Common Criteria ISO/IEC 15408 Parts 2 & 3 Decomposed Requirements

UNCLASSIFIED

Click on a link to navigate to that section of the Common Criteria ISO/IEC 15408 Manual, Parts 2 & 3, or use the tabs at the bottom of the screen to open the individual requirements spreadsheet. Assurance (A) requirements are listed on the left hand side of the page, while functional (F) requirements are listed on the right hand side.

Assurance Component by Evaluation Assurance Level (Part 3 v.3.1)

Each cell gives the component level of the assurance family included at that EAL; "-" means the family is not included at that level. The EAL4+ column is empty in the source sheet.

Assurance Class             Assurance Family   EAL1  EAL2  EAL3  EAL4  EAL5  EAL6  EAL7  EAL4+
Development                 ADV_ARC            -     1     1     1     1     1     1
Development                 ADV_FSP            1     2     3     4     5     5     6
Development                 ADV_IMP            -     -     -     1     1     2     2
Development                 ADV_INT            -     -     -     -     2     3     3
Development                 ADV_SPM            -     -     -     -     -     1     1
Development                 ADV_TDS            -     1     2     3     4     5     6
Guidance Document           AGD_OPE            1     1     1     1     1     1     1
Guidance Document           AGD_PRE            1     1     1     1     1     1     1
Lifecycle Support           ALC_CMC            1     2     3     4     4     5     5
Lifecycle Support           ALC_CMS            1     2     3     4     5     5     5
Lifecycle Support           ALC_DEL            -     1     1     1     1     1     1
Lifecycle Support           ALC_DVS            -     -     1     1     1     2     2
Lifecycle Support           ALC_FLR            -     -     -     -     -     -     -
Lifecycle Support           ALC_LCD            -     -     1     1     1     1     2
Lifecycle Support           ALC_TAT            -     -     -     1     2     3     3
Security Target Evaluation  ASE_CCL            1     1     1     1     1     1     1
Security Target Evaluation  ASE_ECD            1     1     1     1     1     1     1
Security Target Evaluation  ASE_INT            1     1     1     1     1     1     1
Security Target Evaluation  ASE_OBJ            1     2     2     2     2     2     2
Security Target Evaluation  ASE_REQ            1     2     2     2     2     2     2
Security Target Evaluation  ASE_SPD            -     1     1     1     1     1     1
Security Target Evaluation  ASE_TSS            1     1     1     1     1     1     1
Tests                       ATE_COV            -     1     2     2     2     3     3
Tests                       ATE_DPT            -     -     1     2     3     3     4
Tests                       ATE_FUN            -     1     1     1     1     2     2
Tests                       ATE_IND            1     2     2     2     2     2     3
Vulnerability Assessment    AVA_VAN            1     2     2     3     4     5     5

Functional Requirements (Part 2 v.3.1)

Functional class and the families it contains:

FAU: ARP, GEN, SAA, SAR, SEL, STG
FCO: NRO, NRR
FDP: ACC, ACF, DAU, ETC, IFC, IFF, ITC, ITT, RIP, ROL, SDI, UCT, UIT
FIA: AFL, ATD, SOS, UAU, UID, USB
FMT: MOF, MSA, MTD, REV, SAE, SMF, SMR
FPR: ANO, PSE, UNL, UNO
FPT: AMT, FLS, ITA, ITC, ITI, ITT, PHP, RCV, RPL, SSP, STM, TDC, TRC, TST
FTA: LSA, MCS, SSL, TAB, TAH, TSE
FRU: FLT, PRS, RSA
FCS: CKM, COP
FTP: ITC, TRP
EAL 4 Assurance Requirements (CC)

Each assurance component is listed with its class, its dependencies, its developer elements (FID, suffix D) and its content and presentation elements (CID, suffix C).

ADV_ARC.1 (Class ADV)
Dependencies: ADV_FSP.1 Basic functional specifications; ADV_TDS.1 Basic design
ADV_ARC.1.1D   The developer shall design and implement the TOE so that the security features of the TSF cannot be bypassed.
ADV_ARC.1.2D   The developer shall design and implement the TSF so that it is able to protect itself from tampering by untrusted active entities.
ADV_ARC.1.3D   The developer shall provide a security architecture description of the TSF.
ADV_ARC.1.1C   The security architecture description shall be at a level of detail commensurate with the description of the SFR-enforcing abstractions described in the TOE design document.
ADV_ARC.1.2C   The security architecture description shall describe the security domains maintained by the TSF consistently with the SFRs.
ADV_ARC.1.3C   The security architecture description shall describe how the TSF initialization process is secure.
ADV_ARC.1.4C   The security architecture description shall demonstrate that the TSF protects itself from tampering.
ADV_ARC.1.5C   The security architecture description shall demonstrate that the TSF prevents bypass of the SFR-enforcing functionality.

ADV_FSP.1 (Class ADV)
Dependencies: None
ADV_FSP.1.1D   The developer shall provide a functional specification.
ADV_FSP.1.2D   The developer shall provide a tracing from the functional specification to the SFRs.
ADV_FSP.1.1C   The functional specification shall a function specification.
ADV_FSP.1.2C   The functional specification shall identify all parameters associated with each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.3C   The functional specification shall provide rationale for the implicit categorization of interfaces as SFR-
ADV_FSP.1.4C   The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification.

ADV_IMP.1 (Class ADV)
Dependencies: ADV_TDS.3 Basic modular design; ALC_TAT.1 Well-defined development tools
ADV_IMP.1.1D   The developer shall make available the implementation representation for the entire TSF.
ADV_IMP.1.2D   The developer shall provide a mapping between the TOE design description and the sample of the implementation representation.
ADV_IMP.1.1C   The implementation representation shall define the TSF to a level of detail such that the TSF can be generated without further design decisions.
ADV_IMP.1.2C   The implementation representation shall be in the form used by the development personnel.
ADV_IMP.1.3C   The mapping between the TOE design description and the sample of the implementation representation shall demonstrate their correspondence.

ADV_TDS.3 (Class ADV)
Dependencies: ADV_FSP.4 Complete functional specification
ADV_TDS.3.1D   The developer shall provide the design of the TOE.
ADV_TDS.3.2D   The developer shall provide a mapping from the TSFI of the functional specification to the lowest level of decomposition available in the TOE design.
ADV_TDS.3.1C   The design shall describe the structure of the TOE in terms of subsystems.
ADV_TDS.3.2C   The design shall describe the TSF in terms of modules.
ADV_TDS.3.3C   The design shall identify all subsystems of the TSF.
ADV_TDS.3.4C   The design shall provide a description of each subsystem of the TSF.
ADV_TDS.3.5C   The design shall provide a description of the interactions among all subsystems of the TSF.
ADV_TDS.3.6C   The design shall provide a mapping from the subsystems of the TSF to the modules of the TSF.
ADV_TDS.3.7C   The design shall describe each SFR-enforcing module in terms of its purpose.
ADV_TDS.3.8C   The design shall describe each SFR-enforcing module in terms of its SFR-related interfaces, return values from those interfaces, and called interfaces to other modules.
ADV_TDS.3.9C   The design shall describe each SFR-supporting or SFR-non-interfering module in terms of its purpose and interaction with other modules.
ADV_TDS.3.10C  The mapping shall demonstrate that all behaviour described in the TOE design is mapped to the TSFI that invoke it.

AGD_OPE.1 (Class AGD)
Dependencies: ADV_FSP.1 Basic functional specifications
AGD_OPE.1.1D   The developer shall provide operational user guidance.
AGD_OPE.1.1C   The operational user guidance shall describe, for each user role, the user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
AGD_OPE.1.2C   The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner.
AGD_OPE.1.3C   The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.
AGD_OPE.1.4C   The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_OPE.1.5C   The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operations.
AGD_OPE.1.6C   The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST.
AGD_OPE.1.7C   The operational user guidance shall be clear and reasonable.

AGD_PRE.1 (Class AGD)
Dependencies: None
AGD_PRE.1.1D   The developer shall provide the TOE including its preparative procedures.
AGD_PRE.1.1C   The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures.
AGD_PRE.1.2C   The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.

ALC_CMC.1 (Class ALC)
Dependencies: ALC_CMS.1 TOE CM coverage
ALC_CMC.1.1D   The developer shall provide the TOE and a reference for the TOE.
ALC_CMC.1.1C   The TOE shall be labelled with its unique reference.

ALC_CMS.1 (Class ALC)
Dependencies: None
ALC_CMS.1.1D   The developer shall provide a configuration list for the TOE.
ALC_CMS.1.1C   The configuration list shall include the following: the TOE itself; the evaluation evidence required by the SARs.
ALC_CMS.1.2C   The configuration list shall uniquely identify the configuration items.

ALC_DEL.1 (Class ALC)
Dependencies: None
ALC_DEL.1.1D   The developer shall document procedures for delivery of the TOE or parts of it to the consumer.
ALC_DEL.1.2D   The developer shall use the delivery procedures.
ALC_DEL.1.1C   The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to the consumer.

ALC_DVS.1 (Class ALC)
Dependencies: None
ALC_DVS.1.1D   The developer shall produce development security documentation.
ALC_DVS.1.1C   The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.

ALC_LCD.1 (Class ALC)
Dependencies: None
ALC_LCD.1.1D   The developer shall establish a life cycle model to be used in the development and maintenance of the TOE.
ALC_LCD.1.2D   The developer shall provide life cycle definition documentation.
ALC_LCD.1.1C   The life cycle definition documentation shall describe the model used to develop and maintain the TOE.
ALC_LCD.1.2C   The life cycle model shall provide for the necessary control over the development and maintenance of the TOE.

ALC_TAT.1 (Class ALC)
Dependencies: ADV_IMP.1 Implementation representation of the TSF
ALC_TAT.1.1D   The developer shall identify each development tool being used for the TOE.
ALC_TAT.1.2D   The developer shall document the selected implementation-dependent options of each development tool.
ALC_TAT.1.1C   Each development tool used for implementation shall be well defined.
ALC_TAT.1.2C   The documentation of each development tool shall unambiguously define the meaning of all statements as well as all conventions and directives used in the implementation.
ALC_TAT.1.3C   The documentation of each development tool shall unambiguously define the meaning of all implementation-dependent options.

ATE_FUN.1 (Class ATE)
Dependencies: ATE_COV.1 Evidence of coverage
ATE_FUN.1.1D   The developer shall test the TSF and document the results.
ATE_FUN.1.1C   The test documentation shall consist of test plans, expected test results and actual test results.
ATE_FUN.1.2C   The test plan shall identify the tests to be performed and describe the scenarios for performing each test. These scenarios shall include any ordering dependencies on the results of other tests.
ATE_FUN.1.3C   The expected test results shall show the anticipated outputs from a successful execution of the tests.
ATE_FUN.1.4C   The actual test results shall be consistent with the expected test results.

ATE_IND.1 (Class ATE)
Dependencies: ADV_FSP.1 Basic functional specifications; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
ATE_IND.1.1D   The developer shall provide the TOE for testing.
ATE_IND.1.1C   The TOE shall be suitable for testing.

AVA_VAN.1 (Class AVA)
Dependencies: ADV_FSP.1 Basic functional specifications; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
AVA_VAN.1.1D   The developer shall provide the TOE for testing.
AVA_VAN.1.1C   The TOE shall be suitable for testing.

ATE_COV.2 (Class ATE)
Dependencies: ADV_FSP.2 Security-enforcing functional specifications; ATE_FUN.1 Functional testing
ATE_COV.2.1D   The developer shall provide an analysis of the test coverage.
ATE_COV.2.1C   The analysis of the test coverage shall demonstrate the correspondence between the tests in the test documentation and the TSFIs in the functional specification.
ATE_COV.2.2C   The analysis of the test coverage shall demonstrate that all TSFIs in the functional specification have been tested.

ATE_DPT.2 (Class ATE)
Dependencies: ADV_ARC.1 Security architecture description; ADV_TDS.3 Basic modular design; ATE_FUN.1 Functional testing
ATE_DPT.2.1D   The developer shall provide the analysis of the depth of testing.
ATE_DPT.2.1C   The analysis of the depth of testing shall demonstrate the correspondence between the tests in the test documentation and the TSF subsystems and modules in the TOE design.
ATE_DPT.2.2C   The analysis of the depth of testing shall demonstrate that all TSF subsystems in the TOE design have been tested.
ATE_DPT.2.3C   The analysis of the depth of testing shall demonstrate that the SFR-enforcing modules in the TOE design have been tested.

ASE_CCL.1 (Class ASE)
Dependencies: ASE_INT.1 ST introduction; ASE_ECD.1 Extended components definition; ASE_REQ.1 Stated security requirements
ASE_CCL.1.1D   The developer shall provide a conformance claim.
ASE_CCL.1.2D   The developer shall provide a conformance claim rationale.
ASE_CCL.1.1C   The conformance claim shall contain a CC conformance claim that identifies the version of the CC to which the ST and the TOE claim conformance.
ASE_CCL.1.2C   The CC conformance claim shall describe the conformance of the ST to CC Part 2 as either CC Part 2 conformant or CC Part 2 extended.
ASE_CCL.1.3C   The CC conformance claim shall describe the conformance of the ST to CC Part 3 as either CC Part 3 conformant or CC Part 3 extended.
ASE_CCL.1.4C   The CC conformance claim shall be consistent with the extended components definition.
ASE_CCL.1.5C   The conformance claim shall identify all PPs and security requirement packages to which the ST claims conformance.
ASE_CCL.1.6C   The conformance claim shall describe any conformance of the ST to a package as either package conformant or package augmented.
ASE_CCL.1.7C   The conformance claim rationale shall demonstrate that the TOE type is consistent with the TOE type in the PPs for which conformance is being claimed.
ASE_CCL.1.8C   The conformance claim rationale shall demonstrate that the statement of the security problem definition is consistent with the statements of the security problem definition in the PPs for which conformance is being claimed.
ASE_CCL.1.9C   The conformance claim rationale shall demonstrate that the statement of security objectives is consistent with the statement of security objectives in the PPs for which conformance is being claimed.
ASE_CCL.1.10C  The conformance claim rationale shall demonstrate that the statement of security requirements is consistent with the statement of security requirements in the PPs for which conformance is being claimed.

ASE_SPD.1 (Class ASE)
Dependencies: None
ASE_SPD.1.1D   The developer shall provide a security problem definition.
ASE_SPD.1.1C   The security problem definition shall describe the threats.
ASE_SPD.1.2C   All threats shall be described in terms of a threat agent, an asset, and an adverse action.
ASE_SPD.1.3C   The security problem definition shall describe the OSPs.
ASE_SPD.1.4C   The security problem definition shall describe the assumptions about the operational environment of the TOE.

ASE_OBJ.1 (Class ASE)
Dependencies: None
ASE_OBJ.1.1D   The developer shall provide a statement of security objectives.
ASE_OBJ.1.1C   The statement of security objectives shall describe the security objectives for the operational environment.

ASE_ECD.1 (Class ASE)
Dependencies: None
ASE_ECD.1.1D   The developer shall provide a statement of security requirements.
ASE_ECD.1.2D   The developer shall provide an extended components definition.
ASE_ECD.1.1C   The statement of security requirements shall identify all extended security requirements.
ASE_ECD.1.2C   The extended components definition shall define an extended component for each extended security requirement.
ASE_ECD.1.3C   The extended components definition shall describe how each extended component is related to the existing CC components, families, and classes.
ASE_ECD.1.4C   The extended components definition shall use the existing CC components, families, classes, and methodology as a model for presentation.
ASE_ECD.1.5C   The extended components shall consist of measurable and objective elements such that conformance or nonconformance to these elements can be demonstrated.

ASE_REQ.1 (Class ASE)
Dependencies: ASE_ECD.1 Extended components definition
ASE_REQ.1.1D   The developer shall provide a statement of security requirements.
ASE_REQ.1.2D   The developer shall provide a security requirements rationale.
ASE_REQ.1.1C   The statement of security requirements shall describe the SFRs and the SARs.
ASE_REQ.1.2C   All subjects, objects, operators, security attributes, external entities and other terms that are used in the SFRs and the SARs shall be defined.
ASE_REQ.1.3C   The statement of security requirements shall identify all operations on the security requirements.
ASE_REQ.1.4C   All operations shall be performed correctly.
ASE_REQ.1.5C   Each dependency of the security requirements shall either be satisfied, or the security requirements rationale shall justify the dependency not being satisfied.
ASE_REQ.1.6C   The statement of security requirements shall be internally consistent.

ASE_TSS.1 (Class ASE)
Dependencies: ASE_INT.1 ST introduction; ASE_REQ.1 Stated security requirements
ASE_TSS.1.1D   The developer shall provide a TOE summary specification.
ASE_TSS.1.1C   The TOE summary specification shall describe how the TOE meets each SFR.

ASE_INT.1 (Class ASE)
Dependencies: None
ASE_INT.1.1D   The developer shall provide an ST introduction.
ASE_INT.1.1C   The ST introduction shall contain an ST reference, a TOE reference, a TOE overview and a TOE description.
ASE_INT.1.2C   The ST reference shall uniquely identify the ST.
ASE_INT.1.3C   The TOE reference shall identify the TOE.
ASE_INT.1.4C   The TOE overview shall summarize the usage and major security features of the TOE.
ASE_INT.1.5C   The TOE overview shall identify the TOE type.
ASE_INT.1.6C   The TOE overview shall identify any non-TOE hardware/software/firmware required by the TOE.
ASE_INT.1.7C   The TOE description shall describe the physical scope of the TOE.
ASE_INT.1.8C   The TOE description shall describe the logical scope of the TOE.
                                                            EAL 4 Assurance Requireme
Class   Family   Dependencies                              FID

                                                           ADV_ARC
ADV     ARC.1    ADV_FSP.1 Basic functional specifications .1.1D


                                                           ADV_ARC
                 ADV_TDS.1 Basic dsign                     .1.2D
                                                           ADV_ARC
                                                           .1.3D




                                                           ADV_FSP
ADV     FSP.2    ADV.TDS.1 Basic Design                    .2.1D

                                                           ADV_FSP
                                                           .2.2D




                                                           ADV_IMP.
ADV     IMP.1    ADV_TDS.3 Basic Modular Design            1.1D


                 ALC_TAT.1 Well defined development        ADV_IMP.
                 tools                                     1.2D



                 ADV_FSP.2 Security enforcing functional   ADV_TDS
ADV     TDS.1    specification                             .1.1D



                                                           ADV_TDS
                                                           .1.2D
                                                        AGD_OP
AGD   OPE.1   ADV_FSP.1 Basic functional specifications E.1.1D




                                                     AGD_PR
AGD   PRE.1   None                                   E.1.1D




                                                     ALC_CM
ALC   CMC.2   ALC_CMS.1 TOE CM coverage              C.2.1D
                                                     ALC_CM
                                                     C.2.2D
                                                     ALC_CM
                                                     C.2.3D

                                                     ALC_CMS
ALC   CMS.2   None                                   .4.1D
                                                         ALC_DEL.
ALC   DEL.1   None                                       1.1D
                                                         ALC_DEL.
                                                         1.2D



                                                         ALC_DVS
ALC   DVS.1   None                                       .1.1D

                                                         ALC_LCD
ALC   LCD.1   None                                       .1.1D
                                                         ALC_LCD
                                                         .1.2D

              ADV_IMP.1 Implementation representation ALC_TAT.
ALC   TAT.1   of the TSF                              1.1D

                                                         ALC_TAT.
                                                         1.2D



                                                         ATE_FUN
ATE   FUN.1   ATE_COV.1 Evidence of coverage             .1.1D




              ADV_FSP.2 Security enforcing functional    ATE_IND.
ATE | IND.2 | ADV_FSP.2 Security enforcing functional specifications; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures; ATE_COV.1 Evidence of coverage; ATE_FUN.1 Functional testing | ATE_IND.2.1D
AVA | VAN.2 | ADV_ARC.1 Security architecture description; ADV_FSP.1 Basic functional specifications; ADV_TDS.1 Basic design; AGD_PRE.1 Preparative procedures; AGD_OPE.1 Operational user guidance | AVA_VAN.1.1D
ATE | COV.1 | ADV_FSP.2 Security enforcing functional specifications; ATE_FUN.1 Functional testing | ATE_COV.1.1D
ATE | DPT.2 | ADV_ARC.1 Security architecture description; ADV_TDS.3 Basic modular design; ATE_FUN.1 Functional testing | ATE_DPT.2.1D
ASE | CCL.1 | ASE_ECD.1 Extended components definitions; ASE_REQ.1 Stated security requirements | ASE_CCL.1.1D; ASE_CCL.1.2D
ASE | SPD.1 | None | ASE_SPD.1.1D
ASE | OBJ.2 | ASE_SPD.1 Security problem definitions | ASE_OBJ.2.1D; ASE_OBJ.2.2D
ASE | ECD.1 | None | ASE_ECD.1.1D; ASE_ECD.1.2D
ASE | REQ.2 | ASE_OBJ.2 Security objectives; ASE_ECD.1 Extended components definition | ASE_REQ.2.1D; ASE_REQ.2.2D
ASE | TSS.1 | ASE_INT.1 ST Introduction; ASE_REQ.1 Stated security requirements | ASE_TSS.1.1D
ASE | INT.1 | None | ASE_INT.1.1D
EAL 4 Assurance Requirements (CC)
Developer Element | CID | Content & Presentation Elements
The developer shall design and implement the TOE so that the security features of the TSF cannot be bypassed. | ADV_ARC.1.1C | The security architecture description shall be at a level of detail commensurate with the description of the SFR-enforcing abstractions described in the TOE design document.
The developer shall design and implement the TSF so that it is able to protect itself from tampering by untrusted active entities. | ADV_ARC.1.2C | The security architecture description shall describe the security domains maintained by the TSF consistently with the SFRs.
The developer shall provide a security architecture description of the TSF. | ADV_ARC.1.3C | The security architecture description shall describe how the TSF initialization process is secure.
 | ADV_ARC.1.4C | The security architecture description shall demonstrate that the TSF protects itself from tampering.
 | ADV_ARC.1.5C | The security architecture description shall demonstrate that the TSF prevents bypass of the SFR-enforcing functionality.
The developer shall provide a functional specification. | ADV_FSP.1.1C | The functional specification shall completely represent the TSF.
The developer shall provide a tracing from the functional specification to the SFRs. | ADV_FSP.1.2C | The functional specification shall describe the purpose and method of use for all TSFI.
 | ADV_FSP.1.3C | The functional specification shall identify and describe all parameters associated with each TSFI.
 | ADV_FSP.1.4C | For SFR-enforcing TSFIs, the functional specification shall describe the SFR-enforcing actions associated with the TSFI.
 | ADV_FSP.1.5C | For SFR-enforcing TSFIs, the functional specification shall describe direct error messages resulting from processing associated with the SFR-enforcing actions.
 | ADV_FSP.1.6C | The tracing shall demonstrate that all SFRs trace to TSFI in the functional specification.
The developer shall make available the implementation representation for the entire TSF. | ADV_IMP.1.1C | The implementation representation shall define the TSF to a level of detail such that the TSF can be generated without further design decisions.
The developer shall provide a mapping between the TOE design description and the sample of the implementation representation. | ADV_IMP.1.2C | The implementation representation shall be in the form used by the development personnel.
 | ADV_IMP.1.3C | The mapping between the TOE design description and the sample of the implementation representation shall demonstrate their correspondence.
The developer shall provide the design of the TOE. | ADV_TDS.1.1C | The design shall describe the structure of the TOE in terms of subsystems.
The developer shall provide a mapping from the TSFI of the functional specification to the lowest level of decomposition available in the TOE design. | ADV_TDS.1.2C | The design shall identify all subsystems of the TSF.
 | ADV_TDS.1.3C | The design shall describe the behaviour of each SFR-supporting or SFR-non-interfering TSF subsystem in sufficient detail to determine that it is not SFR-enforcing.
 | ADV_TDS.1.4C | The design shall summarize the SFR-enforcing behaviour of the SFR-enforcing subsystems.
 | ADV_TDS.1.5C | The design shall provide a description of the interactions among SFR-enforcing subsystems of the TSF, and between the SFR-enforcing subsystems of the TSF and other subsystems of the TSF.
 | ADV_TDS.1.6C | The mapping shall demonstrate that all behaviour described in the TOE design is mapped to the TSFIs that invoke it.
The developer shall provide operational user guidance. | AGD_OPE.1.1C | The operational user guidance shall describe, for each user role, the user accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
 | AGD_OPE.1.2C | The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner.
 | AGD_OPE.1.3C | The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.
 | AGD_OPE.1.4C | The operational user guidance shall, for each user role, clearly present each type of security relevant event relative to the user accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
 | AGD_OPE.1.5C | The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operations.
 | AGD_OPE.1.6C | The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST.
 | AGD_OPE.1.7C | The operational user guidance shall be clear and reasonable.
The developer shall provide the TOE including its preparative procedures. | AGD_PRE.1.1C | The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures.
 | AGD_PRE.1.2C | The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.
The developer shall provide the TOE and a reference for the TOE. | ALC_CMC.4.1C | The TOE shall be labelled with its unique reference.
The developer shall provide the CM documentation. | ALC_CMC.4.2C | The CM documentation shall describe the method used to uniquely identify the configuration items.
The developer shall use a CM system. | ALC_CMC.4.3C | The CM system shall uniquely identify all configuration items.
The developer shall provide a configuration list for the TOE. | ALC_CMS.2.1C | The configuration list shall include the following: the TOE itself; the evaluation evidence required by the SARs; and the parts that comprise the TOE.
 | ALC_CMS.2.2C | The configuration list shall uniquely identify the configuration items.
 | ALC_CMS.2.3C | For each TSF relevant configuration item, the configuration list shall indicate the developer of the item.
The developer shall document procedures for delivery of the TOE or parts of it to the consumer. | ALC_DEL.1.1C | The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to the consumer.
The developer shall use the delivery procedures. | | 
The developer shall produce development security documentation. | ALC_DVS.1.1C | The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.
The developer shall establish a life cycle model to be used in the development and maintenance of the TOE. | ALC_LCD.1.1C | The life cycle definition documentation shall describe the model used to develop and maintain the TOE.
The developer shall provide life cycle definition documentation. | ALC_LCD.1.2C | The life cycle model shall provide for the necessary control over the development and maintenance of the TOE.
The developer shall identify each development tool being used for the TOE. | ALC_TAT.1.1C | Each development tool used for implementation shall be well defined.
The developer shall document the selected implementation dependent options of each development tool. | ALC_TAT.1.2C | The documentation of each development tool shall unambiguously define the meaning of all statements as well as all conventions and directives used in the implementation.
 | ALC_TAT.1.3C | The documentation of each development tool shall unambiguously define the meaning of all implementation dependent options.
The developer shall test the TSF and document the results. | ATE_FUN.1.1C | The test documentation shall consist of test plans, expected test results and actual test results.
 | ATE_FUN.1.2C | The test plan shall identify the tests to be performed and describe the scenarios for performing each test. These scenarios shall include any ordering dependencies on the results of other tests.
 | ATE_FUN.1.3C | The expected test results shall show the anticipated outputs from a successful execution of the tests.
 | ATE_FUN.1.4C | The actual test results shall be consistent with the expected test results.
The developer shall provide the TOE for testing. | ATE_IND.2.1C | The TOE shall be suitable for testing.
 | ATE_IND.2.2C | The developer shall provide an equivalent set of resources to those that were used in the developer's functional testing of the TSF.
The developer shall provide the TOE for testing. | AVA_VAN.1.1C | The TOE shall be suitable for testing.
The developer shall provide evidence of the test coverage. | ATE_COV.1.1C | The evidence of the test coverage shall show the correspondence between the tests in the test documentation and the TSFIs in the functional specification.
The developer shall provide the analysis of the depth of testing. | ATE_DPT.2.1C | The analysis of the depth of testing shall demonstrate the correspondence between the tests in the test documentation and the TSF subsystems and modules in the TOE design.
 | ATE_DPT.2.2C | The analysis of the depth of testing shall demonstrate that all TSF subsystems in the TOE design have been tested.
 | ATE_DPT.2.3C | The analysis of the depth of testing shall demonstrate that the SFR-enforcing modules in the TOE design have been tested.
The developer shall provide a conformance claim. | ASE_CCL.1.1C | The conformance claim shall contain a CC conformance claim that identifies the version of the CC to which the ST and the TOE claim conformance.
 | ASE_CCL.1.2C | The CC conformance claim shall describe the conformance of the ST to CC Part 2 as either CC Part 2 conformant or CC Part 2 extended.
The developer shall provide a conformance claim rationale. | ASE_CCL.1.3C | The CC conformance claim shall describe the conformance of the ST to CC Part 3 as either CC Part 3 conformant or CC Part 3 extended.
 | ASE_CCL.1.4C | The CC conformance claim shall be consistent with the extended components definition.
 | ASE_CCL.1.5C | The conformance claim shall identify all PPs and security requirement packages to which the ST claims conformance.
 | ASE_CCL.1.6C | The conformance claim shall describe any conformance of the ST to a package as either package conformant or package augmented.
 | ASE_CCL.1.7C | The conformance claim rationale shall demonstrate that the TOE type is consistent with the TOE type in the PPs for which conformance is being claimed.
 | ASE_CCL.1.8C | The conformance claim rationale shall demonstrate that the statement of the security problem definition is consistent with the statements of the security problem definition in the PPs for which conformance is being claimed.
 | ASE_CCL.1.9C | The conformance claim rationale shall demonstrate that the statement of security objectives is consistent with the statement of security objectives in the PPs for which conformance is being claimed.
 | ASE_CCL.1.10C | The conformance claim rationale shall demonstrate that the statement of security requirements is consistent with the statement of security requirements in the PPs for which conformance is being claimed.
The developer shall provide a security problem definition. | ASE_SPD.1.1C | The security problem definition shall describe the threats.
 | ASE_SPD.1.2C | All threats shall be described in terms of a threat agent, an asset, and an adverse action.
 | ASE_SPD.1.3C | The security problem definition shall describe the OSPs.
 | ASE_SPD.1.4C | The security problem definition shall describe the assumptions about the operational environment of the TOE.
The developer shall provide a statement of security objectives. | ASE_OBJ.2.1C | The statement of security objectives shall describe the security objectives for the TOE and the security objectives for the operational environment.
The developer shall provide a security objectives rationale. | ASE_OBJ.2.2C | The security objectives rationale shall trace each security objective for the TOE back to threats countered by the security objective and OSPs enforced by the security objective.
 | ASE_OBJ.2.3C | The security objectives rationale shall trace each security objective for the operational environment back to threats countered by that security objective, OSPs enforced by the security objective, and assumptions upheld by that security objective.
 | ASE_OBJ.2.4C | The security objectives rationale shall demonstrate that the security objectives counter all threats.
 | ASE_OBJ.2.5C | The security objectives rationale shall demonstrate that the security objectives enforce all OSPs.
 | ASE_OBJ.2.6C | The security objectives rationale shall demonstrate that the security objectives for the operational environment uphold all assumptions.
The developer shall provide a statement of security requirements. | ASE_ECD.1.1C | The statement of security requirements shall identify all extended security requirements.
The developer shall provide an extended components definition. | ASE_ECD.1.2C | The extended components definition shall define an extended component for each extended security requirement.
 | ASE_ECD.1.3C | The extended components definition shall describe how each extended component is related to the existing CC components, families, and classes.
 | ASE_ECD.1.4C | The extended components definition shall use the existing CC components, families, classes, and methodology as a model for presentation.
 | ASE_ECD.1.5C | The extended components shall consist of measurable and objective elements such that conformance or nonconformance to these elements can be demonstrated.
The developer shall provide a statement of security requirements. | ASE_REQ.2.1C | The statement of security requirements shall describe the SFRs and the SARs.
The developer shall provide a security requirements rationale. | ASE_REQ.2.2C | All subjects, objects, operators, security attributes, external entities and other terms that are used in the SFRs and the SARs shall be defined.
 | ASE_REQ.2.3C | The statement of security requirements shall identify all operations on the security requirements.
 | ASE_REQ.2.4C | All operations shall be performed correctly.
 | ASE_REQ.2.5C | Each dependency of the security requirements shall either be satisfied, or the security requirements rationale shall justify the dependency not being satisfied.
 | ASE_REQ.2.6C | The security requirements rationale shall trace each SFR back to the security objectives for the TOE.
 | ASE_REQ.2.7C | The security requirements rationale shall demonstrate that the SFRs meet all security objectives for the TOE.
 | ASE_REQ.2.8C | The security requirements rationale shall explain why the SARs were chosen.
 | ASE_REQ.2.9C | The statement of security requirements shall be internally consistent.
The developer shall provide a TOE summary specification. | ASE_TSS.1.1C | The TOE summary specification shall describe how the TOE meets each SFR.
The developer shall provide an ST introduction. | ASE_INT.1.1C | The ST introduction shall contain an ST reference, a TOE reference, a TOE overview and a TOE description.
 | ASE_INT.1.2C | The ST reference shall uniquely identify the ST.
 | ASE_INT.1.3C | The TOE reference shall identify the TOE.
 | ASE_INT.1.4C | The TOE overview shall summarize the usage and major security features of the TOE.
 | ASE_INT.1.5C | The TOE overview shall identify the TOE type.
 | ASE_INT.1.6C | The TOE overview shall identify any non-TOE hardware/software/firmware required by the TOE.
 | ASE_INT.1.7C | The TOE description shall describe the physical scope of the TOE.
 | ASE_INT.1.8C | The TOE description shall describe the logical scope of the TOE.
EAL 4 Assurance Requirements (CC)
Class | Family | Dependencies | FID
ADV | ARC.1 | ADV_FSP.1 Basic functional specifications; ADV_TDS.1 Basic design | ADV_ARC.1.1D; ADV_ARC.1.2D; ADV_ARC.1.3D
ADV | FSP.3 | ADV_TDS.1 Basic Design | ADV_FSP.3.1D; ADV_FSP.3.2D
ADV | IMP.1 | ADV_TDS.3 Basic Modular Design; ALC_TAT.1 Well defined development tools | ADV_IMP.1.1D; ADV_IMP.1.2D
ADV | TDS.2 | ADV_FSP.3 Functional specification with complete summary | ADV_TDS.2.1D; ADV_TDS.2.2D
AGD | OPE.1 | ADV_FSP.1 Basic functional specifications | AGD_OPE.1.1D
AGD | PRE.1 | None | AGD_PRE.1.1D
ALC | CMC.3 | ALC_CMS.1 TOE CM coverage; ALC_DVS.1 Identification of security measures | ALC_CMC.3.1D; ALC_CMC.3.2D; ALC_CMC.3.3D
ALC | CMS.3 | None | ALC_CMS.3.1D
ALC | DEL.1 | None | ALC_DEL.1.1D; ALC_DEL.1.2D
ALC | DVS.1 | None | ALC_DVS.1.1D
ALC | LCD.1 | None | ALC_LCD.1.1D; ALC_LCD.1.2D
ALC | TAT.1 | ADV_IMP.1 Implementation representation of the TSF | ALC_TAT.1.1D; ALC_TAT.1.2D
ATE | FUN.1 | ATE_COV.1 Evidence of coverage | ATE_FUN.1.1D
ATE | IND.2 | ADV_FSP.2 Security enforcing functional specifications; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures; ATE_COV.1 Evidence of coverage; ATE_FUN.1 Functional testing | ATE_IND.2.1D
AVA | VAN.3 | ADV_ARC.1 Security architecture description; ADV_FSP.2 Security enforcing functional specifications; ADV_TDS.3 Basic Modular Design; ADV_IMP.1 Implementation representation of the TSF; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures | AVA_VAN.3.1D
ATE | COV.2 | ADV_FSP.2 Security enforcing functional specifications; ATE_FUN.1 Functional testing | ATE_COV.2.1D
ATE | DPT.1 | ADV_ARC.1 Security architecture description; ADV_TDS.2 Architecture design; ATE_FUN.1 Functional testing | ATE_DPT.1.1D
ASE | CCL.1 | ASE_INT.1 ST Introduction; ASE_ECD.1 Extended components definitions; ASE_REQ.1 Stated security requirements | ASE_CCL.1.1D; ASE_CCL.1.2D
ASE | SPD.1 | None | ASE_SPD.1.1D
ASE | OBJ.2 | ASE_SPD.1 Security problem definitions | ASE_OBJ.2.1D; ASE_OBJ.2.2D
ASE | ECD.1 | None | ASE_ECD.1.1D; ASE_ECD.1.2D
ASE | REQ.2 | ASE_OBJ.2 Security objectives; ASE_ECD.1 Extended components definition | ASE_REQ.2.1D; ASE_REQ.2.2D
ASE | TSS.1 | ASE_INT.1 ST Introduction; ASE_REQ.1 Stated security requirements | ASE_TSS.1.1D
ASE | INT.1 | None | ASE_INT.1.1D
EAL 4 Assurance Requirements (CC)
Developer Element | CID | Content & Presentation Elements
The developer shall design and implement the TOE so that the security features of the TSF cannot be bypassed. | ADV_ARC.1.1C | The security architecture description shall be at a level of detail commensurate with the description of the SFR-enforcing abstractions described in the TOE design document.
The developer shall design and implement the TSF so that it is able to protect itself from tampering by untrusted active entities. | ADV_ARC.1.2C | The security architecture description shall describe the security domains maintained by the TSF consistently with the SFRs.
The developer shall provide a security architecture description of the TSF. | ADV_ARC.1.3C | The security architecture description shall describe how the TSF initialization process is secure.
 | ADV_ARC.1.4C | The security architecture description shall demonstrate that the TSF protects itself from tampering.
 | ADV_ARC.1.5C | The security architecture description shall demonstrate that the TSF prevents bypass of the SFR-enforcing functionality.
The developer shall provide a functional specification. | ADV_FSP.3.1C | The functional specification shall completely represent the TSF.
The developer shall provide a tracing from the functional specification to the SFRs. | ADV_FSP.3.2C | The functional specification shall describe the purpose and method of use for all TSFI.
 | ADV_FSP.3.3C | The functional specification shall identify and describe all parameters associated with each TSFI.
 | ADV_FSP.3.4C | For SFR-enforcing TSFIs, the functional specification shall describe the SFR-enforcing actions associated with the TSFI.
 | ADV_FSP.3.5C | For SFR-enforcing TSFIs, the functional specification shall describe direct error messages resulting from security enforcing effects and exceptions associated with invocation of the TSFI.
The developer shall make available the implementation representation for the entire TSF. | ADV_IMP.1.1C | The implementation representation shall define the TSF to a level of detail such that the TSF can be generated without further design decisions.
The developer shall provide a mapping between the TOE design description and the sample of the implementation representation. | ADV_IMP.1.2C | The implementation representation shall be in the form used by the development personnel.
 | ADV_IMP.1.3C | The mapping between the TOE design description and the sample of the implementation representation shall demonstrate their correspondence.
The developer shall provide the design of the TOE. | ADV_TDS.2.1C | The design shall describe the structure of the TOE in terms of subsystems.
The developer shall provide a mapping from the TSFI of the functional specification to the lowest level of decomposition available in the TOE design. | ADV_TDS.2.2C | The design shall identify all subsystems of the TSF.
 | ADV_TDS.2.3C | The design shall describe the behaviour of each SFR non-interfering subsystem of the TSF in detail sufficient to determine that it is SFR non-interfering.
 | ADV_TDS.2.4C | The design shall describe the SFR-enforcing behaviour of the SFR-enforcing subsystems.
 | ADV_TDS.2.5C | The design shall summarize the non-SFR-enforcing behaviour of the SFR-enforcing subsystems.
 | ADV_TDS.2.6C | The design shall summarize the behaviour of the SFR-supporting subsystems.
 | ADV_TDS.2.7C | The design shall provide a description of the interactions among all subsystems of the TSF.
 | ADV_TDS.2.8C | The mapping shall demonstrate that all behaviour described in the TOE design is mapped to the TSFIs that invoke it.
The developer shall provide operational user guidance. | AGD_OPE.1.1C | The operational user guidance shall describe, for each user role, the user accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
 | AGD_OPE.1.2C | The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner.
 | AGD_OPE.1.3C | The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.
 | AGD_OPE.1.4C | The operational user guidance shall, for each user role, clearly present each type of security relevant event relative to the user accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
 | AGD_OPE.1.5C | The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operations.
 | AGD_OPE.1.6C | The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST.
 | AGD_OPE.1.7C | The operational user guidance shall be clear and reasonable.
                                                 The preparative procedures shall describe all
The developer shall provide the                  the steps necessary for secure acceptance of
TOE including its preparative                    the delivered TOE in accordance with the
procedures.                       AGD_PRE.1.1C   developer's delivery procedures.
                                                 The preparative procedures shall describe all
                                                 the steps necessary for secure installation of the
                                                 TOE and for the secure preparation of the
                                                 operational environemnt in accordance with the
                                                 security objectives for the operational
                                  AGD_PRE.1.2C   environment as described in the ST.

The developer shall provide the TOE and a reference for the TOE.
    ALC_CMC.3.1C   The TOE shall be labelled with its unique reference.

The developer shall provide the CM documentation.
    ALC_CMC.3.2C   The CM documentation shall describe the method used to uniquely identify the configuration items.

The developer shall use a CM system.
    ALC_CMC.3.3C   The CM system shall uniquely identify all configuration items.
    ALC_CMC.3.4C   The CM system shall provide measures such that only authorized changes are made to the configuration items.
    ALC_CMC.3.5C   The CM documentation shall include a CM plan.
    ALC_CMC.3.6C   The CM plan shall describe the procedures used to accept modified or newly created configuration items as part of the TOE.
    ALC_CMC.3.7C   The evidence shall demonstrate that all configuration items are being maintained under the CM system.

The developer shall provide a configuration list for the TOE.
    ALC_CMS.4.1C   The configuration list shall include the following: the TOE itself; the evaluation evidence required by the SARs; the parts that comprise the TOE; and the implementation representation.
    ALC_CMS.4.2C   The configuration list shall uniquely identify the configuration items.
    ALC_CMS.4.3C   For each TSF-relevant configuration item, the configuration list shall indicate the developer of the item.

The developer shall document procedures for delivery of the TOE or parts of it to the consumer.
The developer shall use the delivery procedures.
    ALC_DEL.1.1C   The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to the consumer.

The developer shall produce development security documentation.
    ALC_DVS.1.1C   The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.

The developer shall establish a life cycle model to be used in the development and maintenance of the TOE.
The developer shall provide life cycle definition documentation.
    ALC_LCD.1.1C   The life cycle definition documentation shall describe the model used to develop and maintain the TOE.
    ALC_LCD.1.2C   The life cycle model shall provide for the necessary control over the development and maintenance of the TOE.

The developer shall identify each development tool being used for the TOE.
The developer shall document the selected implementation-dependent options of each development tool.
    ALC_TAT.1.1C   Each development tool used for implementation shall be well defined.
    ALC_TAT.1.2C   The documentation of each development tool shall unambiguously define the meaning of all statements as well as all conventions and directives used in the implementation.
    ALC_TAT.1.3C   The documentation of each development tool shall unambiguously define the meaning of all implementation-dependent options.
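The ALC_CMC and ALC_CMS elements above ask for three concrete things: every configuration item is uniquely identified, the configuration list says what each item is and who developed it, and there is evidence that nothing reaches the consumer outside the CM system. The Python below is an added example written for this page, not code from the Common Criteria, from any evaluation scheme or from a real developer. It builds such a configuration list from a constructed in-memory TOE tree (the paths, file contents, the "ExampleFW" reference and the third-party developer name are all made up) and then checks a delivered tree against that list, reporting unmanaged, missing and modified items, which is the check a consumer performs during secure acceptance under AGD_PRE.1.1C.

```python
"""Configuration list with unique identification (ALC_CMC.3.3C, ALC_CMS.4.2C),
item category (ALC_CMS.4.1C) and developer of origin (ALC_CMS.4.3C), plus a
secure-acceptance check of a delivered tree (ALC_CMC.3.4C, ALC_CMC.3.7C,
ALC_DEL.1.1C). Added example; tree, paths and names are constructed."""
import hashlib
import json
import os
from typing import Dict

# Constructed sample TOE tree: relative path -> bytes (hypothetical content).
SAMPLE_TREE: Dict[str, bytes] = {
    "toe/examplefw.bin": b"\x7fELF constructed firmware image",
    "src/filter.c": b"int filter(void) { return 0; }\n",
    "src/crypto/aes.c": b"/* third-party AES, constructed */\n",
    "docs/st.pdf": b"%PDF-1.4 constructed security target\n",
    "docs/agd_ope.pdf": b"%PDF-1.4 constructed user guidance\n",
}
# ALC_CMS.4.1C category and ALC_CMS.4.3C developer, chosen by path prefix (constructed).
CATEGORY_BY_PREFIX = {"toe/": "TOE", "src/": "implementation representation",
                      "docs/": "evaluation evidence"}
DEVELOPER_BY_PREFIX = {"src/crypto/": "Acme Crypto Ltd (third party)"}
DEFAULT_DEVELOPER = "TOE developer"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _longest_prefix_match(path: str, table: Dict[str, str], default: str) -> str:
    hits = [p for p in table if path.startswith(p)]
    return table[max(hits, key=len)] if hits else default


def build_configuration_list(tree: Dict[str, bytes], toe_reference: str) -> dict:
    """Unique id per item = path plus SHA-256 of content; the TOE itself is
    labelled with its reference (ALC_CMC.3.1C)."""
    items = {}
    for path, data in sorted(tree.items()):
        items[path] = {
            "sha256": sha256_hex(data),
            "category": _longest_prefix_match(path, CATEGORY_BY_PREFIX, "part of the TOE"),
            "developer": _longest_prefix_match(path, DEVELOPER_BY_PREFIX, DEFAULT_DEVELOPER),
        }
    return {"toe_reference": toe_reference, "items": items}


def verify_delivery(config_list: dict, delivered: Dict[str, bytes]) -> Dict[str, list]:
    """Compare a delivered tree with the configuration list it was shipped under."""
    expected = config_list["items"]
    common = set(expected) & set(delivered)
    return {
        "unmanaged": sorted(set(delivered) - set(expected)),   # item not under CM (ALC_CMC.3.7C)
        "missing": sorted(set(expected) - set(delivered)),      # incomplete delivery
        "modified": sorted(p for p in common                    # change outside CM (ALC_CMC.3.4C)
                           if sha256_hex(delivered[p]) != expected[p]["sha256"]),
    }


def accepted(report: Dict[str, list]) -> bool:
    """Secure acceptance succeeds only if every list in the report is empty."""
    return not any(report.values())


def load_tree(root: str) -> Dict[str, bytes]:
    """Read a real directory into the path -> bytes form used above."""
    tree: Dict[str, bytes] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return tree


if __name__ == "__main__":
    cl = build_configuration_list(SAMPLE_TREE, "ExampleFW 2.1.0 build 417")
    print(json.dumps(cl, indent=2))
    tampered = {**SAMPLE_TREE, "src/filter.c": b"int filter(void) { return 1; }\n"}
    report = verify_delivery(cl, tampered)
    print(report, "accepted" if accepted(report) else "rejected")
```

The list itself is only evidence if it is delivered over a channel the recipient can trust separately from the TOE (signed, or fetched out of band), which is what ALC_DEL.1.1C's delivery procedures have to cover; load_tree() reads an actual directory into the same form so the same two functions apply to a real delivery.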
The developer shall test the TSF and document the results.
    ATE_FUN.1.1C   The test documentation shall consist of test plans, expected test results and actual test results.
    ATE_FUN.1.2C   The test plan shall identify the tests to be performed and describe the scenarios for performing each test. These scenarios shall include any ordering dependencies on the results of other tests.
    ATE_FUN.1.3C   The expected test results shall show the anticipated outputs from a successful execution of the tests.
    ATE_FUN.1.4C   The actual test results shall be consistent with the expected test results.

The developer shall provide the TOE for testing.
    ATE_IND.2.1C   The TOE shall be suitable for testing.
    ATE_IND.2.2C   The developer shall provide an equivalent set of resources to those that were used in the developer's functional testing of the TSF.

The developer shall provide the TOE for testing.
    AVA_VAN.3.1C   The TOE shall be suitable for testing.

The developer shall provide an analysis of the test coverage.
    ATE_COV.2.1C   The analysis of the test coverage shall demonstrate the correspondence between the tests in the test documentation and the TSFIs in the functional specification.
    ATE_COV.2.2C   The analysis of the test coverage shall demonstrate that all TSFIs in the functional specification have been tested.

The developer shall provide the analysis of the depth of testing.
    ATE_DPT.1.1C   The analysis of the depth of testing shall demonstrate the correspondence between the tests in the test documentation and the TSF subsystems in the TOE design.
    ATE_DPT.1.2C   The analysis of the depth of testing shall demonstrate that all TSF subsystems in the TOE design have been tested.

The developer shall provide a conformance claim.
The developer shall provide a conformance claim rationale.
    ASE_CCL.1.1C   The conformance claim shall contain a CC conformance claim that identifies the version of the CC to which the ST and the TOE claim conformance.
    ASE_CCL.1.2C   The CC conformance claim shall describe the conformance of the ST to CC Part 2 as either CC Part 2 conformant or CC Part 2 extended.
    ASE_CCL.1.3C   The CC conformance claim shall describe the conformance of the ST to CC Part 3 as either CC Part 3 conformant or CC Part 3 extended.
    ASE_CCL.1.4C   The CC conformance claim shall be consistent with the extended components definition.
    ASE_CCL.1.5C   The conformance claim shall identify all PPs and security requirement packages to which the ST claims conformance.
    ASE_CCL.1.6C   The conformance claim shall describe any conformance of the ST to a package as either package-conformant or package-augmented.
    ASE_CCL.1.7C   The conformance claim rationale shall demonstrate that the TOE type is consistent with the TOE type in the PPs for which conformance is being claimed.
    ASE_CCL.1.8C   The conformance claim rationale shall demonstrate that the statement of the security problem definition is consistent with the statements of the security problem definition in the PPs for which conformance is being claimed.
    ASE_CCL.1.9C   The conformance claim rationale shall demonstrate that the statement of security objectives is consistent with the statement of security objectives in the PPs for which conformance is being claimed.
    ASE_CCL.1.10C  The conformance claim rationale shall demonstrate that the statement of security requirements is consistent with the statement of security requirements in the PPs for which conformance is being claimed.

The developer shall provide a security problem definition.
    ASE_SPD.1.1C   The security problem definition shall describe the threats.
    ASE_SPD.1.2C   All threats shall be described in terms of a threat agent, an asset, and an adverse action.
    ASE_SPD.1.3C   The security problem definition shall describe the OSPs.
    ASE_SPD.1.4C   The security problem definition shall describe the assumptions about the operational environment of the TOE.

The developer shall provide a statement of security objectives.
The developer shall provide a security objectives rationale.
    ASE_OBJ.2.1C   The statement of security objectives shall describe the security objectives for the TOE and the security objectives for the operational environment.
    ASE_OBJ.2.2C   The security objectives rationale shall trace each security objective for the TOE back to threats countered by the security objective and OSPs enforced by the security objective.
    ASE_OBJ.2.3C   The security objectives rationale shall trace each security objective for the operational environment back to threats countered by that security objective, OSPs enforced by the security objective, and assumptions upheld by that security objective.
    ASE_OBJ.2.4C   The security objectives rationale shall demonstrate that the security objectives counter all threats.
    ASE_OBJ.2.5C   The security objectives rationale shall demonstrate that the security objectives enforce all OSPs.
    ASE_OBJ.2.6C   The security objectives rationale shall demonstrate that the security objectives for the operational environment uphold all assumptions.

The developer shall provide a statement of security requirements.
The developer shall provide an extended components definition.
    ASE_ECD.1.1C   The statement of security requirements shall identify all extended security requirements.
    ASE_ECD.1.2C   The extended components definition shall define an extended component for each extended security requirement.
    ASE_ECD.1.3C   The extended components definition shall describe how each extended component is related to the existing CC components, families, and classes.
    ASE_ECD.1.4C   The extended components definition shall use the existing CC components, families, classes, and methodology as a model for presentation.
    ASE_ECD.1.5C   The extended components shall consist of measurable and objective elements such that conformance or nonconformance to these elements can be demonstrated.

The developer shall provide a statement of security requirements.
The developer shall provide a security requirements rationale.
    ASE_REQ.2.1C   The statement of security requirements shall describe the SFRs and the SARs.
    ASE_REQ.2.2C   All subjects, objects, operations, security attributes, external entities and other terms that are used in the SFRs and the SARs shall be defined.
    ASE_REQ.2.3C   The statement of security requirements shall identify all operations on the security requirements.
    ASE_REQ.2.4C   All operations shall be performed correctly.
    ASE_REQ.2.5C   Each dependency of the security requirements shall either be satisfied, or the security requirements rationale shall justify the dependency not being satisfied.
    ASE_REQ.2.6C   The security requirements rationale shall trace each SFR back to the security objectives for the TOE.
    ASE_REQ.2.7C   The security requirements rationale shall demonstrate that the SFRs meet all security objectives for the TOE.
    ASE_REQ.2.8C   The security requirements rationale shall explain why the SARs were chosen.
    ASE_REQ.2.9C   The statement of security requirements shall be internally consistent.

The developer shall provide a TOE summary specification.
    ASE_TSS.1.1C   The TOE summary specification shall describe how the TOE meets each SFR.

The developer shall provide an ST introduction.
    ASE_INT.1.1C   The ST introduction shall contain an ST reference, a TOE reference, a TOE overview and a TOE description.
    ASE_INT.1.2C   The ST reference shall uniquely identify the ST.
    ASE_INT.1.3C   The TOE reference shall identify the TOE.
    ASE_INT.1.4C   The TOE overview shall summarize the usage and major security features of the TOE.
    ASE_INT.1.5C   The TOE overview shall identify the TOE type.
    ASE_INT.1.6C   The TOE overview shall identify any non-TOE hardware/software/firmware required by the TOE.
    ASE_INT.1.7C   The TOE description shall describe the physical scope of the TOE.
    ASE_INT.1.8C   The TOE description shall describe the logical scope of the TOE.
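Several of the content elements above are completeness demands over tracings rather than prose requirements: ASE_OBJ.2.4C-2.6C (every threat countered, every OSP enforced, every assumption upheld), ASE_REQ.2.6C-2.7C (every SFR traces to a TOE objective and every TOE objective is met by some SFR), and ATE_COV.2.2C / ATE_DPT.1.2C (every TSFI and every TSF subsystem is exercised by a test). The Python below is an added example, not part of the page or of any real Security Target; it encodes those checks as set differences over a constructed inventory for a hypothetical network-filter TOE. Every identifier in it (T.TAMPER, O.AUTH, TSFI_LOGIN, TC-001 and the rest) is made up, and the deliberate gaps in the sample (an uncountered threat, an SFR that traces to nothing, an untested TSFI) are exactly what an evaluator's check of these elements would flag.

```python
"""Completeness checks behind ASE_OBJ, ASE_REQ and ATE_COV/ATE_DPT, as set
arithmetic over a constructed (hypothetical) tracing inventory. Added example."""
from typing import Dict, Set

Tracing = Dict[str, Set[str]]

# Constructed sample inventory for a hypothetical network-filter TOE.
SAMPLE = {
    "threats": {"T.UNAUTH_ACCESS", "T.REPLAY", "T.TAMPER"},
    "osps": {"P.AUDIT"},
    "assumptions": {"A.PHYSICAL", "A.ADMIN"},
    # security objective for the TOE -> threats countered / OSPs enforced
    "toe_objectives": {"O.AUTH": {"T.UNAUTH_ACCESS", "T.REPLAY"},
                       "O.AUDIT": {"P.AUDIT"}},
    # objective for the operational environment -> threats / OSPs / assumptions
    "env_objectives": {"OE.PHYSICAL": {"A.PHYSICAL"}, "OE.ADMIN": {"A.ADMIN"}},
    # SFR -> security objectives for the TOE it helps meet (FAU_STG.1 traces to nothing)
    "sfrs": {"FIA_UAU.2": {"O.AUTH"}, "FIA_UID.2": {"O.AUTH"},
             "FAU_GEN.1": {"O.AUDIT"}, "FAU_STG.1": set()},
    "tsfis": {"TSFI_LOGIN", "TSFI_AUDIT_EXPORT", "TSFI_MGMT"},
    "subsystems": {"SUB_AUTH", "SUB_AUDIT", "SUB_MGMT"},
    # test case -> TSFIs and TSF subsystems it exercises
    "tests": {"TC-001": {"tsfis": {"TSFI_LOGIN"}, "subsystems": {"SUB_AUTH"}},
              "TC-002": {"tsfis": {"TSFI_MGMT"}, "subsystems": {"SUB_MGMT", "SUB_AUDIT"}}},
}


def referenced(tracing: Tracing) -> Set[str]:
    """Everything that at least one entry of a tracing map points at."""
    return set().union(*tracing.values())


def check_objectives_rationale(inv: dict) -> Dict[str, Set[str]]:
    """ASE_OBJ.2.4C-2.6C: each threat, OSP and assumption must be traced to."""
    by_toe, by_env = referenced(inv["toe_objectives"]), referenced(inv["env_objectives"])
    defined = inv["threats"] | inv["osps"] | inv["assumptions"]
    return {
        "ASE_OBJ.2.4C": inv["threats"] - (by_toe | by_env),   # threats not countered
        "ASE_OBJ.2.5C": inv["osps"] - (by_toe | by_env),      # OSPs not enforced
        "ASE_OBJ.2.6C": inv["assumptions"] - by_env,          # assumptions not upheld
        "ASE_OBJ dangling": (by_toe | by_env) - defined,      # traces to an undefined item
    }


def check_requirements_rationale(inv: dict) -> Dict[str, Set[str]]:
    """ASE_REQ.2.6C/2.7C: every SFR traces to a TOE objective and every TOE
    objective is met by at least one SFR."""
    toe_objs, traced = set(inv["toe_objectives"]), referenced(inv["sfrs"])
    return {
        "ASE_REQ.2.6C": {s for s, objs in inv["sfrs"].items() if not objs},  # untraced SFRs
        "ASE_REQ.2.7C": toe_objs - traced,                                    # objectives no SFR meets
        "ASE_REQ dangling": traced - toe_objs,                                # traces to an undefined objective
    }


def check_test_coverage(inv: dict) -> Dict[str, Set[str]]:
    """ATE_COV.2.2C / ATE_DPT.1.2C: every TSFI and every TSF subsystem is tested."""
    tests = inv["tests"].values()
    return {
        "ATE_COV.2.2C": inv["tsfis"] - set().union(*(t["tsfis"] for t in tests)),
        "ATE_DPT.1.2C": inv["subsystems"] - set().union(*(t["subsystems"] for t in tests)),
    }


def run_all(inv: dict) -> Dict[str, Set[str]]:
    """Element id -> set of items that element would be failed on (empty = satisfied)."""
    findings: Dict[str, Set[str]] = {}
    for check in (check_objectives_rationale, check_requirements_rationale, check_test_coverage):
        findings.update(check(inv))
    return findings


def is_complete(findings: Dict[str, Set[str]]) -> bool:
    """True only when no element reports a gap."""
    return not any(findings.values())


if __name__ == "__main__":
    for element, gap in run_all(SAMPLE).items():
        print(f"{'OK ' if not gap else 'GAP'} {element:<18} {sorted(gap)}")
    print("complete" if is_complete(run_all(SAMPLE)) else "incomplete")
```

The dangling checks are not one of the listed elements but are what ASE_REQ.2.9C's internal-consistency demand catches in practice: a rationale that traces to a threat the security problem definition never defined passes a naive "every threat is covered" loop and still fails evaluation.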
                              EAL 4 Assurance Requirements (CC)

Class/Family   Dependencies   FID (developer action element)   CID (content and presentation element)

ADV_ARC.1
    Dependencies: ADV_FSP.1 Basic functional specification; ADV_TDS.1 Basic design
    ADV_ARC.1.1D   The developer shall design and implement the TOE so that the security features of the TSF cannot be bypassed.
    ADV_ARC.1.2D   The developer shall design and implement the TSF so that it is able to protect itself from tampering by untrusted active entities.
    ADV_ARC.1.3D   The developer shall provide a security architecture description of the TSF.
    CID: ADV_ARC.1.1C, ADV_ARC.1.2C, ADV_ARC.1.3C, ADV_ARC.1.4C, ADV_ARC.1.5C

ADV_FSP.4
    Dependencies: ADV_TDS.1 Basic design
    ADV_FSP.4.1D   The developer shall provide a functional specification.
    ADV_FSP.4.2D   The developer shall provide a tracing from the functional specification to the SFRs.
    CID: ADV_FSP.4.1C, ADV_FSP.4.2C, ADV_FSP.4.3C, ADV_FSP.4.4C, ADV_FSP.4.5C, ADV_FSP.4.6C

ADV_IMP.1
    Dependencies: ADV_TDS.3 Basic modular design; ALC_TAT.1 Well-defined development tools
    ADV_IMP.1.1D   The developer shall make available the implementation representation for the entire TSF.
    ADV_IMP.1.2D   The developer shall provide a mapping between the TOE design description and the sample of the implementation representation.
    CID: ADV_IMP.1.1C, ADV_IMP.1.2C, ADV_IMP.1.3C

ADV_TDS.3
    Dependencies: ADV_FSP.4 Complete functional specification
    ADV_TDS.3.1D   The developer shall provide the design of the TOE.
    ADV_TDS.3.2D   The developer shall provide a mapping from the TSFI of the functional specification to the lowest level of decomposition available in the TOE design.
    CID: ADV_TDS.3.1C, ADV_TDS.3.2C, ADV_TDS.3.3C, ADV_TDS.3.4C, ADV_TDS.3.5C, ADV_TDS.3.6C, ADV_TDS.3.7C, ADV_TDS.3.8C, ADV_TDS.3.9C, ADV_TDS.3.10C

AGD_OPE.1
    Dependencies: ADV_FSP.1 Basic functional specification
    AGD_OPE.1.1D   The developer shall provide operational user guidance.
    CID: AGD_OPE.1.1C, AGD_OPE.1.2C, AGD_OPE.1.3C, AGD_OPE.1.4C, AGD_OPE.1.5C, AGD_OPE.1.6C, AGD_OPE.1.7C

AGD_PRE.1
    Dependencies: None
    AGD_PRE.1.1D   The developer shall provide the TOE including its preparative procedures.
    CID: AGD_PRE.1.1C, AGD_PRE.1.2C

ALC_CMC.4
    Dependencies: ALC_CMS.1 TOE CM coverage; ALC_DVS.1 Identification of security measures; ALC_LCD.1 Developer defined life-cycle model
    ALC_CMC.4.1D   The developer shall provide the TOE and a reference for the TOE.
    ALC_CMC.4.2D   The developer shall provide the CM documentation.
    ALC_CMC.4.3D   The developer shall use a CM system.
    CID: ALC_CMC.4.1C, ALC_CMC.4.2C, ALC_CMC.4.3C, ALC_CMC.4.4C, ALC_CMC.4.5C, ALC_CMC.4.6C, ALC_CMC.4.7C, ALC_CMC.4.8C, ALC_CMC.4.9C, ALC_CMC.4.10C

ALC_CMS.4
    Dependencies: None
    ALC_CMS.4.1D   The developer shall provide a configuration list for the TOE.
    CID: ALC_CMS.4.1C, ALC_CMS.4.2C, ALC_CMS.4.3C

ALC_DEL.1
    Dependencies: None
    ALC_DEL.1.1D   The developer shall document procedures for delivery of the TOE or parts of it to the consumer.
    ALC_DEL.1.2D   The developer shall use the delivery procedures.
    CID: ALC_DEL.1.1C

ALC_DVS.1
    Dependencies: None
    ALC_DVS.1.1D   The developer shall produce development security documentation.
    CID: ALC_DVS.1.1C

ALC_LCD.1
    Dependencies: None
    ALC_LCD.1.1D   The developer shall establish a life cycle model to be used in the development and maintenance of the TOE.
    ALC_LCD.1.2D   The developer shall provide life cycle definition documentation.
    CID: ALC_LCD.1.1C, ALC_LCD.1.2C

ALC_TAT.1
    Dependencies: ADV_IMP.1 Implementation representation of the TSF
    ALC_TAT.1.1D   The developer shall identify each development tool being used for the TOE.
    ALC_TAT.1.2D   The developer shall document the selected implementation-dependent options of each development tool.
    CID: ALC_TAT.1.1C, ALC_TAT.1.2C, ALC_TAT.1.3C

ATE_FUN.1
    Dependencies: ATE_COV.1 Evidence of coverage
    ATE_FUN.1.1D   The developer shall test the TSF and document the results.
    CID: ATE_FUN.1.1C, ATE_FUN.1.2C, ATE_FUN.1.3C, ATE_FUN.1.4C

ATE_IND.2
    Dependencies: ADV_FSP.2 Security-enforcing functional specification; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures; ATE_COV.1 Evidence of coverage; ATE_FUN.1 Functional testing
    ATE_IND.2.1D   The developer shall provide the TOE for testing.
    CID: ATE_IND.2.1C, ATE_IND.2.2C

AVA_VAN.3
    Dependencies: ADV_ARC.1 Security architecture description; ADV_FSP.2 Security-enforcing functional specification; ADV_TDS.3 Basic modular design; ADV_IMP.1 Implementation representation of the TSF; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
    AVA_VAN.3.1D   The developer shall provide the TOE for testing.
    CID: AVA_VAN.3.1C

ATE_COV.2
    Dependencies: ADV_FSP.2 Security-enforcing functional specification; ATE_FUN.1 Functional testing
    ATE_COV.2.1D   The developer shall provide an analysis of the test coverage.
    CID: ATE_COV.2.1C, ATE_COV.2.2C

ATE_DPT.2
    Dependencies: ADV_ARC.1 Security architecture description; ADV_TDS.3 Basic modular design; ATE_FUN.1 Functional testing
    ATE_DPT.2.1D   The developer shall provide the analysis of the depth of testing.
    CID: ATE_DPT.2.1C, ATE_DPT.2.2C, ATE_DPT.2.3C

ASE_CCL.1
    Dependencies: ASE_INT.1 ST introduction; ASE_ECD.1 Extended components definition
    ASE_CCL.1.1D   The developer shall provide a conformance claim.
    ASE_CCL.1.2D   The developer shall provide a conformance claim rationale.
    CID: ASE_CCL.1.1C, ASE_CCL.1.2C

             ASE_REQ.1 Stated security                  The developer shall provide a conformance
             requirements                               claim rationale.                            ASE_CCL.1.3C

                                                                                                    ASE_CCL.1.4C


                                                                                                    ASE_CCL.1.5C


                                                                                                    ASE_CCL.1.6C


                                                                                                    ASE_CCL.1.7C




                                                                                                    ASE_CCL.1.8C
                                                                                              ASE_CCL.1.9C




                                                                                                ASE_CCL.1.10C
                                                 The developer shall provide a security problem
ASE SPD.1   None                  ASE_SPD.1.1D   definition.                                    ASE_SPD.1.1C

                                                                                              ASE_SPD.1.2C

                                                                                              ASE_SPD.1.3C


                                                                                              ASE_SPD.1.4C

            ASE_SPD.1 Security                   The developer shall provide a statement of
ASE OBJ.2   problem definitions   ASE_OBJ.2.1D   security objectives.                         ASE_OBJ.2.1C


                                                 The developer shall provide a security
                                  ASE_OBJ.2.2D   objectives rationale.                        ASE_OBJ.2.2C




                                                                                              ASE_OBJ.2.3C

                                                                                              ASE_OBJ.2.4C

                                                                                              ASE_OBJ.2.5C


                                                                                              ASE_OBJ.2.6C
                                                    The developer shall provide a statement of
ASE ECD.1   None                    ASE_ECD.1.1D    security requirements                        ASE_ECD.1.1C

                                                    The developer shall provide an extended
                                    ASE_ECD.1.2D    compon4ents definition                       ASE_ECD.1.2C


                                                                                                 ASE_ECD.1.3C


                                                                                                 ASE_ECD.1.4C



                                                                                                 ASE_ECD.1.5C
            ASE_OBJ.2 Security                   The developer shall provide a statement of
ASE REQ.2   objectives              ASE_REQ.2.1D security requirements                           ASE_REQ.2.1C

            ASE_ECD.1 Extended                   The developer shall provide a security
            components definition   ASE_REQ.2.2D requirements rationale                          ASE_REQ.2.2C

                                                                                                 ASE_REQ.2.3C
                                                                                                 ASE_REQ.2.4C



                                                                                                 ASE_REQ.2.5C

                                                                                                 ASE_REQ.2.6C


                                                                                                 ASE_REQ.2.7C

                                                                                                 ASE_REQ.2.8C

                                                                                                 ASE_REQ.2.9C
                                                     The developer shall provide a TOE summary
ASE TSS.1   ASE_INT.1 ST Introduction ASE_TSS.1.1D   specification.                               ASE_TSS.1.1C
            ASE_REQ.1 Stated security
            requirements


ASE INT.1   None                     ASE_INT.1.1D    The developer shall provide an ST introduction. ASE_INT.1.1C
                                                                                                     ASE_INT.1.2C
                                                                                                     ASE_INT.1.3C

                                                                                                  ASE_INT.1.4C
                                                                                                  ASE_INT.1.5C

                                                                                                  ASE_INT.1.6C

                                                                                                  ASE_INT.1.7C

                                                                                                  ASE_INT.1.8C
Content & Presentation Elements (CC)
(Each statement is listed under its content element identifier, CID, as numbered in CC Part 3 v3.1 for the EAL4 components of the requirements table.)

ADV_ARC.1.1C   The security architecture description shall be at a level of detail commensurate with the description of the SFR-enforcing abstractions described in the TOE design document.
ADV_ARC.1.2C   The security architecture description shall describe the security domains maintained by the TSF consistently with the SFRs.
ADV_ARC.1.3C   The security architecture description shall describe how the TSF initialization process is secure.
ADV_ARC.1.4C   The security architecture description shall demonstrate that the TSF protects itself from tampering.
ADV_ARC.1.5C   The security architecture description shall demonstrate that the TSF prevents bypass of the SFR-enforcing functionality.

ADV_FSP.4.1C   The functional specification shall completely represent the TSF.
ADV_FSP.4.2C   The functional specification shall describe the purpose and method of use for all TSFI.
ADV_FSP.4.3C   The functional specification shall identify and describe all parameters associated with each TSFI.
ADV_FSP.4.4C   The functional specification shall describe all actions associated with each TSFI.
ADV_FSP.4.5C   The functional specification shall describe all direct error messages that may result from security-enforcing effects and exceptions associated with an invocation of each TSFI.
ADV_FSP.4.6C   The tracing shall demonstrate that all SFRs trace to TSFI in the functional specification.

ADV_IMP.1.1C   The implementation representation shall define the TSF to a level of detail such that the TSF can be generated without further design decisions.
ADV_IMP.1.2C   The implementation representation shall be in the form used by the development personnel.
ADV_IMP.1.3C   The mapping between the TOE design description and the sample of the implementation representation shall demonstrate their correspondence.

ADV_TDS.3.1C   The design shall describe the structure of the TOE in terms of subsystems.
ADV_TDS.3.2C   The design shall describe the TSF in terms of modules.
ADV_TDS.3.3C   The design shall identify all subsystems of the TSF.
ADV_TDS.3.4C   The design shall provide a description of each subsystem of the TSF.
ADV_TDS.3.5C   The design shall provide a description of the interactions among all subsystems of the TSF.
ADV_TDS.3.6C   The design shall provide a mapping from the subsystems of the TSF to the modules of the TSF.
ADV_TDS.3.7C   The design shall describe each SFR-enforcing module in terms of its purpose.
ADV_TDS.3.8C   The design shall describe each SFR-enforcing module in terms of its SFR-related interfaces, return values from those interfaces, and called interfaces to other modules.
ADV_TDS.3.9C   The design shall describe each SFR-supporting or SFR-non-interfering module in terms of its purpose and interaction with other modules.
ADV_TDS.3.10C  The mapping shall demonstrate that all behaviour described in the TOE design is mapped to the TSFI that invoke it.

AGD_OPE.1.1C   The operational user guidance shall describe, for each user role, the user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
AGD_OPE.1.2C   The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner.
AGD_OPE.1.3C   The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.
AGD_OPE.1.4C   The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_OPE.1.5C   The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operations.
AGD_OPE.1.6C   The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST.
AGD_OPE.1.7C   The operational user guidance shall be clear and reasonable.

AGD_PRE.1.1C   The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures.
AGD_PRE.1.2C   The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.

ALC_CMC.4.1C   The TOE shall be labelled with its unique reference.
ALC_CMC.4.2C   The CM documentation shall describe the method used to uniquely identify the configuration items.
ALC_CMC.4.3C   The CM system shall uniquely identify all configuration items.
ALC_CMC.4.4C   The CM system shall provide automated measures such that only authorized changes are made to the configuration items.
ALC_CMC.4.5C   The CM system shall support the production of the TOE by automated means.
ALC_CMC.4.6C   The CM documentation shall include a CM plan.
ALC_CMC.4.7C   The CM plan shall describe how the CM system is used for the development of the TOE.
ALC_CMC.4.8C   The CM plan shall describe the procedures used to accept modified or newly created configuration items as part of the TOE.
ALC_CMC.4.9C   The evidence shall demonstrate that all configuration items are being maintained under the CM system.
ALC_CMC.4.10C  The evidence shall demonstrate that the CM system is being operated in accordance with the CM plan.

ALC_CMS.4.1C   The configuration list shall include the following: the TOE itself; the evaluation evidence required by the SARs; the parts that comprise the TOE; the implementation representation; and security flaw reports and resolution status.
ALC_CMS.4.2C   The configuration list shall uniquely identify the configuration items.
ALC_CMS.4.3C   For each TSF-relevant configuration item, the configuration list shall indicate the developer of the item.

ALC_DEL.1.1C   The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to the consumer.

ALC_DVS.1.1C   The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.

ALC_LCD.1.1C   The lifecycle definition documentation shall describe the model used to develop and maintain the TOE.
ALC_LCD.1.2C   The lifecycle model shall provide for the necessary control over the development and maintenance of the TOE.

ALC_TAT.1.1C   Each development tool used for implementation shall be well defined.
ALC_TAT.1.2C   The documentation of each development tool shall unambiguously define the meaning of all statements as well as all conventions and directives used in the implementation.
ALC_TAT.1.3C   The documentation of each development tool shall unambiguously define the meaning of all implementation-dependent options.

ATE_FUN.1.1C   The test documentation shall consist of test plans, expected test results and actual test results.
ATE_FUN.1.2C   The test plan shall identify the tests to be performed and describe the scenarios for performing each test. These scenarios shall include any ordering dependencies on the results of other tests.
ATE_FUN.1.3C   The expected test results shall show the anticipated outputs from a successful execution of the tests.
ATE_FUN.1.4C   The actual test results shall be consistent with the expected test results.

ATE_IND.2.1C   The TOE shall be suitable for testing.
ATE_IND.2.2C   The developer shall provide an equivalent set of resources to those that were used in the developer's functional testing of the TSF.

AVA_VAN.3.1C   The TOE shall be suitable for testing.

ATE_COV.2.1C   The analysis of the test coverage shall demonstrate the correspondence between the tests in the test documentation and the TSFIs in the functional specification.
ATE_COV.2.2C   The analysis of the test coverage shall demonstrate that all TSFIs in the functional specification have been tested.

ATE_DPT.2.1C   The analysis of the depth of testing shall demonstrate the correspondence between the tests in the test documentation and the TSF subsystems and modules in the TOE design.
ATE_DPT.2.2C   The analysis of the depth of testing shall demonstrate that all TSF subsystems in the TOE design have been tested.
ATE_DPT.2.3C   The analysis of the depth of testing shall demonstrate that the SFR-enforcing modules in the TOE design have been tested.

ASE_CCL.1.1C   The conformance claim shall contain a CC conformance claim that identifies the version of the CC to which the ST and the TOE claim conformance.
ASE_CCL.1.2C   The CC conformance claim shall describe the conformance of the ST to CC Part 2 as either CC Part 2 conformant or CC Part 2 extended.
ASE_CCL.1.3C   The CC conformance claim shall describe the conformance of the ST to CC Part 3 as either CC Part 3 conformant or CC Part 3 extended.
ASE_CCL.1.4C   The CC conformance claim shall be consistent with the extended components definition.
ASE_CCL.1.5C   The conformance claim shall identify all PPs and security requirement packages to which the ST claims conformance.
ASE_CCL.1.6C   The conformance claim shall describe any conformance of the ST to a package as either package conformant or package augmented.
ASE_CCL.1.7C   The conformance claim rationale shall demonstrate that the TOE type is consistent with the TOE type in the PPs for which conformance is being claimed.
ASE_CCL.1.8C   The conformance claim rationale shall demonstrate that the statement of the security problem definition is consistent with the statements of the security problem definition in the PPs for which conformance is being claimed.
ASE_CCL.1.9C   The conformance claim rationale shall demonstrate that the statement of security objectives is consistent with the statement of security objectives in the PPs for which conformance is being claimed.
ASE_CCL.1.10C  The conformance claim rationale shall demonstrate that the statement of security requirements is consistent with the statement of security requirements in the PPs for which conformance is being claimed.

ASE_SPD.1.1C   The security problem definition shall describe the threats.
ASE_SPD.1.2C   All threats shall be described in terms of a threat agent, an asset, and an adverse action.
ASE_SPD.1.3C   The security problem definition shall describe the OSPs.
ASE_SPD.1.4C   The security problem definition shall describe the assumptions about the operational environment of the TOE.

ASE_OBJ.2.1C   The statement of security objectives shall describe the security objectives for the TOE and the security objectives for the operational environment.
ASE_OBJ.2.2C   The security objectives rationale shall trace each security objective for the TOE back to threats countered by the security objective and OSPs enforced by the security objective.
ASE_OBJ.2.3C   The security objectives rationale shall trace each security objective for the operational environment back to threats countered by that security objective, OSPs enforced by the security objective, and assumptions upheld by that security objective.
ASE_OBJ.2.4C   The security objectives rationale shall demonstrate that the security objectives counter all threats.
ASE_OBJ.2.5C   The security objectives rationale shall demonstrate that the security objectives enforce all OSPs.
ASE_OBJ.2.6C   The security objectives rationale shall demonstrate that the security objectives for the operational environment uphold all assumptions.

ASE_ECD.1.1C   The statement of security requirements shall identify all extended security requirements.
ASE_ECD.1.2C   The extended components definition shall define an extended component for each extended security requirement.
ASE_ECD.1.3C   The extended components definition shall describe how each extended component is related to the existing CC components, families, and classes.
ASE_ECD.1.4C   The extended components definition shall use the existing CC components, families, classes, and methodology as a model for presentation.
ASE_ECD.1.5C   The extended components shall consist of measurable and objective elements such that conformance or nonconformance to these elements can be demonstrated.

ASE_REQ.2.1C   The statement of security requirements shall describe the SFRs and the SARs.
ASE_REQ.2.2C   All subjects, objects, operators, security attributes, external entities and other terms that are used in the SFRs and the SARs shall be defined.
ASE_REQ.2.3C   The statement of security requirements shall identify all operations on the security requirements.
ASE_REQ.2.4C   All operations shall be performed correctly.
ASE_REQ.2.5C   Each dependency of the security requirements shall either be satisfied, or the security requirements rationale shall justify the dependency not being satisfied.
ASE_REQ.2.6C   The security requirements rationale shall trace each SFR back to the security objectives for the TOE.
ASE_REQ.2.7C   The security requirements rationale shall demonstrate that the SFRs meet all security objectives for the TOE.
ASE_REQ.2.8C   The security requirements rationale shall explain why the SARs were chosen.
ASE_REQ.2.9C   The statement of security requirements shall be internally consistent.

ASE_TSS.1.1C   The TOE summary specification shall describe how the TOE meets each SFR.

ASE_INT.1.1C   The ST introduction shall contain an ST reference, a TOE reference, a TOE overview and a TOE description.
ASE_INT.1.2C   The ST reference shall uniquely identify the ST.
ASE_INT.1.3C   The TOE reference shall identify the TOE.
ASE_INT.1.4C   The TOE overview shall summarize the usage and major security features of the TOE.
ASE_INT.1.5C   The TOE overview shall identify the TOE type.
ASE_INT.1.6C   The TOE overview shall identify any non-TOE hardware/software/firmware required by the TOE.
ASE_INT.1.7C   The TOE description shall describe the physical scope of the TOE.
ASE_INT.1.8C   The TOE description shall describe the logical scope of the TOE.
EAL 4 Assurance Requirements (CC)
(Table columns: Class / Family / Dependencies / FID / Developer Element / CID. Each entry below gives the component with its class and dependencies, its developer elements by FID, and its content element identifiers, CID.)

ADV_ARC.1  (class ADV; dependencies: ADV_FSP.1 Basic functional specifications; ADV_TDS.1 Basic design)
  ADV_ARC.1.1D  The developer shall design and implement the TOE so that the security features of the TSF cannot be bypassed.
  ADV_ARC.1.2D  The developer shall design and implement the TSF so that it is able to protect itself from tampering by untrusted active entities.
  ADV_ARC.1.3D  The developer shall provide a security architecture description of the TSF.
  Content elements: ADV_ARC.1.1C, ADV_ARC.1.2C, ADV_ARC.1.3C, ADV_ARC.1.4C, ADV_ARC.1.5C

ADV_IMP.1  (class ADV; dependencies: ADV_TDS.3 Basic modular design; ALC_TAT.1 Well defined development tools)
  ADV_IMP.1.1D  The developer shall make available the implementation representation for the entire TSF.
  ADV_IMP.1.2D  The developer shall provide a mapping between the TOE design description and the sample of the implementation representation.
  Content elements: ADV_IMP.1.1C, ADV_IMP.1.2C, ADV_IMP.1.3C

AGD_OPE.1  (class AGD; dependencies: ADV_FSP.1 Basic functional specifications)
  AGD_OPE.1.1D  The developer shall provide operational user guidance.
  Content elements: AGD_OPE.1.1C, AGD_OPE.1.2C, AGD_OPE.1.3C, AGD_OPE.1.4C, AGD_OPE.1.5C, AGD_OPE.1.6C, AGD_OPE.1.7C

AGD_PRE.1  (class AGD; dependencies: None)
  AGD_PRE.1.1D  The developer shall provide the TOE including its preparative procedures.
  Content elements: AGD_PRE.1.1C, AGD_PRE.1.2C

ALC_CMC.4  (class ALC; dependencies: ALC_CMS.1 TOE CM coverage; ALC_DVS.1 Identification of security measures; ALC_LCD.1 Developer defined lifecycle model)
  ALC_CMC.4.1D  The developer shall provide the TOE and a reference for the TOE.
  ALC_CMC.4.2D  The developer shall provide the CM documentation.
  ALC_CMC.4.3D  The developer shall use a CM system.
  Content elements: ALC_CMC.4.1C, ALC_CMC.4.2C, ALC_CMC.4.3C, ALC_CMC.4.4C, ALC_CMC.4.5C, ALC_CMC.4.6C, ALC_CMC.4.7C, ALC_CMC.4.8C, ALC_CMC.4.9C, ALC_CMC.4.10C

ALC_DEL.1  (class ALC; dependencies: None)
  ALC_DEL.1.1D  The developer shall document procedures for delivery of the TOE or parts of it to the consumer.
  ALC_DEL.1.2D  The developer shall use the delivery procedures.
  Content elements: ALC_DEL.1.1C

ALC_LCD.1  (class ALC; dependencies: None)
  ALC_LCD.1.1D  The developer shall establish a life cycle model to be used in the development and maintenance of the TOE.
  ALC_LCD.1.2D  The developer shall provide life cycle definition documentation.
  Content elements: ALC_LCD.1.1C, ALC_LCD.1.2C

ATE_FUN.1  (class ATE; dependencies: ATE_COV.1 Evidence of coverage)
  ATE_FUN.1.1D  The developer shall test the TSF and document the results.
  Content elements: ATE_FUN.1.1C, ATE_FUN.1.2C, ATE_FUN.1.3C, ATE_FUN.1.4C

ATE_IND.2  (class ATE; dependencies: ADV_FSP.2 Security enforcing functional specifications; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures; ATE_COV.1 Evidence of coverage; ATE_FUN.1 Functional testing)
  ATE_IND.2.1D  The developer shall provide the TOE for testing.
  Content elements: ATE_IND.2.1C, ATE_IND.2.2C

ATE_COV.2  (class ATE; dependencies: ADV_FSP.2 Security enforcing functional specifications; ATE_FUN.1 Functional testing)
  ATE_COV.2.1D  The developer shall provide an analysis of the test coverage.
  Content elements: ATE_COV.2.1C, ATE_COV.2.2C

ASE_CCL.1  (class ASE; dependencies: ASE_INT.1 ST introduction; ASE_ECD.1 Extended components definition; ASE_REQ.1 Stated security requirements)
  ASE_CCL.1.1D  The developer shall provide a conformance claim.
  ASE_CCL.1.2D  The developer shall provide a conformance claim rationale.
  Content elements: ASE_CCL.1.1C, ASE_CCL.1.2C, ASE_CCL.1.3C, ASE_CCL.1.4C, ASE_CCL.1.5C, ASE_CCL.1.6C, ASE_CCL.1.7C, ASE_CCL.1.8C, ASE_CCL.1.9C, ASE_CCL.1.10C

ASE_SPD.1  (class ASE; dependencies: None)
  ASE_SPD.1.1D  The developer shall provide a security problem definition.
  Content elements: ASE_SPD.1.1C, ASE_SPD.1.2C, ASE_SPD.1.3C, ASE_SPD.1.4C

ASE_OBJ.2  (class ASE; dependencies: ASE_SPD.1 Security problem definition)
  ASE_OBJ.2.1D  The developer shall provide a statement of security objectives.
  ASE_OBJ.2.2D  The developer shall provide a security objectives rationale.
  Content elements: ASE_OBJ.2.1C, ASE_OBJ.2.2C, ASE_OBJ.2.3C, ASE_OBJ.2.4C, ASE_OBJ.2.5C, ASE_OBJ.2.6C

ASE_ECD.1  (class ASE; dependencies: None)
  ASE_ECD.1.1D  The developer shall provide a statement of security requirements.
  ASE_ECD.1.2D  The developer shall provide an extended components definition.
  Content elements: ASE_ECD.1.1C, ASE_ECD.1.2C, ASE_ECD.1.3C, ASE_ECD.1.4C, ASE_ECD.1.5C

ASE_REQ.2  (class ASE; dependencies: ASE_OBJ.2 Security objectives; ASE_ECD.1 Extended components definition)
  ASE_REQ.2.1D  The developer shall provide a statement of security requirements.
  ASE_REQ.2.2D  The developer shall provide a security requirements rationale.
  Content elements: ASE_REQ.2.1C, ASE_REQ.2.2C, ASE_REQ.2.3C, ASE_REQ.2.4C, ASE_REQ.2.5C, ASE_REQ.2.6C, ASE_REQ.2.7C, ASE_REQ.2.8C, ASE_REQ.2.9C

ASE_TSS.1  (class ASE; dependencies: ASE_INT.1 ST introduction; ASE_REQ.1 Stated security requirements)
  ASE_TSS.1.1D  The developer shall provide a TOE summary specification.
  Content elements: ASE_TSS.1.1C

ASE_INT.1  (class ASE; dependencies: None)
  ASE_INT.1.1D  The developer shall provide an ST introduction.
  Content elements: ASE_INT.1.1C, ASE_INT.1.2C, ASE_INT.1.3C, ASE_INT.1.4C, ASE_INT.1.5C

                                                                                                         ASE_INT.1.6C
                                                                                                     ASE_INT.1.7C
                                                                                                     ASE_INT.1.8C
          ADV_ARC.1 Security architecture                        The developer shall provide the TOE
AVA VAN.4 description                               AVA_VAN.4.1D for testing.                        AVA_VAN.4.1C
          ADV_FSP.2 Security enforcing functional
          specifications
          ADV_TDS.3 Basic modular design

          ADV_ARC.1 Security architecture                        The developer shall provide the
ATE DPT.3 description                               ATE_DPT.3.1D analysis of the depth of testing    ATE_DPT.3.1C

            ADV_TDS.4 Semiformal modular design                                                      ATE_DPT.3.2C

            ATE_FUN.1 Functional testing                                                                ATE_DPT.3.3C
                                                                    The developer shall identify each
          ADV_IMP.1 Implementation representation                   development tool being used for the
ALC TAT.2 of the TSF                              ALC_TAT.2.1D      TOE.                                ALC_TAT.2.1C

                                                                    The developer shall document the
                                                                    selected implementation dependent
                                                    ALC_TAT.2.2D    options of each development tool. ALC_TAT.2.2C
                                                                    The developer shall describe the
                                                                    implementation standards that are
                                                    ALC_TAT.2.3D    being applied by the developer.   ALC_TAT.2.3C



                                                                 The developer shall produce
ALC DVS.1 None                                      ALC_DVS.1.1D development security documentation ALC_DVS.1.1C



                                                                 The devloper shall provide a
ALC CMS.5 None                                      ALC_CMS.5.1D configuration list for the TOE.     ALC_CMS.5.1C

                                                                                                     ALC_CMS.5.2C
                                                                                                    ALC_CMS.5.3C
                                                               The developer shall provide a
ADV FSP.5 ADV_TDS.1 Basic design                  ADV_FSP.5.1D functional specification             ADV_FSP.5.1C
                                                               The devloper shall provide a tracing
          ADV_IMP.1 Implementation representation              from the functional specification to
          of the TSF.                             ADV_FSP.5.2D the SFRs.                            ADV_FSP.5.2C

                                                                                                               ADV_FSP.5.3C

                                                                                                               ADV_FSP.5.4C

                                                                                                               ADV_FSP.5.5C

                                                                                                               ADV_FSP.5.6C

                                                                                                               ADV_FSP.5.7C


                                                                                                               ADV_FSP.5.8C

                                                                                                               ADV_FSP.5.9C
                                                                         The developer shall design and
              ADV_IMP.1 Implementation representation                    implement the entire TSF such that
ADV INT.2     of the TSF                              ADV_INT.2.1D       it has well structured internals      ADV_INT.2.1D

                                                                      The developer shall provide an
          ADV_TDS.3 Basic modular design                 ADV_INT.2.2D internal description and justification   ADV_INT.2.2D
          ALC_TAT.1 Well defined development
          tools
          ADV_FSP.5 Complete semi-formal
          functional specification with additional error              The developer shall provide the
ADV TDS.4 information                                    ADV_TDS.4.1D design for the TOE.                      ADV_TDS.4.1C
                                                             The developer shall provide a
                                                             mapping from the TSFI of the
                                                             functional specification to the lowest
                                                             level of decomposition available in
                                                ADV_TDS.4.2D the TOE design.                        ADV_TDS.4.2C
                                                                                                    ADV_TDS.4.3C

                                                                                                   ADV_TDS.4.4C

                                                                                                   ADV_TDS.4.5C

                                                                                                   ADV_TDS.4.6C

                                                                                                   ADV_TDS.4.7C



                                                                                                   ADV_TDS.4.8C

                                                                                                   ADV_TDS.4.9C

                                                                                                   ADV_TDS.4.10C

                                                                The developer shall identify the
          ADV_IMP.1 Subset of the implementation                development tools being used for
ALC TAT.2 of the TOE.                            ALC_TAT.2.1D   the TOE.                           ALC-TAT.2.1C

                                                                The developer shall document the
                                                                selected implementation dependent
                                                ALC_TAT.2.2D    options of the development tools. ALC-TAT.2.2C

                                                                                                   ALC-TAT.2.3C


                                                             The developer shall produce
                                                             development security
ALC DVS.1 None                                  ALC_DVS.1.1D documentation.                        ALC_DVS.1.1C
                                                                                                   ALC_DVS.1.2C

          ADV_ARC.1 Secuirty architecture                      The developer shall provide the
ATE DPT.3 description                             ATE_DPT.3.1D analysis of the depth of testing.   ATE_DPT.3.1C

            ADV_TDS.4 Semiformal modular design                                                    ATE_DPT.3.2C

            ATE_FUN.1 Functional testing                                                           ATE_DPT.3.3C



                                                               The developer shall provide a
ALC CMS.5 None                                    ALC_CMS.5.1D configuration list for the TOE      ALC_CMS.5.1C

                                                                                                   ALC_CMS.5.2C

                                                                                                   ALC_CMS.5.3C
Content & Presentation Elements

       The security architecture description shall be at a level of detail
       commensurate with the description of the SFR-enforcing abstractions
       described in the TOE design document.



       The security architecture description shall describe the security
       domains maintained by the TSF consistently with the SFRs.

       The security architecture description shall describe how the TSF
       initialization process is secure.
       The security architecture description shall demonstrate that the TSF
       protects itself from tampering.
       The security architecture description shall demonstrate that the TSF
       prevents bypass of the SFR-enforcing functionality.
       The implementation representation shall define the TSF to a level of
       detail such that the TSF can be generated without further design
       decisions.


       The implementation representation shall be in the form used by the
       development personnel.
       The mapping between the TOE design description and the sample of
       the implementation representation shall demonstrate their
       correspondence.

       The operational user guidance shall describe, for each user role, the
       user-accessible functions and privileges that should be controlled in a
       secure processing environment, including appropriate warnings.
       The operational user guidance shall describe, for each user role, how
       to use the available interfaces provided by the TOE in a secure
       manner.
The operational user guidance shall describe, for each user role, the
available functions and interfaces, in particular all security
parameters under the control of the user, indicating secure values as
appropriate.

The operational user guidance shall, for each user role, clearly
present each type of security relevant event relative to the user
accessible functions that need to be performed, including changing
the security characteristics of entities under the control of the TSF.
The operational user guidance shall identify all possible modes of
operation of the TOE (including operation following failure or
operational error), their consequences and implications for
maintaining secure operation.

The operational user guidance shall, for each user role, describe the
security measures to be followed in order to fulfil the security
objectives for the operational environment as described in the ST.
The operational user guidance shall be clear and reasonable.
The preparative procedures shall describe all the steps necessary for
secure acceptance of the delivered TOE in accordance with the
developer's delivery procedures.

The preparative procedures shall describe all the steps necessary for
secure installation of the TOE and for the secure preparation of the
operational environment in accordance with the security objectives
for the operational environment as described in the ST.

The TOE shall be labelled with its unique reference.
The CM documentation shall describe the method used to uniquely
identify the configuration items.

The CM system shall uniquely identify all configuration items.
The CM system shall provide automated measures such that only
authorised changes are made to the configuration items.
The CM system shall support the production of the TOE by
automated means.
The CM documentation shall include a CM plan.
The CM plan shall describe how the CM system is used for the
development of the TOE.
The CM plan shall describe the procedures used to accept modified
or newly created configuration items as part of the TOE.
The evidence shall demonstrate that all configuration items are being
maintained under the CM system.
The evidence shall demonstrate that the CM system is being operated
in accordance with the CM plan.
The delivery documentation shall describe all procedures that are
necessary to maintain security when distributing versions of the TOE
to the consumer.




The lifecycle definition documentation shall describe the model used
to develop and maintain the TOE.
The lifecycle model shall provide for the necessary control over the
development and maintenance of the TOE.
The test documentation shall consist of test plans, expected test
results and actual test results.

The test plan shall identify the tests to be performed and describe
the scenarios for performing each test. These scenarios shall include
any ordering dependencies on the results of other tests.
The expected test results shall show the anticipated outputs from a
successful execution of the tests.
The actual test results shall be consistent with the expected test
results.

The TOE shall be suitable for testing

The developer shall provide an equivalent set of resources to those
that were used in the developer's functional testing of the TSF.
The analysis of the test coverage shall demonstrate the
correspondence between the tests in the test documentation and the
TSFIs in the functional specification.
The analysis of the test coverage shall demonstrate that all TSFIs in
the functional specification have been tested.

The conformance claim shall contain a CC conformance claim that
identifies the version of the CC to which the ST and the TOE claim
conformance.

The CC conformance claim shall describe the conformance of the ST
to CC Part 2 as either CC part 2 conformant or CC Part 2 extended.

The CC conformance claim shall describe the conformance of the ST
to CC Part 3 as either CC part 3 conformant or CC Part 3 extended.
The CC conformance claim shall be consistent with the extended
components definition.
The conformance claim shall identify all PPs and security
requirement packages to which the ST claims conformance.

The conformance claim shall describe any conformance of the ST to
a package as either package conformant or package augmented.
The conformance claim rationale shall demonstrate that the TOE type
is consistent with the TOE type in the PPs for which conformance is
being claimed.
The conformance claim rationale shall demonstrate that the statement
of the security problem definition is consistent with the statements of
the security problem definition in the PPs for which conformance is
being claimed.

The conformance claim rationale shall demonstrate that the statement
of security objectives is consistent with the statement of security
objectives in the PPs for which conformance is being claimed.

The conformance claim rationale shall demonstrate that the statement
of security requirements is consistent with the statement of security
requirements in the PPs for which conformance is being claimed.
The security problem definition shall describe the threats.
All threats shall be described in terms of a threat agent, an asset,
and an adverse action.
The security problem definition shall describe the OSPs.
The security problem definition shall describe the assumptions about
the operational environment of the TOE.
The statement of security objectives shall describe the security
objectives for the TOE and the security objectives for the operational
environment.
The security objectives rationale shall trace each security objective
for the TOE back to threats countered by the security objective and
OSPs enforced by the security objective.

The security objectives rationale shall trace each security objective
for the operational environment back to threats countered by that
security objective, OSPs enforced by the security objective, and
assumptions upheld by that security objective.
The security objectives rationale shall demonstrate that the security
objectives counter all threats.
The security objectives rationale shall demonstrate that the security
objectives enforce all OSPs.

The security objectives rationale shall demonstrate that the security
objectives for the operational environment uphold all assumptions.

The statement of security requirements shall identify all extended
security requirements.
The extended components definition shall define an extended
component for each extended security requirement.
The extended components definition shall describe how each
extended component is related to the existing CC components,
families, and classes.
The extended components definition shall use the existing CC
components, families, classes, and methodology as a model for
presentation.
The extended components shall consist of measurable and objective
elements such that conformance or nonconformance to these
elements can be demonstrated.

The statement of security requirements shall describe the SFRs and
the SARs.
All subjects, objects, operations, security attributes, external entities
and other terms that are used in the SFRs and the SARs shall be
defined.
The statement of security requirements shall identify all operations
on the security requirements.
All operations shall be performed correctly.
Each dependency of the security requirements shall either be
satisfied, or the security requirements rationale shall justify the
dependency not being satisfied.
The security requirements rationale shall trace each SFR back to the
security objectives for the TOE.
The security requirements rationale shall demonstrate that the SFRs
meet all security objectives for the TOE.
The security requirements rationale shall explain why the SARs were
chosen.

The statement of security requirements shall be internally consistent.
The TOE summary specification shall describe how the TOE meets
each SFR.


The ST introduction shall contain an ST reference, a TOE reference,
a TOE overview and a TOE description.
The ST reference shall uniquely identify the ST.
The TOE reference shall identify the TOE.
The TOE overview shall summarize the usage and major security
features of the TOE.
The TOE overview shall identify the TOE type.
The TOE overview shall identify any non-TOE
hardware/software/firmware required by the TOE.
The TOE description shall describe the physical scope of the TOE.
The TOE description shall describe the logical scope of the TOE.

The TOE shall be suitable for testing



The analysis of the depth of testing shall demonstrate the
correspondence between the tests in the test documentation and the
TSF subsystems and modules in the TOE design.
The analysis of the depth of testing shall demonstrate that all TSF
subsystems in the TOE design have been tested.
The analysis of the depth of testing shall demonstrate that all modules
in the TOE design have been tested.


Each development tool used for implementation shall be well defined.

The documentation of each development tool shall unambiguously
define the meaning of all statements as well as all conventions and
directives used in the implementation.

The documentation of each development tool shall unambiguously
define the meaning of all implementation dependent options.

The development security documentation shall describe all the
physical, procedural, personnel, and other security measures that are
necessary to protect the confidentiality and integrity of the TOE
design and implementation in its development environment.

The configuration list shall include the following: the TOE itself, the
evaluation evidence required by the SARs; the parts that comprise
the TOE; the implementation representation; security flaw reports
and resolution status; and development tools and related information.

The configuration list shall uniquely identify the configuration items.
For each TSF-relevant configuration item, the configuration list shall
indicate the developer of the item.

The functional specification shall completely represent the TSF.

The functional specification shall describe the TSFI using a semi-
formal style.
The functional specification shall describe the purpose and method
of use for all TSFI.
The functional specification shall identify and describe all parameters
associated with each TSFI.
The functional specification shall describe all actions associated with
each TSFI.
The functional specification shall describe all direct error messages
that may result from an invocation of each TSFI.
The functional specification shall describe all error messages that do
not result from an invocation of a TSFI.
The functional specification shall provide a rationale for each error
message that is contained in the TSF implementation yet does not
result from an invocation of a TSFI.
The tracing shall demonstrate that the SFRs trace to TSFIs in the
functional specification.

The justification shall explain the characteristics used to judge the
meaning of "well structured".

The TSF internals description shall demonstrate that the entire TSF is
well structured.



The design shall describe the structure of the TOE in terms of
subsystems.
The design shall describe the TSF in terms of modules, designating
each module as SFR enforcing, SFR supporting or SFR non
interfering.
The design shall identify all subsystems of the TSF.

The design shall provide a description of each subsystem of the TSF.
The design shall provide a description of the interactions among all
subsystems of the TSF.
The design shall provide a mapping from the subsystems of the TSF
to the modules of the TSF.
The design shall describe each SFR-enforcing and SFR-supporting
module in terms of its purpose.

The design shall describe each SFR enforcing and SFR supporting
module in terms of its SFR related interfaces, return values from
those interfaces, and called interfaces to other modules.
The design shall describe each SFR-non-interfering module in terms of
its purpose and interaction with other modules.
The mapping shall demonstrate that all behaviour described in the
TOE design is mapped to the TSFIs that invoke it.




All development tools used for implementation shall be well defined.


The documentation of the development tools shall unambiguously
define the meaning of all statements used in the implementation.
The documentation of the development tools shall unambiguously
define the meaning of all implementation-dependent options.

The development security documentation shall describe all the
physical, procedural, personnel, and other security measures that are
necessary to protect the confidentiality and integrity of the TOE
design and implementation in its development environment.
The development security documentation shall provide evidence that
these security measures are followed during the development and
maintenance of the TOE.
The analysis of the depth of testing shall demonstrate the
correspondence between the tests in the test documentation and the
TSF subsystems and modules in the TOE design.
The analysis of the depth of testing shall demonstrate that all TSF
subsystems in the TOE design have been tested.
The analysis of the depth of testing shall demonstrate that all modules
in the TOE design have been tested.

The configuration list shall include the following: the TOE itself; the
evaluation evidence required by the SARs; the parts that comprise
the TOE; the implementation representation; security flaw reports
and resolution status; and development tools and related information.

The configuration list shall uniquely identify the configuration items.
For each TSF relevant configuration item, the configuration list shall
indicate the developer of the item.
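Three of the content elements listed above are mechanical consistency checks that an evaluator repeats by hand on every ST: each SFR dependency must be satisfied or justified in the security requirements rationale (ASE_REQ), each SFR must trace to a TSFI of the functional specification (ADV_FSP tracing), and each TSFI must be exercised by a test (ATE_COV). The Python script below, added here as a worked example and not part of the original spreadsheet, runs those three checks over a constructed miniature Security Target. The dependency table is a simplified, hand-picked subset of CC Part 2 dependencies, the hierarchy table covers only the two components used, and the TSFI names, test identifiers and justification text are invented for illustration; a real check would load all of them from the evaluation evidence.

```python
"""Consistency checks an evaluator applies to ST evidence (added example).

  - ASE_REQ: every SFR dependency is satisfied, directly or by a component
    hierarchical to the required one, or is justified in the rationale;
  - ADV_FSP: every SFR traces to at least one TSFI, and the tracing only
    names TSFIs that exist in the functional specification;
  - ATE_COV: every TSFI in the functional specification is covered by a test.
"""
from dataclasses import dataclass, field

# Constructed, simplified subset of CC Part 2 dependencies (an assumption of
# this example, not a complete table). Each tuple lists alternatives; any one
# alternative satisfies the dependency (e.g. FDP_ACC.1 or FDP_IFC.1).
SFR_DEPENDENCIES = {
    "FAU_GEN.1": [("FPT_STM.1",)],
    "FAU_GEN.2": [("FAU_GEN.1",), ("FIA_UID.1",)],
    "FAU_SAR.1": [("FAU_GEN.1",)],
    "FIA_UAU.2": [("FIA_UID.1",)],
    "FIA_UID.2": [],
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), ("FMT_SMR.1",), ("FMT_SMF.1",)],
    "FMT_SMR.1": [("FIA_UID.1",)],
    "FMT_SMF.1": [],
    "FPT_STM.1": [],
}
# A component satisfies a dependency on any component it is hierarchical to.
HIERARCHICAL_TO = {"FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}


@dataclass
class SecurityTarget:
    sfrs: set
    justified: dict = field(default_factory=dict)  # sfr -> {dependency: rationale}
    tsfis: set = field(default_factory=set)        # interfaces in the functional spec
    tracing: dict = field(default_factory=dict)    # sfr -> [tsfi, ...]
    tests: dict = field(default_factory=dict)      # test id -> [tsfi, ...]


def covers(component, required):
    """True if `component` is `required` or is (transitively) hierarchical to it."""
    while component is not None:
        if component == required:
            return True
        component = HIERARCHICAL_TO.get(component)
    return False


def unsatisfied_dependencies(st):
    """ASE_REQ: (sfr, dependency) pairs that are neither satisfied nor justified."""
    findings = []
    for sfr in sorted(st.sfrs):
        for alternatives in SFR_DEPENDENCIES.get(sfr, []):
            satisfied = any(covers(c, r) for c in st.sfrs for r in alternatives)
            justified = any(r in st.justified.get(sfr, {}) for r in alternatives)
            if not (satisfied or justified):
                findings.append((sfr, "/".join(alternatives)))
    return findings


def untraced_sfrs(st):
    """ADV_FSP tracing: SFRs that trace to no TSFI of the functional specification."""
    return sorted(s for s in st.sfrs if not set(st.tracing.get(s, [])) & st.tsfis)


def unknown_tsfis_in_tracing(st):
    """ADV_FSP tracing: (sfr, name) pairs where the tracing names a non-existent TSFI."""
    return sorted((s, t) for s, ts in st.tracing.items() for t in ts if t not in st.tsfis)


def untested_tsfis(st):
    """ATE_COV: TSFIs not exercised by any test in the test documentation."""
    tested = {t for ts in st.tests.values() for t in ts}
    return sorted(st.tsfis - tested)


def example_st():
    """Constructed miniature ST; interface names, test ids and rationale are invented."""
    return SecurityTarget(
        sfrs={"FAU_GEN.1", "FAU_GEN.2", "FIA_UID.2", "FIA_UAU.2", "FMT_SMR.1", "FMT_SMF.1"},
        justified={"FAU_GEN.1": {"FPT_STM.1": "Reliable time stamps are provided by the "
                                 "operational environment (objective OE.TIME)."}},
        tsfis={"login", "logout", "audit_query", "audit_export"},
        tracing={"FAU_GEN.1": ["login", "logout"], "FAU_GEN.2": ["login"],
                 "FIA_UID.2": ["login"], "FIA_UAU.2": ["login"],
                 "FMT_SMR.1": [], "FMT_SMF.1": ["audit_export", "set_policy"]},
        tests={"T01": ["login", "logout"], "T02": ["audit_query"]},
    )


def check_evidence(st):
    """All findings in one report; empty lists throughout mean the evidence is consistent."""
    return {
        "unsatisfied_dependencies": unsatisfied_dependencies(st),
        "untraced_sfrs": untraced_sfrs(st),
        "unknown_tsfis_in_tracing": unknown_tsfis_in_tracing(st),
        "untested_tsfis": untested_tsfis(st),
    }


if __name__ == "__main__":
    for check, findings in check_evidence(example_st()).items():
        print(f"{check}: {findings or 'OK'}")
```

On the constructed ST the dependency check passes only because the FPT_STM.1 dependency of FAU_GEN.1 carries a rationale; remove that entry and the check reports it. The tracing check flags FMT_SMR.1 (traces to nothing) and the name `set_policy` (not a TSFI of the functional specification), and the coverage check flags `audit_export`, which no test exercises. Hierarchy matters for the dependency check: FIA_UID.2 satisfies every dependency on FIA_UID.1 without FIA_UID.1 being claimed itself.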
EAL 4 Assurance Requirements (CC)
Class  Family   Dependencies / developer element IDs

ADV  ARC.1   Dependencies: ADV_FSP.1 Basic functional specification; ADV_TDS.1 Basic design
             Developer elements: ADV_ARC.1.1D  ADV_ARC.1.2D  ADV_ARC.1.3D

AVA  VAN.5   Dependencies: ADV_ARC.1 Security architecture description; ADV_FSP.2 Security-enforcing functional specification; ADV_TDS.3 Basic modular design; ADV_IMP.1 Implementation representation of the TSF; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
             Developer elements: AVA_VAN.5.1D

AGD  OPE.1   Dependencies: ADV_FSP.1 Basic functional specification
             Developer elements: AGD_OPE.1.1D

AGD  PRE.1   Dependencies: None
             Developer elements: AGD_PRE.1.1D

ATE  FUN.2   Dependencies: ATE_COV.1 Evidence of coverage
             Developer elements: ATE_FUN.2.1D  ATE_FUN.2.2D

ALC  DEL.1   Dependencies: None
             Developer elements: ALC_DEL.1.1D  ALC_DEL.1.2D

ALC  LCD.1   Dependencies: None
             Developer elements: ALC_LCD.1.1D  ALC_LCD.1.2D

ATE  COV.3   Dependencies: ADV_FSP.2 Security-enforcing functional specification; ATE_FUN.1 Functional testing
             Developer elements: ATE_COV.3.1D

ASE  INT.1   Dependencies: None
             Developer elements: ASE_INT.1.1D

ATE  IND.2   Dependencies: ADV_FSP.2 Security-enforcing functional specification; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures; ATE_COV.1 Evidence of coverage; ATE_FUN.1 Functional testing
             Developer elements: ATE_IND.2.1D

ALC  TAT.3   Dependencies: ADV_IMP.1 Implementation representation of the TSF
             Developer elements: ALC_TAT.3.1D  ALC_TAT.3.2D  ALC_TAT.3.3D

ASE  CCL.1   Dependencies: ASE_INT.1 ST introduction; ASE_ECD.1 Extended components definition; ASE_REQ.1 Stated security requirements
             Developer elements: ASE_CCL.1.1D  ASE_CCL.1.2D

ASE  SPD.1   Dependencies: None
             Developer elements: ASE_SPD.1.1D

ASE  OBJ.2   Dependencies: ASE_SPD.1 Security problem definition
             Developer elements: ASE_OBJ.2.1D  ASE_OBJ.2.2D

ASE  ECD.1   Dependencies: None
             Developer elements: ASE_ECD.1.1D  ASE_ECD.1.2D

ASE  REQ.2   Dependencies: ASE_OBJ.2 Security objectives; ASE_ECD.1 Extended components definition
             Developer elements: ASE_REQ.2.1D  ASE_REQ.2.2D

ASE  TSS.1   Dependencies: ASE_INT.1 ST introduction; ASE_REQ.1 Stated security requirements
             Developer elements: ASE_TSS.1.1D

ATE  DPT.3   Dependencies: ADV_ARC.1 Security architecture description; ADV_TDS.4 Semiformal modular design; ATE_FUN.1 Functional testing
             Developer elements: ATE_DPT.3.1D

ALC  CMS.5   Dependencies: None
             Developer elements: ALC_CMS.5.1D

ADV  FSP.5   Dependencies: ADV_TDS.1 Basic design; ADV_IMP.1 Implementation representation of the TSF
             Developer elements: ADV_FSP.5.1D  ADV_FSP.5.2D

ALC  DVS.2   Dependencies: None
             Developer elements: ALC_DVS.2.1D

ALC  CMC.5   Dependencies: ALC_CMS.1 TOE CM coverage; ALC_DVS.2 Sufficiency of security measures; ALC_LCD.1 Developer-defined life-cycle model
             Developer elements: ALC_CMC.5.1D  ALC_CMC.5.2D  ALC_CMC.5.3D

ADV  TDS.5   Dependencies: ADV_FSP.5 Complete semi-formal functional specification with additional error information
             Developer elements: ADV_TDS.5.1D  ADV_TDS.5.2D

ADV  SPM.1   Dependencies: ADV_FSP.4 Complete functional specification
             Developer elements: ADV_SPM.1.1D  ADV_SPM.1.2D  ADV_SPM.1.3D

ADV  INT.3   Dependencies: ADV_IMP.1 Implementation representation of the TSF; ADV_TDS.3 Basic modular design; ALC_TAT.1 Well-defined development tools
             Developer elements: ADV_INT.3.1D  ADV_INT.3.2D

ADV  IMP.2   Dependencies: ADV_TDS.3 Basic modular design; ALC_TAT.1 Well-defined development tools; ALC_CMS.5 Development tools CM coverage
             Developer elements: ADV_IMP.2.1D  ADV_IMP.2.2D

ASE  ECD.1   Dependencies: None
             Developer elements: ASE_ECD.1.1D  ASE_ECD.1.2D
EAL 4 Assurance Requirements (CC), continued: developer elements and content element IDs

ADV_ARC.1
  ADV_ARC.1.1D  The developer shall design and implement the TOE so that the security features of the TSF cannot be bypassed.
  ADV_ARC.1.2D  The developer shall design and implement the TSF so that it is able to protect itself from tampering by
  ADV_ARC.1.3D  The developer shall provide a security architecture description of
  Content elements: ADV_ARC.1.1C  ADV_ARC.1.2C  ADV_ARC.1.3C  ADV_ARC.1.4C  ADV_ARC.1.5C

AVA_VAN.5
  AVA_VAN.5.1D  The developer shall provide the TOE for testing.
  Content elements: AVA_VAN.5.1C

AGD_OPE.1
  AGD_OPE.1.1D  The developer shall provide operational user guidance.
  Content elements: AGD_OPE.1.1C  AGD_OPE.1.2C  AGD_OPE.1.3C  AGD_OPE.1.4C  AGD_OPE.1.5C  AGD_OPE.1.6C  AGD_OPE.1.7C

AGD_PRE.1
  AGD_PRE.1.1D  The developer shall provide the TOE including its preparative procedures.
  Content elements: AGD_PRE.1.1C  AGD_PRE.1.2C

ATE_FUN.2
  ATE_FUN.2.1D  The developer shall test the TSF and document the results.
  ATE_FUN.2.2D  The developer shall provide test documentation.
  Content elements: ATE_FUN.2.1C  ATE_FUN.2.2C  ATE_FUN.2.3C  ATE_FUN.2.4C  ATE_FUN.2.5C

ALC_DEL.1
  ALC_DEL.1.1D  The developer shall document procedures for delivery of the TOE or parts of it to the consumer.
  ALC_DEL.1.2D  The developer shall use the delivery procedures.
  Content elements: ALC_DEL.1.1C

ALC_LCD.1
  ALC_LCD.1.1D  The developer shall establish a life-cycle model to be used in the development and maintenance of
  ALC_LCD.1.2D  The developer shall provide life-cycle definition documentation.
  Content elements: ALC_LCD.1.1C  ALC_LCD.1.2C

ATE_COV.3
  ATE_COV.3.1D  The developer shall provide an analysis of the test coverage.
  Content elements: ATE_COV.3.1C  ATE_COV.3.2C

ASE_INT.1
  ASE_INT.1.1D  The developer shall provide an ST introduction.
  Content elements: ASE_INT.1.1C  ASE_INT.1.2C  ASE_INT.1.3C  ASE_INT.1.4C  ASE_INT.1.5C  ASE_INT.1.6C  ASE_INT.1.7C  ASE_INT.1.8C

ATE_IND.2
  ATE_IND.2.1D  The developer shall provide the TOE for testing.
  Content elements: ATE_IND.2.1C  ATE_IND.2.2C

ALC_TAT.3
  ALC_TAT.3.1D  The developer shall identify each development tool being used for the TOE.
  ALC_TAT.3.2D  The developer shall document the selected implementation-dependent options of each development tool.
  ALC_TAT.3.3D  The developer shall describe the implementation standards that are being applied by the developer and by any third-party providers for all parts of the TOE.
  Content elements: ALC_TAT.3.1C  ALC_TAT.3.2C  ALC_TAT.3.3C

ASE_CCL.1
  ASE_CCL.1.1D  The developer shall provide a conformance claim.
  ASE_CCL.1.2D  The developer shall provide a conformance claim rationale.
  Content elements: ASE_CCL.1.1C  ASE_CCL.1.2C  ASE_CCL.1.3C  ASE_CCL.1.4C  ASE_CCL.1.5C  ASE_CCL.1.6C  ASE_CCL.1.7C  ASE_CCL.1.8C  ASE_CCL.1.9C  ASE_CCL.1.10C

ASE_SPD.1
The developer shall provide a
security problem definition.         ASE_SPD.1.1C

                                     ASE_SPD.1.2C

                                     ASE_SPD.1.3C


                                     ASE_SPD.1.4C

The developer shall provide a
statement of security objectives.    ASE_OBJ.2.1C


The developer shall provide a
security objectives rationale.       ASE_OBJ.2.2C




                                     ASE_OBJ.2.3C

                                     ASE_OBJ.2.4C

                                     ASE_OBJ.2.5C


                                     ASE_OBJ.2.6C

The developer shall provide a
statement of security requirements   ASE_ECD.1.1C

The developer shall provide an
extended compon4ents definition      ASE_ECD.1.2C


                                     ASE_ECD.1.3C
                                     ASE_ECD.1.4C



                                     ASE_ECD.1.5C
The developer shall provide a
statement of security requirements   ASE_REQ.2.1C

The developer shall provide a
security requirements rationale      ASE_REQ.2.2C

                                     ASE_REQ.2.3C
                                     ASE_REQ.2.4C


                                     ASE_REQ.2.5C

                                     ASE_REQ.2.6C

                                     ASE_REQ.2.7C

                                     ASE_REQ.2.8C

                                  ASE_REQ.2.9C
The developer shall provide a TOE
summary specification.            ASE_TSS.1.1C




The developer shall provide the
analysis of the depth of testing     ATE_DPT.3.1C


                                     ATE_DPT.3.2C

                                     ATE_DPT.3.3C




The devloper shall provide a
configuration list for the TOE.      ALC_CMS.5.1C

                                     ALC_CMS.5.2C

                                     ALC_CMS.5.3C
The developer shall provide a
functional specification             ADV_FSP.5.1C
The devloper shall provide a tracing
from the functional specification to
the SFRs.                            ADV_FSP.5.2C

                                   ADV_FSP.5.3C

                                   ADV_FSP.5.4C

                                   ADV_FSP.5.5C


                                   ADV_FSP.5.6C


                                   ADV_FSP.5.7C



                                   ADV_FSP.5.8C

                                   ADV_FSP.5.9C


The developer shall produce
development security
documentation                      ALC_DVS.2.1C



                                   ALC_DVS.2.2C
The developer shall provide the
TOE and a reference for the TOE. ALC_CMC.5.1C
The developer shall provide the CM
documentation                      ALC_CMC.5.2C
The developer shall use a CM
system


The developer shall provide the
design of the TOE.                     ADV_TDS.5.1C
The developer shall provide a
mapping from the TSFI of the
functional specification to the lowest
level of decomposition available in
the TOE design.                        ADV_TDS.5.2C
                                       ADV_TDS.5.3C

                                   ADV_TDS.5.4C

                                   ADV_TDS.5.5C

                                   ADV_TDS.5.6C
                                     ADV_TDS.5.7C


                                     ADV_TDS.5.8C

The developer shall provide a
formal security polciy model         ADV_SPM.1.1C
The developer shall provide a
formal proof of correspondence
between the model and any formal
functional specifications.           ADV_SPM.1.2C
The developer shall provide a
demostration of correspondence
betwee the model and the
functional specification.            ADV_SPM.1.3C


                                     ADV_SPM.1.4C



                                     ADV_SPM.1.5C

The developer shall design and
implement the entire TSF such that
it has well structured internals   ADV_INT.3.1C

The developer shall provide an
internal description and justification. ADV_INT.3.2C

                                   ADV_INT.3.3C
The developer shall make avaialble
the implementation representation
for the entire TSF.                ADV_IMP.2.1C
The developer shall provide a
mapping between the TOE design
description and the entire
implementation representation.     ADV_IMP.2.2C


                                     ADV_IMP.2.3C

The developer shall provide a
statement of security requirements   ASE_ECD.1.1C

The developer shall provide an
extended compon4ents definition      ASE_ECD.1.2C


                                     ASE_ECD.1.3C
ASE_ECD.1.4C



ASE_ECD.1.5C
CC)
      Conent & Presentation Elements
      The security architecture description shall be at a level of
      detail commensurate with the description of the SFR-
      enforcing abstractions described in the TOE design
      document.
      The security architecture description shall describe the
      security domains maintained by the TSF consistently with
      the SFRs.
      The security architecture description shall describe how the
      TSF initialization process is secure.
      The security architecture description shall demostrate that
      the TSF protects itself from tampering.
      The security architecture description shall demostrate that
      the TSF prevents bypass of the SFR enforcing
      functionality.

      The TOE shall be suitable for testing.




      The operational user guidance shall describe, for each
      user role, the user accessible functions and privileges that
      should be controlled in a secure processing environemnt,
      including appropriate warnings.
      The operational user guidance shall describe, for each
      user role, how to use the avaialble interfaces provided by
      the TOE in a secure manner.
      The operational user guidance shall describe , for each
      user role, the avaialble functions and interfaces, in
      particular all security parameters under the control of the
      user, indicating secure values as appropriate.
      The operational user guidance shall, for each user role,
      clearly present each type of security relevant event relative
      to the user accessible functions that need to be performed,
      including changing the security characteristics of entities
      under the control of the TSF.
      The operational user guidance shall identify all possible
      modes of operation of the TOE (including operqation
      following failure or operational error), their consequences
      and implications for maintianing secure operations.
The operational user guidance shall, for each user role,
describe the security measures to be followed in order to
fulfill the security objectives for the operational environemnt
as described in the ST.
The operational user guidance shall be clear and
reasonable.
The preparative procedures shall describe all the steps
necessary for secure acceptance of the delivered TOE in
accordance with the developer's delivery procedures.
The preparative procedures shall describe all the steps
necessary for secure installation of the TOE and for the
secure preparation of the operational environemnt in
accordance with the security objectives for the operational
environment as described in the ST.
The test documentation shall consist of test plans,
expected test results and actual test results.
The test plans shall identify the tests to be performed and
describe the scenarios for performing each test. These
scenarios shall include any ordering dependencies on the
results of other tests.
The expected test results shall show the anticipated
outputs from a successful execution of the tests.
The qactual test results shall be consistent with the
expected test results.
The test documentation shall include an analysis of the test
procedure ordering dependencies.
The delivery documentation shall describe all procedures
that are necessary to maintain security when distributing
versions of the TOE to the consumer.



The lifecycle definition documentation shall describe the
model used to develop and maintain the TOE.

The lifecycle model shall provide for the necessary control
over the development and maintenance of the TOE.
The analysis of the test coverage shall demostrate the
correspondence between the tests in the test
documentation and the TSFIs in the functional
specification.
The analysis of the test coverage shall demostrate that all
TSFIs in the functional specification have been completed
tested.

The ST introduction shall contain an ST reference, a TOE
reference, and TOE overview and a TOE description.
The ST reference shall uniquely identify the ST.
The TOE reference shall identify the TOE
The TOE overview shall summarize the usage and major
security features of the TOE.
The TOE overview shall identify the TOE type.
The TOE overview shall identify any non TOE
hardware/software/firmware required by the TOE.
The TOE description shall describe the physical scope of
the TOE.
The TOE description shall describe the logical scope of the
TOE.


The TOE shall be suitable for testing
The developer shall provide an equivalent set of resources
to those that were used in the developer's functional testing
of the TSF.




Each development tool used for implementation shall be
well defined.

The documentaiton of each development tool shall
unambiguously define the meaning of all statements as
well as all conventions and directives used in the
implementation


The documentation of each development tool shall
unambiguously define the meaning of all implementatiojn
dependent options.
The conformance claim shall contain a CC conformance
claim that identifies the version of the CC to which the ST
and the TOE claim conformance.
The CC conformance claim shall describe the
conformance of the ST to CC Part 2 as either CC part 2
conformant or CC Part 2 extended.
The CC conformance claim shall describe the
conformance of the ST to CC Part 3 as either CC part 3
conformant or CC Part 3 extended.
The CC conformance claim shall be consistent with the
extended component defintion
The conformance claim shall identify all PPs and security
requirement packages to which the ST claims
conformance.
The conformance claim shall describe any conformance of
the ST to a package as either package conformant or
package augmented.
The conformance claim rationale shall demostrate that the
TOE type is consistent with the TOE type in the PPs for
which conformance is being claimed.
The conformance claim rationale shall demostrate that the
statement of the security problem definition is consistent
with the statements of the security problem definition in the
PPs for which conformance is being claimed.
The conformance claim rationale shall demostrate that the
statement of security objectives is consistent with the
statement of security objectives in the PPs for which
conformance is being claimed.
The conformance claim rationale shall demostrate that the
statement of security requirements is consistent with the
statement of security requirements in the PPs for which
conformance is being claimed.

The security problem definition shall describe the threats.
All threats shall be described in terms of a threat agent, an
asset, and an adverse action.

The secuirty problem definition shall describe the OSPs.
The security problem definition shall describe the
assumptions about the operational environemnt of the
TOE.
The statement od security objectives shall describe the
security objectives for the TOE and the security objectives
for the operational environment
The security objectives rationale shall trace each security
objective for the TOE back to threats countered by the
security objective and OSPs enforced by the security
objective.
The security objectives rationale shall trace each security
objective for the operational environment back to threats
countered by that security objective, OSPs enforced by the
security objective, and assumptions upheld by that security
objective.
The security objective rationale shall demostrate that the
security objectives counter all threats.
The security objective rational shall demostrate that the
security objectives enforce all OSPs.
The security objectives rationale shall demostrate that the
security objectives for the operational environemnt uphold
all assumptions

The statement of security requirements shall identify all
extended security requirements.
The extended components definition shall define an
extended component for each extended security
requirement.
The extended components definition shall describe how
each extended component is related to the existing CC
components, families, and classes.
The extended components definition shall use the existing
CC components, families, classes, and methodology as a
model for presentation.

The extended components shall consist of measurable and
objective elements such that conformaance or
nonconformance to these elements can be demostrated.
The statement of security requirements shall describe the
SFRs and the SARs
All subjects, objects, operators, security attributes, external
entities and other terms that are used in the SFRs and the
SARs shall be defined.
The statemetn of security requirements shall identify all
operations on the security requirements.
All operations shall be performed correctly
Each dependency of the security requirements shall either
be satisfied, or the security requirements rationale shall
justify the dependency not being satisfied.
The security requirement rationale shall trace each SFR
back to the secuirty objectives for the TOE.
The security requirement rationale shall demostrate that
the SFRs meet all security objectives for the TOE.
The security requirements rationale shall explain why the
SARs were chosen.
The statement of security requirements shall be internally
consistent.
The TOE summary specification shall describe how the
TOE meets each SFR.


The analysis of the depth of testing shall demostrate the
coorespondence between the tests in the test
documentation and the TSF subsystems and modules in
the TOE design.

The analysis of the depth of testing shall demostrate that
all TSF subsystems in the TOE design have been tested.
The analysis of the depth of testing shall demostrate that
all modules in the TOE design have been tested.

The configuration list shall include the following: the TOE
itself, the evaluation evidence required by the SARs; the
parts that comprise the TOE; the implementation
representation; security flaw reports and resolution status;
and development tools and related information.
The configuration list shall uniquely identify the
configuration items.
For each TSF relevant configuration item, the configuration
list shall inicate the developer of the item.
The functional specification shall completely represent the
TSF.
The functional specification shall describe the TSFI using a
semi-formal style.
The functional specification shall describe the purpose and
method of use for all TSFI.
The functional specification shall identify and describe all
paramters associated with each TSFI.
The functional specification shall describe all actions
associated with each TSFI.

The functional specification shall describe all direct error
messages that may result from an invocation of each TSFI

The functional specification shall describe all error
messages that do not result from an invocation of a TSFI

The functional specification shall provide a rationale for
each error message contained in the TSF implementation
yet does not result from an invocation of a TSFI
The tracing shall demostrate that the SFRs trace to TSFIs
in the functional specification
The development security documentation shall describe all
the physical, procedural, personnel, and other security
measures that are necessary to protect the confidentiality,
and integrity of the TOE design and implementation in its
development environemnt.
The development security documentation shall justify that
the security measures provide the necessary level of
protection to maintain the confidentiality and intetgrity of the
TOE

The TOE shall be labelled with its unique reference
The CM documentation shall describe the methods used to
uniquely identify the configuration items.




The design shall describe the structure of the TOE in terms
of subsystems.


The design shall describe the TSF in terms of modules,
designating each module as SFR enforcing, SFR
supporting, or SFR non interfering
The design shall identify all subsystems of the TSF
The design shall provide a description of each subsystem
of the TSF.
The design shall provide a description of the interactions
among subsystems of the TSF.
The design shall provide a mapping from the subsystems
of the TSF to the modules of the TSF.
The design shall describe each module in terms of its
purpose, interfaces, return values from those interfaces,
and called interfaces to other modules.

The mapping shall demostrate that all behavious described
in the TOE design is mapped to the TSFIs that invoke it.
The model shall be in a formal style. Supported by
explanatory text as required, and identify the security
policies of the TSF that are modelled.

For all policies that are modelled, the model shall define
security for the TOE and provide a formal proof that the
TOE cannot reach a state that is not secure.


The correspondence between the model and the functional
specification shall be at the coreect level of formaility.l
The correspondence shall show that the functional
specification is consistent and complete with respect to the
model.
The demostration of corresponence shall show that the
interfaces in the functional specification are consistent and
complete with respect to the policies in the ADV_SPM.1.1D
assignment.


The justification shall explain the characteristics used to
judge the meaning of well structured and complex.

The TSF internals description shall demostrate that the
entire TSF is well structured.
The TSF internals description shall demostrate that the
entire TSF is well structured and is not overly complex
The implementation representation shall define the YSF to
a level of detail such that the TSF can be generated
without further design decisions.


The implementation representation shall be in the form
used by the development personnel.
The mapping between the TOE design description and the
entire implementation representation shall demostrate their
correspondence.

The statement of security requirements shall identify all
extended security requirements.
The extended components definition shall define an
extended component for each extended security
requirement.
The extended components definition shall describe how
each extended component is related to the existing CC
components, families, and classes.
The extended components definition shall use the existing
CC components, families, classes, and methodology as a
model for presentation.

The extended components shall consist of measurable and
objective elements such that conformaance or
nonconformance to these elements can be demostrated.
EAL 4 Assurance Requirements

Class / Family, with Dependencies and developer element IDs (FID), per assurance component:

ADV  ARC.1
  Dependencies: ADV_FSP.1 Basic functional specification; ADV_TDS.1 Basic design
  FID: ADV_ARC.1.1D, ADV_ARC.1.2D, ADV_ARC.1.3D

AVA  VAN.5
  Dependencies: ADV_ARC.1 Security architecture description; ADV_FSP.2 Security-enforcing functional specification; ADV_TDS.3 Basic modular design; ADV_IMP.1 Implementation representation of the TSF; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
  FID: AVA_VAN.5

AGD  OPE.1
  Dependencies: ADV_FSP.1 Basic functional specification
  FID: AGD_OPE.1.1D

AGD  PRE.1
  Dependencies: None
  FID: AGD_PRE.1.1D

ATE  FUN.2
  Dependencies: ATE_COV.1 Evidence of coverage
  FID: ATE_FUN.2.1D, ATE_FUN.2.2D

ALC  DEL.1
  Dependencies: None
  FID: ALC_DEL.1.1D, ALC_DEL.1.2D

ALC  LCD.2
  Dependencies: None
  FID: ALC_LCD.2.1D, ALC_LCD.2.2D, ALC_LCD.2.3D, ALC_LCD.2.4D

ATE  COV.3
  Dependencies: ADV_FSP.2 Security-enforcing functional specification; ATE_FUN.1 Functional testing
  FID: ATE_COV.3.1D

ASE  INT.1
  Dependencies: None
  FID: ASE_INT.1.1D

ATE  IND.3
  Dependencies: ADV_FSP.4 Complete functional specification; AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures; ATE_COV.1 Evidence of coverage; ATE_FUN.1 Functional testing
  FID: ATE_IND.3.1D

ALC  TAT.3
  Dependencies: ADV_IMP.1
  FID: ALC_TAT.3.1D, ALC_TAT.3.2D, ALC_TAT.3.3D

ASE  CCL.1
  Dependencies: ASE_INT.1 ST introduction; ASE_ECD.1 Extended components definition; ASE_REQ.1 Stated security requirements
  FID: ASE_CCL.1.1D, ASE_CCL.1.2D

ASE  SPD.1
  Dependencies: None
  FID: ASE_SPD.1.1D

ASE  OBJ.2
  Dependencies: ASE_SPD.1 Security problem definition
  FID: ASE_OBJ.2.1D, ASE_OBJ.2.2D

ASE  ECD.1
  Dependencies: None
  FID: ASE_ECD.1.1D, ASE_ECD.1.2D

ASE  REQ.2
  Dependencies: ASE_OBJ.2 Security objectives; ASE_ECD.1 Extended components definition
  FID: ASE_REQ.2.1D, ASE_REQ.2.2D

ASE  TSS.1
  Dependencies: ASE_INT.1 ST introduction; ASE_REQ.1 Stated security requirements
  FID: ASE_TSS.1.1D

ATE  DPT.4
  Dependencies: ADV_ARC.1 Security architecture description; ADV_TDS.4 Semiformal modular design; ADV_IMP.1 Implementation representation of the TSF; ATE_FUN.1 Functional testing
  FID: ATE_DPT.4.1D

ALC  CMS.5
  Dependencies: None
  FID: ALC_CMS.5.1D

ADV  FSP.6
  Dependencies: ADV_TDS.1 Basic design
  FID: ADV_FSP.5.1D, ADV_FSP.5.2D

ALC  DVS.2
  Dependencies: None
  FID: ALC_DVS.2.1D

ALC  CMC.5
  Dependencies: ALC_CMS.1 TOE CM coverage; ALC_DVS.2 Sufficiency of security measures; ALC_LCD.1 Developer-defined life-cycle model
  FID: ALC_CMC.5.1D, ALC_CMC.5.2D, ALC_CMC.5.3D

ADV  TDS.6
  Dependencies: ADV_FSP.5 Complete semiformal functional specification with additional formal specification
  FID: ADV_TDS.6.1D, ADV_TDS.6.2D

ADV  SPM.1
  Dependencies: ADV_FSP.4 Complete functional specification
  FID: ADV_SPM.1.1D, ADV_SPM.1.2D, ADV_SPM.1.3D

ADV  INT.3
  Dependencies: ADV_IMP.1 Implementation representation of the TSF; ADV_TDS.3 Basic modular design; ALC_TAT.1 Well-defined development tools
  FID: ADV_INT.3.1D, ADV_INT.3.2D

ADV  IMP.2
  Dependencies: ADV_TDS.3 Basic modular design; ALC_TAT.1 Well-defined development tools; ALC_CMS.5 Advance Support
  FID: ADV_IMP.2.1D, ADV_IMP.2.2D
EAL 4 Assurance Requirements (CC)

     Developer Element                         CID

     The developer shall design and
     implement the TOE so that the security
     features of the TSF cannot be bypassed. ADV_ARC.1.1C
     The developer shall design and
     implement the TSF so that it is able to
     protect itself from tampering by untrusted
     active entities.                           ADV_ARC.1.2C
     The developer shall provide a security
     architecture description of the TSF.       ADV_ARC.1.3C

                                               ADV_ARC.1.4C


                                               ADV_ARC.1.5C
     The developer shall provide the TOE for
     testing.                                  AVA_VAN.5.1C




     The developer shall provide operational
     user guidance.                            AGD_OPE.1.1C


                                               AGD_OPE.1.2C



                                               AGD_OPE.1.3C




                                               AGD_OPE.1.4C
                                         AGD_OPE.1.5C



                                         AGD_OPE.1.6C

                                         AGD_OPE.1.7C

The developer shall provide the TOE
including its preparative procedures.    AGD_PRE.1.1C




                                         AGD_PRE.1.2C
The developer shall test the TSF and
document the results                     ATE_FUN.2.1C


The developer shall provide test
documentation.                           ATE_FUN.2.2C

                                         ATE_FUN.2.3C

                                         ATE_FUN.2.4C

                                         ATE_FUN.2.5C
The developer shall document
procedures for delivery of the TOE or
parts of it to the consumer.             ALC_DEL.1.1C
The developer shall use the delivery
procedures

The developer shall establish a life cycle
model to be used in the development and
maintenance of the TOE, that is based on
a measurable life-cycle model..            ALC_LCD.2.1C

The developer shall provide life cycle
definition documentation.                ALC_LCD.2.2C
The developer shall measure the TOE
development using the measurable life-
cycle model.                             ALC_LCD.2.3C
The developer shall provide life-cycle
output documentation


The developer shall provide an analysis of
the test coverage.                         ATE_COV.3.1C
                                          ATE_COV.3.2C

The developer shall provide an ST
introduction.                             ASE_INT.1.1C
                                          ASE_INT.1.2C
                                          ASE_INT.1.3C

                                          ASE_INT.1.4C
                                          ASE_INT.1.5C

                                          ASE_INT.1.6C

                                          ASE_INT.1.7C

                                          ASE_INT.1.8C
The developer shall provide the TOE for
testing.                                  ATE_IND.3.1C


                                          ATE_IND.3.2C




The developer shall identify each
development tool being used for the TOE. ALC_TAT.3.1C
The developer shall document the
selected implemention dependent
options of each development tool.         ALC_TAT.3.2C

The developer shall describe the
implementation standards that are being
applied by the developer and by any third-
party providers for all parts of the TOE.  ALC_TAT.3.3C

The developer shall provide a
conformance claim                         ASE_CCL.1.1C


                                          ASE_CCL.1.2C

The developer shall provide a
conformance claim rationale.              ASE_CCL.1.3C

                                          ASE_CCL.1.4C


                                          ASE_CCL.1.5C
                                          ASE_CCL.1.6C


                                          ASE_CCL.1.7C




                                          ASE_CCL.1.8C




                                          ASE_CCL.1.9C




                                          ASE_CCL.1.10C
The developer shall provide a security
problem definition.                       ASE_SPD.1.1C

                                          ASE_SPD.1.2C
                                          ASE_SPD.1.3C


                                          ASE_SPD.1.4C

The developer shall provide a statement
of security objectives.                   ASE_OBJ.2.1C


The developer shall provide a security
objectives rationale.                     ASE_OBJ.2.2C




                                          ASE_OBJ.2.3C

                                          ASE_OBJ.2.4C

                                          ASE_OBJ.2.5C


                                          ASE_OBJ.2.6C
The developer shall provide a statement
of security requirements.                 ASE_ECD.1.1C

The developer shall provide an extended
components definition.                    ASE_ECD.1.2C
                                           ASE_ECD.1.3C


                                           ASE_ECD.1.4C


                                           ASE_ECD.1.5C
The developer shall provide a statement
of security requirements.                  ASE_REQ.2.1C

The developer shall provide a security
requirements rationale.                    ASE_REQ.2.2C

                                           ASE_REQ.2.3C
                                           ASE_REQ.2.4C


                                           ASE_REQ.2.5C

                                           ASE_REQ.2.6C

                                           ASE_REQ.2.7C

                                           ASE_REQ.2.8C

                                           ASE_REQ.2.9C
The developer shall provide a TOE
summary specification.                     ASE_TSS.1.1C




The developer shall provide the analysis
of the depth of testing.                   ATE_DPT.4.1C


                                           ATE_DPT.4.2C

                                           ATE_DPT.4.3C


                                           ATE_DPT.4.4C



The developer shall provide a configuration
list for the TOE.                          ALC_CMS.5.1C

                                           ALC_CMS.5.2C
                                           ALC_CMS.5.3C
The developer shall provide a functional
specification.                             ADV_FSP.5.1C

The developer shall provide a tracing from
the functional specification to the SFRs. ADV_FSP.5.2C

                                           ADV_FSP.5.3C

                                           ADV_FSP.5.4C

                                           ADV_FSP.5.5C


                                           ADV_FSP.5.6C

                                           ADV_FSP.5.7C




                                           ADV_FSP.5.8C



                                           ADV_FSP.5.9C

                                           ADV_FSP.5.10C



The developer shall produce development
security documentation.                 ALC_DVS.2.1C



                                        ALC_DVS.2.2C
The developer shall provide the TOE and
a reference for the TOE.                ALC_CMC.5.1C
The developer shall provide the CM
documentation.                          ALC_CMC.5.2C

The developer shall use a CM system.


The developer shall provide the design of
the TOE.                                  ADV_TDS.6.1C
The developer shall provide a mapping
from the TSFI of the functional
specification to the lowest level of
decomposition available in the TOE
design.                                  ADV_TDS.6.2C
The developer shall provide a formal
specification of the TSF subsystems.     ADV_TDS.6.3C
The developer shall provide a proof of
correspondence between the formal
specifications of the TSF subsystems and
the functional specification.            ADV_TDS.6.4C

                                        ADV_TDS.6.5C

                                        ADV_TDS.6.6C


                                        ADV_TDS.6.7C


                                        ADV_TDS.6.8C


                                        ADV_TDS.6.9C




                                        ADV_TDS.6.10C

The developer shall provide a formal
security policy model.                  ADV_SPM.1.1C
The developer shall provide a formal
proof of correspondence between the
model and any formal functional
specifications.                         ADV_SPM.1.2C

The developer shall provide a
demonstration of correspondence between
the model and the functional specification. ADV_SPM.1.3C


                                        ADV_SPM.1.4C



                                          ADV_SPM.1.5C
The developer shall design and
implement the entire TSF such that it has
well-structured internals.                ADV_INT.3.1C
The developer shall provide an internals
description and justification.            ADV_INT.3.2C

                                          ADV_INT.3.3C
The developer shall make available the
implementation representation for the
entire TSF.                               ADV_IMP.2.1C

The developer shall provide a mapping
between the TOE design description and
the entire implementation representation. ADV_IMP.2.2C


                                          ADV_IMP.2.3C
Content & Presentation Elements (C)
The security architecture description shall be at a level of
detail commensurate with the description of the SFR-enforcing
abstractions described in the TOE design document.

The security architecture description shall describe the
security domains maintained by the TSF consistently with
the SFRs.
The security architecture description shall describe how the
TSF initialization process is secure.
The security architecture description shall demonstrate that
the TSF protects itself from tampering.

The security architecture description shall demonstrate that
the TSF prevents bypass of the SFR-enforcing functionality.

     The TOE shall be suitable for testing.




The operational user guidance shall describe, for each user
role, the user-accessible functions and privileges that should
be controlled in a secure processing environment, including
appropriate warnings.
The operational user guidance shall describe, for each user
role, how to use the available interfaces provided by the
TOE in a secure manner.
The operational user guidance shall describe, for each user
role, the available functions and interfaces, in particular all
security parameters under the control of the user, indicating
secure values as appropriate.
The operational user guidance shall, for each user role,
clearly present each type of security-relevant event relative
to the user-accessible functions that need to be performed,
including changing the security characteristics of entities
under the control of the TSF.
The operational user guidance shall identify all possible
modes of operation of the TOE (including operation
following failure or operational error), their consequences
and implications for maintaining secure operation.
The operational user guidance shall, for each user role,
describe the security measures to be followed in order to
fulfill the security objectives for the operational environment
as described in the ST.
The operational user guidance shall be clear and
reasonable.
The preparative procedures shall describe all the steps
necessary for secure acceptance of the delivered TOE in
accordance with the developer's delivery procedures.
The preparative procedures shall describe all the steps
necessary for secure installation of the TOE and for the
secure preparation of the operational environment in
accordance with the security objectives for the operational
environment as described in the ST.
The test documentation shall consist of test plans, expected
test results and actual test results.
The test plans shall identify the tests to be performed and
describe the scenarios for performing each test. These
scenarios shall include any ordering dependencies on the
results of other tests.
The expected test results shall show the anticipated outputs
from a successful execution of the tests.
The actual test results shall be consistent with the
expected test results.
The test documentation shall include an analysis of the test
procedure ordering dependencies.
The delivery documentation shall describe all procedures
that are necessary to maintain security when distributing
versions of the TOE to the consumer.



The life-cycle definition documentation shall describe the
model used to develop and maintain the TOE, including the
details of its arithmetic parameters and/or metrics used to
measure the quality of the TOE and/or its development.

The life-cycle model shall provide for the necessary control
over the development and maintenance of the TOE.
The life-cycle output documentation shall provide the results
of the measurements of the TOE development using the
measurable life-cycle model.



The analysis of the test coverage shall demonstrate the
correspondence between the tests in the test
documentation and the TSFIs in the functional specification.
The analysis of the test coverage shall demonstrate that all
TSFIs in the functional specification have been completely
tested.

The ST introduction shall contain an ST reference, a TOE
reference, a TOE overview and a TOE description.
The ST reference shall uniquely identify the ST.
The TOE reference shall identify the TOE.
The TOE overview shall summarize the usage and major
security features of the TOE.
The TOE overview shall identify the TOE type.
The TOE overview shall identify any non-TOE
hardware/software/firmware required by the TOE.
The TOE description shall describe the physical scope of
the TOE.
The TOE description shall describe the logical scope of the
TOE.

The TOE shall be suitable for testing.
The developer shall provide an equivalent set of resources
to those that were used in the developer's functional testing
of the TSF.




Each development tool used for implementation shall be
well defined.

The documentation of each development tool shall
unambiguously define the meaning of all statements as well
as all conventions and directives used in the implementation.


The documentation of each development tool shall
unambiguously define the meaning of all implementation-dependent
options.
The conformance claim shall contain a CC conformance
claim that identifies the version of the CC to which the ST
and the TOE claim conformance.
The CC conformance claim shall describe the conformance
of the ST to CC Part 2 as either CC part 2 conformant or CC
Part 2 extended.
The CC conformance claim shall describe the conformance
of the ST to CC Part 3 as either CC part 3 conformant or CC
Part 3 extended.
The CC conformance claim shall be consistent with the
extended components definition.

The conformance claim shall identify all PPs and security
requirement packages to which the ST claims conformance.
The conformance claim shall describe any conformance of
the ST to a package as either package conformant or
package augmented.
The conformance claim rationale shall demonstrate that the
TOE type is consistent with the TOE type in the PPs for
which conformance is being claimed.

The conformance claim rationale shall demonstrate that the
statement of the security problem definition is consistent
with the statements of the security problem definition in the
PPs for which conformance is being claimed.
The conformance claim rationale shall demonstrate that the
statement of security objectives is consistent with the
statement of security objectives in the PPs for which
conformance is being claimed.
The conformance claim rationale shall demonstrate that the
statement of security requirements is consistent with the
statement of security requirements in the PPs for which
conformance is being claimed.

The security problem definition shall describe the threats.
All threats shall be described in terms of a threat agent, an
asset, and an adverse action.
The security problem definition shall describe the OSPs.

The security problem definition shall describe the
assumptions about the operational environment of the TOE.
The statement of security objectives shall describe the
security objectives for the TOE and the security objectives
for the operational environment.
The security objectives rationale shall trace each security
objective for the TOE back to threats countered by the
security objective and OSPs enforced by the security
objective.
The security objectives rationale shall trace each security
objective for the operational environment back to threats
countered by that security objective, OSPs enforced by the
security objective, and assumptions upheld by that security
objective.
The security objectives rationale shall demonstrate that the
security objectives counter all threats.
The security objectives rationale shall demonstrate that the
security objectives enforce all OSPs.
The security objectives rationale shall demonstrate that the
security objectives for the operational environment uphold
all assumptions.
The statement of security requirements shall identify all
extended security requirements.
The extended components definition shall define an
extended component for each extended security
requirement.
The extended components definition shall describe how
each extended component is related to the existing CC
components, families, and classes.
The extended components definition shall use the existing
CC components, families, classes, and methodology as a
model for presentation.
The extended components shall consist of measurable and
objective elements such that conformance or
nonconformance to these elements can be demonstrated.
The statement of security requirements shall describe the
SFRs and the SARs.
All subjects, objects, operations, security attributes, external
entities and other terms that are used in the SFRs and the
SARs shall be defined.
The statement of security requirements shall identify all
operations on the security requirements.
All operations shall be performed correctly.
Each dependency of the security requirements shall either
be satisfied, or the security requirements rationale shall
justify the dependency not being satisfied.
The security requirements rationale shall trace each SFR
back to the security objectives for the TOE.
The security requirements rationale shall demonstrate that the
SFRs meet all security objectives for the TOE.
The security requirements rationale shall explain why the
SARs were chosen.
The statement of security requirements shall be internally
consistent.
The TOE summary specification shall describe how the
TOE meets each SFR.


The analysis of the depth of testing shall demonstrate the
correspondence between the tests in the test
documentation and the TSF subsystems and modules in the
TOE design.

The analysis of the depth of testing shall demonstrate that all
TSF subsystems in the TOE design have been tested.
The analysis of the depth of testing shall demonstrate that all
modules in the TOE design have been tested.
The analysis of the depth of testing shall demonstrate that
the TSF operates in accordance with its implementation
representation.
The configuration list shall include the following: the TOE
itself; the evaluation evidence required by the SARs; the
parts that comprise the TOE; the implementation
representation; security flaw reports and resolution status;
and development tools and related information.
The configuration list shall uniquely identify the configuration
items.
For each TSF-relevant configuration item, the configuration
list shall indicate the developer of the item.
The functional specification shall completely represent the
TSF.

The functional specification shall describe the TSFI using a
formal style.
The functional specification shall describe the purpose and
method of use for all TSFI.
The functional specification shall identify and describe all
parameters associated with each TