2006        Thrasher       clauses             list of editor items in                                                                 C
                                                                                                    http://grouper.ieee.org/groups/2600/presentations/Paris/P2600_1_to_9_editor_ac
                                                                                                    tion_items.txt
 200     5/23/2006    6/19/2006                 6/16/2006       Smithson          web               make participant list consistent with updated list from Thrasher                        C
 201     5/23/2006    6/19/2006                 6/13/2006       Smithson        annex E             go through old spreadsheets and figure out what changes are needed to make              C        see email
                                                                                                    T.DOS a moderate level priority for environment A
 202     5/23/2006    6/19/2006                 6/12/2006       Smithson         PPs                see if changing T.DOS.FAX.LOOP definition to "sending or receiving" makes a             C        T.DOS.FAX.LOOP doesn't
                                                                                                    difference in any PP                                                                             appear in any PPs
 203     5/24/2006    6/19/2006                 8/29/2006        Aubry           PP-D               update actor definitions to be consistent with PP-A                                     C
 204     5/24/2006    6/19/2006                  6/9/2006       PP editors       PPs                actor table (per new threat descriptions in clauses) should appear in PPs               A        mistaken entry
 205     5/24/2006    6/19/2006                 6/13/2006      Chen/Sukert,    PP-A,B,C             note after Actor table of PP-D should appear in PP-A,B,C                                C
                                                              Nevo, Smithson
 206     5/24/2006    6/19/2006                 6/13/2006     Smithson, Nevo    PP-A,B              need to update T.UD.PHY.OUTPUT in table 11 to correspond with changes                   C        see also email discussion about
                                                                                                    made in table 10                                                                                 T.UD.PHY.OUTPUT
 207     5/24/2006    6/19/2006                 6/12/2006       Smithson         PP-A               need to merge T.TSF.CRED.DISK in table 11 back into T.TSF.CRED                          C
 208     6/19/2006    7/26/2006                 7/24/2006         Wright          All               Submit revised PAR with new scope and purpose                                           C
 209     6/19/2006    7/19/2006                 8/29/2006         Aubry          PPs                Replace all instances of "/" with the word "or"                                         C        PP-A, B, C, D done
 210     6/19/2006    7/19/2006                 8/24/2006        Thrasher         5                 Correct the figures in clause 5 to make them consistent with the words                  C
 211     6/19/2006    7/19/2006                                 PP editors       PPs                Change clause 1.2 to read “The Target of Evaluation (TOE) of this Protection            A        was already an action item (see
                                                                                                    Profile is the entire Hardcopy Device (HCD) as available to end customers, i.e.,                 #193)
                                                                                                    the compliant configuration.”

 212     6/19/2006    7/19/2006                 8/30/2006      Nevo, Chen,     PP-B, PP-            Take basic robustness text (unmodified) from CIM instruction #3 and insert as           C
                                                                  Aubry         C, PP-D             clause 3.1.
 213     6/19/2006                                              Thrasher        Annex E             Update tables 61 and 63 to reflect DoS threat level elevations                          C
 214     6/20/2006    7/19/2006                                 Smithson        Annex E             Update Annex E to include T.EA.FAXBRIDGE                                                A        See AI #224
 215     6/20/2006    7/19/2006                                     ?              10               Create Compliance Clause                                                                A        see AI#260
 216     6/20/2006    7/19/2006                 7/18/2006     Smithson, Nevo   PP-A, PP-            Add T.EA.FAXBRIDGE                                                                      C        PP-A, B done, see email
                                                                                   B
 217     6/20/2006    7/19/2006                 8/29/2006         Aubry           PPs               Reflect modifications of term defs and threat defs into PPs                             C        PP Annexes done
                                                                                                                                                                                                     PP-A, B, C, D done
 218     6/19/2006    7/19/2006                                   Nevo             -                distribute copy or link to Air Force policy about fax/network separation                C
 219     6/19/2006    7/19/2006                 7/26/2006          all            all               consider T.UD.PHY.OUTPUT proposals (see June minutes and email of 6/30/06)              C        O.ACCESS for OpEnvA, not for
                                                                                                    and be prepared to decide at July meeting                                                        others
                                                                                                                                                                                                     OE.LOCATION, OE.TRAIN for
                                                                                                                                                                                                     B
                                                                                                                                                                                                     OE.TRAIN for C
                                                                                                                                                                                                     No requirement for D
 220     6/19/2006    7/19/2006                 7/26/2006           all           all               consider T.DOS.FAX proposal (see June minutes and email of 6/30/06) and be              C        Accepted without objection
                                                                                                    prepared to decide at July meeting                                                               Also, include an application
                                                                                                                                                                                                     note that recovery may not be
                                                                                                                                                                                                     fully automatic if such attacks
                                                                                                                                                                                                     result in exhausted
                                                                                                                                                                                                           consumables
 221     6/20/2006    7/19/2006                 8/29/2006         Aubry          PPs                short description changes for T.DOS.FAX and other threats; also long description        C        not T.DOS.FAX yet (see AI
                                                                                                    changes; see clause 7 changes                                                                    #220), but do the others
                                                                                                                                                                                                     PP-A, B, C, D done
 222     6/20/2006    7/19/2006                 7/15/2006       PP editors      PPs                 add TR 15446 reference?                                                                 C
  223     6/19/2006    7/19/2006                                 PP editors      PPs                 asset description changes from clause 6 update                                           C        PP-A, B, C & D done
 224     6/20/2006    7/19/2006                 8/23/2006       Smithson       Annex E              Add T.EA.FAXBRIDGE to Annex E tables (shoot for low score) and give to                  C
                                                                                                    Thrasher
 225     6/19/2006    7/19/2006                 7/27/2006           all          PPs                consider changes proposed by Smithson for PP threat/objective changes (see              C        Proposals 1,3, and 4 accepted
                                                                                                    June minutes and email of 6/16/2006)                                                             Proposal 2 rejected

 226     7/26/2006    8/30/2006                 11/21/2006      PP editors     PP-A, PP-            Add SFRs for T.EA.FAXBRIDGE                                                             C        ADV_ARC.1
                                                                                   B
 227     7/26/2006    8/30/2006                 8/30/2006    Smithson, Nevo,   PP-A, PP-            "HCD Availability" is an asset in PP-A, PP-B, PP-C. Update these PPs to reflect         C        PP-A,B,C and glossary done
                                                                  Chen          B, PP-C             the concept and name change. "HCD Availability" == "TOE Availability"
                                                                                                    (Glossary as well)
 228     7/26/2006    8/30/2006                 8/24/2006        Thrasher        6.2.5              Split Firmware out as 6.2.5.1 and Applet as 6.2.5.2                                     C
 229     7/26/2006    8/30/2006                 8/30/2006       PP editors      All PPs:            Change box entitled "Application Software" to two parallel boxes entitled               C        Figure done and distributed
                                                                                 Fig 1              "Firmware" and "Applets"                                                                         PP-A,B,C,D done
 230     7/26/2006    8/30/2006                 8/30/2006       PP Editors      All PPs:            Add "External Environment" cloud                                                        C        Figure done and distributed
                                                                                Fig 1 &                                                                                                              PP-A,B,C,D done
                                                                                Table 1
 231     7/26/2006    8/30/2006                 8/24/2006       Thrasher       Clause 2             Add "RIP" acronym -- Raster Image Processor                                             C
 232     7/26/2006    8/30/2006                 10/19/2006      Smithson         PPs                Resolve issue of FPT_RIP.1 and FPT_RIP.2 as per David Freas' e-mail of July             C        RIP.1 and RIP.2 have new
                                                                                                    16                                                                                               definitions in CCv3.1 (RIP.1 is
                                                                                                                                                                                                     subset, RIP.2 is full)
                                                                                                                                                                                                     Addressed in proposal lexington-
                                                                                                                                                                                                     23
  233     7/26/2006    8/30/2006                                 Smithson         PPs                Definition of "user security properties" from FIA_URE2 and "other user" from            A        FIA_URE not in CCv3.1
                                                                                                    FIA_UAU.2
 234     7/26/2006    8/30/2006                 10/18/2006      Smithson         PPs                Investigate need for A.NO_GENERAL_PURPOSE                                               C        Cannot make the assumption,
                                                                                                                                                                                                     because it would require
                                                                                                                                                                                                           OE.NO_GENERAL_PURPOSE
 236     7/26/2006    8/30/2006                                 All editors       All               Change "SNMP triggers" to "SNMP traps"                                                  C        Not a problem in PP-A,B,C, or
                                                                                                                                                                                                     D
 237     7/26/2006    8/30/2006                 8/24/2006       Thrasher       Clauses              Change the asset "Availability" to "HCD Availability" where appropriate                 C
 238     7/27/2006    8/30/2006                 8/23/2006       Smithson          PP                add (i.e. duplicate) definitions from PP tables into the Glossary appendix              C
                                                                               glossary
                                                                               appendix
 241     7/27/2006    8/30/2006                 8/23/2006       Smithson       Annex E              make necessary tweaks to threat analysis to support changes for                         C        SEE ALSO AI#198 (See AI
                                                                                                     T.UD.SNIFF.NET and T.TSF.AUD.ACCESS in PP-B, and give markup to                                  #244)
                                                                                                    Thrasher
  242     9/6/2006    10/16/2006                12/11/2006          Sukert        PPs          Proposal for methodology to mitigate command injection attacks                             A
  243     9/6/2006    10/16/2006                 12/4/2006           Nevo        PP-B          Remove T.UD.SNIFF.NET from PP-B                                                            C
  244     9/6/2006    10/16/2006                11/13/2006    Thrasher/Smithson Annex-E &       Keep T.TSF.AUD.ACCESS in PP-B, update annex E                                              C
                                                                                 Clause 7

 245      9/6/2006    10/16/2006                 5/30/2007         Wright           general         Find out what kind of acknowledgement can be put on an IEEE std.                      C        Don will work with IEEE staff to
                                                                                                                                                                                                   craft the words. SASB ProCom
                                                                                                                                                                                                   will provide general guidance
                                                                                                                                                                                                   on this at its meeting in June.

 247      9/7/2006    10/16/2006                 12/8/2006       PP editors        PP-B,C,D         change definition of Temporary Data per PP-A 22b                                      C
 248      9/7/2006    10/16/2006                 12/8/2006       PP editors        PP-B,C,D         change definition of Stored Data per PP-A 22b                                         C
 249      9/7/2006    10/16/2006                 12/8/2006       PP editors         PP-B,D          change definition of Management Data per PP-A 22b                                     C
 250      9/7/2006    10/16/2006                 12/8/2006         Aubry             PP-D           change O.NETWORK per PP-A 22b                                                         C
 251      9/7/2006    10/16/2006                 12/8/2006       PP editors          PPs            make sure line numbers are turned on for entire document                              C
 252      9/7/2006    10/16/2006                 12/8/2006       PP editors        PP-B,C,D         change table 11 to 10pt typeface                                                      C
 253      9/7/2006    10/16/2006                 12/11/2006     Chen/Sukert,        PP-C,D          one reference to "section 0" in 4.4: change it to point to section 1.2.1              C        C is done
                                                                   Aubry                            other reference to "section 0" should point to section 4
 254      9/7/2006    10/16/2006                 12/11/2006     Chen/Sukert          PP-C           reference to NIST EAL should be Common Criteria EAL                                   C
 255      9/7/2006    10/16/2006                 12/11/2006        Aubry             PPs            make sure all headers/footers update (problems due to section breaks)                 C        A, B & C are done
 256      9/7/2006    10/16/2006                 12/8/2006         Aubry             PP-D           some assumptions need review/rewording/deletion (like A.ADMIN, A.USER)                C

 257      9/7/2006    10/16/2006                 12/8/2006          Aubry            PP-D           add (back) the objectives and rationales (with a PP app note about using them,        C
                                                                                                    and the threats, to allow an ST writer to create an EAL2 ST)
 258      9/7/2006    10/16/2006                 10/20/2006       Smithson            PPs           refine the top-down SFR approach, identifying policies and using PP app notes         C        discuss at Lexington
                                                                                                    for specifics
 259      9/7/2006    10/16/2006                 9/24/2006        Smithson            PPs           get Freas comments on likelihood/value of getting PP-A and/or B adopted in            C        David Freas is attempting to get
                                                                                                    some form as a US govt PP                                                                      in contact with Audrey Dale at
                                                                                                                                                                                                   NIAP
 260      9/7/2006    10/16/2006                 10/18/2006        Nevo               PPs           draft a strawman compliance clause                                                    C        discuss at Lexington
 261      9/7/2006    10/16/2006                 10/20/2006       Smithson            PPs           ask Freas about PPs for production printing                                           C        discuss at Lexington
  262     10/24/2006   11/15/2006                 11/6/2006        Smithson            PPs           Schedule PP editors' face-to-face to work on CCv3.1 PPs                               A        decided not to
 263     10/23/2006   12/4/2006                                    Sukert             PPs           report on possibility of PP eval performed by CSC                                     C        impacted by NIAP directive on
                                                                                                                                                                                                   non-EAL 4, 5, 6, 7 PPs
 264     10/23/2006   12/4/2006                  12/11/2006        Cybuck             PPs           report on possibility of PP eval performed by SAIC, BAH                               C        SAIC=Canada, maybe UK
                                                                                                                                                                                                   BAH= unknown
 265     10/23/2006   12/4/2006                  12/11/2006       Thrasher            PPs           report on possibility of PP eval performed by COACT                                   C        COACT does not
 266     10/23/2006   12/4/2006                                   Thrasher          Clauses         evaluate (and implement?) restructuring of main body as standalone std                C
 267     10/23/2006   12/4/2006                  2/21/2007         Nevo                10           restate the PP objectives (not in CC terminology) and provide references to           C        Compliance Clause covers this
                                                                                                     example mitigation techniques, O.* for manufacturers and OE.* for IT
                                                                                                    professionals (see meeting #23 slide 20 for more detail)
  269     10/23/2006   12/4/2006                  5/25/2007         Sukert            PP-A           create mapping for existing CIM, like Chen's mapping of PP-C                           C        Sukert's mapping of PP-A will
                                                                                                                                                                                                   be reviewed during the May
                                                                                                                                                                                                   meeting.
  270     10/24/2006   12/4/2006                  12/11/2006     Thrasher, PP          PPs           add O.NETWORK to T.DOS.NET.CONNECT|CRAFT|FLOOD (rationale: flow                       C        threat/objective worksheets
                                                                   Editors                          control helps mitigate the threat)                                                             done
                                                                                                                                                                                                   PP-A, B, C done
 271     10/24/2006   12/4/2006                  12/11/2006     Thrasher, PP          PPs           remove O.PROTECT from all threats except T.UD.SALVAGE and                             C        threat/objective worksheets
                                                                   Editors                          T.TSF.SALVAGE                                                                                  done
                                                                                                                                                                                                   PP-A, B, C done
 272     10/24/2006   12/4/2006                                  PP Editors           PPs           remove O.ACCESS, O.NETWORK, and O.MONITOR from                                        A        handled by new threat/objective
                                                                                                    T.TSF.CRED.GUESS, and to add OE.TRAIN to T.TSF.CRED.GUESS                                      model
 273     10/24/2006   12/4/2006                  12/11/2006     Thrasher, PP          PPs           add O.DELETE to T.TSF.SALVAGE (rationale: consistent with T.UD.SALVAGE)               C        threat/objective worksheets
                                                                   Editors                                                                                                                         done
                                                                                                                                                                                                   PP-A, B, C done
 274     10/24/2006   12/4/2006                  11/21/2006       Smithson           SFRs           review SFRs and look for audit and management recommendations in CC Part 2;           C        see audit-notes and mgmt-
                                                                                                    consider adding audit/mgmt SFRs as needed                                                      notes for meeting 24
 275     10/24/2006   12/4/2006                  12/11/2006       Smithson           SFRs           add FCS_COP.1 (and related dependencies) to O.NETWORK for environments                C        added to SFR worksheet
                                                                                                    A (user and mgmt data) and B|C (mgmt data only)                                                PP-A done
 276     10/24/2006   12/4/2006                  11/21/2006       Smithson           SFRs           add FDP_UCT.1 and FDP_UIT.1 to O.NETWORK for environment A                            A        we decided "no" on this and
                                                                                                                                                                                                   they are not specified for the
                                                                                                                                                                                                   equivalent new objectives

 277     10/24/2006   12/4/2006                  11/21/2006       Smithson           SFRs           should we add FMT_MOF.1 to O.ACCESS to environment A and maybe B|C (for               A        we decided "no" on this and it is
                                                                                                    CIM)?                                                                                          not specified for the equivalent
                                                                                                                                                                                                   new objectives
 278     10/24/2006   12/4/2006                                   Smithson           SFRs           should we add FMT_MSA.3 for O.ACCESS for A|B and maybe C?                             A        we decided "yes" on this and
                                                                                                                                                                                                   the dependency is already
                                                                                                                                                                                                   fulfilled for the equivalent new
                                                                                                                                                                                                   objectives
 279     10/24/2006   12/4/2006                  11/21/2006       Smithson           SFRs           should we add FMT_REV.1 for O.ACCESS (would this be used for such things              A        we decided "no" on this, and it
                                                                                                    as deleting a user?)?                                                                          is not specified for the new
                                                                                                                                                                                                   equivalent objectives
 280     10/24/2006   12/4/2006                  11/21/2006       Smithson           SFRs           should we add FRU_FLT.1 and its dependency FPT_FLS.1 for O.RESILIENT                  A        we decided "no" on this, and
                                                                                                    (instead of ATE_FUN.1)?                                                                        they are not specified for the
                                                                                                                                                                                                   new equivalent objectives

 281     10/24/2006   12/4/2006                               Smithson / Volkoff     SFRs           should we expand the definition of O.GENUINE to include validation (trust) of         A        we reversed the "yes" decision
                                                                                                    software updates and applet loads?                                                             on this in subsequent meetings

 282     10/24/2006   12/4/2006                                   Smithson           SFRs           should we add FTP_ITC.1 for O.GENUINE (if we decide on #281)                          A        ITC is not the correct SFR but
                                                                                                                                                                                                   we do use TRP for network-
                                                                                                                                                                                                   loaded software updates

 283     10/24/2006   12/4/2006                  2/15/2007        Smithson           SFRs           complete the proposed example entity model                                            C        covered in the new PP-A
                                                                                                                                                                                                   diagrams
 284     10/24/2006   12/4/2006                                Smithson/Aubry        PP-D           is it OK to remove T.TSF.SW.UPDATE from PP-D?                                         A        we reversed the "yes" decision
                                                                                                                                                                                                   on this in subsequent meetings;
                                                                                                                                                                                                   it will be added to PP-D driven
                                                                                                                                                                                                   by AI#344

 285     12/11/2006   2/15/2007                                   Smithson         Clause 7 &       T.EA.FAXBRIDGE removed from PP-C, updated as appropriate                              A        threat has been replaced in new
                                                                                    Annex E                                                                                                        model
 286     12/11/2006   2/15/2007                                   Smithson            PPs           analyze CIM instructions, recommend what to include as requirements and what          A        we cannot recommend CIM
                                                                                                    to put in an informative annex                                                                 items for ST authors because it
                                                                                                                                                                                                   will not result in a CIM-
                                                                                                                                                                                                   compliant ST; an ST is CIM-
                                                                                                                                                                                                   compliant only if it is based on
                                                                                                                                                                                                   a CIM-compliant PP
  287    12/11/2006   2/15/2007                 4/24/2007          ALL           PPs                invited comments for next meeting, regarding T.DOS and T.EA:                                      C
                                                                                                    which threats are not testable?
                                                                                                    which threats are never covered by other PPs or STs?
                                                                                                     which threats are not mitigable?
                                                                                                    what other details are needed in the threat or objective descriptions to make them
                                                                                                    more clearly understood and testable?
                                                                                                    what SFRs or SARs would apply?

                                                                                                      POST TO MAILING LIST ASAP!!
 288     12/11/2006   2/15/2007                                 Smithson          PPs                 unroll threat categories and create new tables for PP-A - use FULL descriptions                 A        we have new threats
                                                                                                      from the clauses, not short descriptions
 289     12/11/2006   2/15/2007                                  Nevo,         PP B,C,D               use tables from AI#288 to unroll threats (remove threats that do not apply to your              A        we have new threats
                                                              Chen/Sukert,                            PP)
                                                                 Aubry
 290     12/11/2006   2/15/2007                                 Smithson          PPs                 propose objective names to resolve the problem of same name / different                         A        new objectives model doesn't
                                                                                                      meaning in different environments                                                                        have this problem
 291     12/11/2006   2/15/2007                 2/19/2007      JBMIA study        PPs                 contact IPA and ask if explicit statement of which SFRs apply to functions is                   C        IPA: requires multiple individual
                                                                 group                                acceptable, or is a family of PPs required?                                                              PPs or a family of PPs

 292     12/11/2006   2/15/2007                 5/30/2007        Cybuck           PPs                 contact NIAP and ask if explicit statement of which SFRs apply to functions is                  A        will verify "unofficial" answer
                                                                                                      acceptable, or is a family of PPs required?                                                              from Howard Cohen.

 293     12/11/2006   2/15/2007                                 Smithson          PPs                 add TOE availability to 1.2.3.3, clarify that it does not apply to external factors like        A        availability no longer an asset in
                                                                                                      fires, floods, etc.                                                                                      new model
 294     12/11/2006   2/15/2007                                 Smithson          PPs                 add EA to 1.2.3.3                                                                               A        EA no longer an asset in new
                                                                                                                                                                                                               model
 295     12/11/2006   2/15/2007                                 PP Editors        PPs                 change definition of UDD asset to NOT include hardcopy input                                    A        UDD states in new model are
                                                                                                                                                                                                               specific and input is not
                                                                                                                                                                                                               considered in PPs
 296     12/12/2006   2/15/2007                                 Smithson          PPs                 update SFR worksheet per sfr-notes24b.txt                                                       A        we have a new SFR worksheet
                                                                                                                                                                                                               based on new model

 297     12/12/2006   2/15/2007                 5/30/2007         Sukert          PPs                 check with CSC to see if FTP_ITC is sufficient and FCS_COP is not needed                        C        Some schemes may require
                                                                                                                                                                                                               COP (1 & 2) if ITC is used.
                                                                                                                                                                                                               * Check NIAP policy letter #9
 299     12/12/2006   2/15/2007                 2/19/2007       Smithson          PPs                 further research on interpretation of "unspecified" audit, including IPA                        C        question forwarded to people
                                                                                                      interpretation                                                                                           visiting IPA on 2/19/07:
                                                                                                                                                                                                               We can use unspecified in the
                                                                                                                                                                                                               PP but ST writers would have
                                                                                                                                                                                                               to pick one of the standard ones
                                                                                                                                                                                                               or justify something unique.


 300     12/12/2006   2/15/2007                                 Smithson          PPs                 identify which threats are mitigated by O.MONITOR, and propose to keep them                     A        new model accounts for audit
                                                                                                      and create audit requirement, or remove them and rely on other objectives                                recommendations of all SFRs

 301     12/12/2006   2/15/2007                 5/30/2007         Sukert        clauses,              share what you can about mitigating T.DOS.PRT.DELETE                                            A        See also AI #287
                                                                                  PPs
 302     12/12/2006   2/15/2007                  2/2/2007       Thrasher          main                extract text that should be placed in "guide to PPs" and save in a new document                 C        Document is available from
                                                                                                      for the new editor of that document                                                                      Thrasher.
 303     12/12/2006   2/15/2007                 4/25/2007     guide to PPs     PP guide               add T.DOS.FAX threats to PP threat table, if we decide to retain those DOS                      C        decided against DOS threats
                                                                  editor                              threats
 304     12/12/2006   2/15/2007                              Aubry and other      all                 resolve discrepancies in definitions of UFD, MD, and TSF data, and associated                   A        new model has no such
                                                               PP Editors                             threats                                                                                                  discrepancies
 306     12/12/2006   2/15/2007                 5/30/2007        Sukert           PPs                 ask a CC evaluator about having unused terminology that is defined in a PP (like                C        not a problem
                                                                                                      "auditor" in PP-C, or "maintenance port" in PP-D)
 307     12/12/2006   2/15/2007                  4/4/2007       Smithson        clauses,              write up assets, threats, objectives to clarify protection of external environment,             C        used OSPs in P2600.1-26d
                                                                                   PPs                 look at Océ STs for example
 308     12/12/2006   2/15/2007                                 Smithson         SFRs                 look at T.UD.ACC.HACK interfaces (on worksheet) -- should be different                          A        new model doesn't have this
                                                                                                      interfaces than "normal"                                                                                 issue
 309     12/12/2006   2/15/2007                  2/2/2007       Thrasher        clause 3              check definitions of volatile and non-volatile storage                                          C        erased and "lost" might not be
                                                                                                                                                                                                               the right words to use here.
                                                                                                                                                                                                                Check NIST document on
                                                                                                                                                                                                                media sanitization (SP 800-88)


 310     12/12/2006   2/15/2007                 2/21/2007         Nevo         clause 10              Use "network administrator" since we haven't defined a "security administrator."                C

 311     12/12/2006   2/17/2007                                 Smithson          PPs                 clarify that .EM threats refer to emissions from the wire, not from the device                  A        abandoned, new model doesn't
                                                                                                                                                                                                                care how you sniff the network, it
                                                                                                                                                                                                               only cares what you can smell

 312     2/22/2007    4/17/2007                              Smithson/Cybuck     admin                Invite Labs to come to our NJ meeting to talk about alternate business plans to                 C        SAIC, Infogard, COACT,
                                                                                                      get PP certified.                                                                                        Cygnacom, Corsec, EWA
                                                                                                                                                                                                               Canada, CC Consulting, BAH,
                                                                                                                                                                                                               atsec invited
 313     2/22/2007    4/17/2007                 5/17/2007    Smithson/Cybuck     admin                Invite/confirm NIAP to attend May meeting in DC                                                 C        cannot attend but will respond
                                                                                                                                                                                                               to questions and will review
                                                                                                                                                                                                               FPP
 314     2/22/2007    4/17/2007                  3/1/2007        Farrell         admin                find out if MS will host PWG in July                                                            C        yes they will
 315     2/22/2007    4/17/2007                                 Smithson         admin                confirm Ricoh hosting October meeting in Cupertino                                              C        yes they will
 316     2/22/2007    4/17/2007                  4/5/2007       Smithson         admin                send individual action item reminders                                                           C
 318     2/22/2007    4/17/2007                                  Cybuck           PPs                 confirm with NIAP that they do or do not require individual PPs for HCD functions               C        NIAP does not require (related
                                                                                                                                                                                                               to AI #292)
 319     2/22/2007    4/17/2007                 3/15/2007         Ueda            PPs                 post a copy of the IPA meeting minutes to stds-2600 list (in Japanese is OK)                    C

 320     2/22/2007    4/17/2007                                Nevo/Cybuck        PPs                 prepare draft of alternative proposal for PP structure                                          C
 321     2/22/2007    4/17/2007                               Farrell, Chen,      PPs                 review Nevo/Cybuck draft proposal for PP structure                                              C
                                                                  Sukert
 323     2/22/2007    4/17/2007                               UNASSIGNED          PPs                 modify PP objectives as needed to correspond with changes in compliance                         A        we have new PP objectives
                                                                                                      clause 25a 1.2.1.1, 1.2.1.4, and 1.2.2.2
 324     2/22/2007    4/17/2007                               UNASSIGNED          PPs                 DoS mitigation objective (compliance clause 1.1.1.6) should not protect ALL                     A        DoS objectives removed from
                                                                                                      assets; needs to be redefined                                                                            PPs and therefore from
                                                                                                                                                                                                               compliance clause
 326     2/22/2007    4/17/2007                                   Nevo         compliance             include a statement instructing vendors on how to claim compliance with P2600,                  C        In clause 10
                                                                                 clause               for example "This product conforms to IEEE Std. 2600 for Operational
                                                                                                      Environment A"
 327     2/23/2007    4/17/2007                                 Smithson          PPs                 revisit Demonstrable vs. Strict conformance on mailing list                                     C        Use demonstrable
 329     2/23/2007    4/17/2007                  3/2/2007        Ueda             PPs                 post a copy of the DOS/DDOS slides to the mailing list                                          C
 330     2/23/2007    4/17/2007                                   ALL             PPs                 review DoS issues, discuss, and be prepared to make decision in April 07                        C

 330a    4/24/2007    5/23/2007                 5/15/2007         Nevo            PPs                 verify that using an SAR to fulfill an objective of an OSP is acceptable to IPA                 C        It is not acceptable. See CC
                                                                                                                                                                                                               part 1, A.9.1.2.1 and A.9.2
  331    4/24/2007    5/23/2007                 5/14/2007       Smithson       PPs             restructure the FPP so that each contained PP is standalone, not relying on        C
                                                                                               rationale tables
 333     4/24/2007    5/23/2007                 5/14/2007      Smithson        PPs             create mapping for new asset/threat model to old one                               C
 337     4/25/2007    5/23/2007                 5/22/2007      Smithson        PPs             arrange to discuss and reach consensus on decision for/against new                 C
                                                                                               asset/threat/objectives model (before May meeting)
 338     5/15/2007    5/23/2007                 5/24/2007      Smithson        PPs             send links to NIAP, BSI, ask for opinion on FPP structure                          C
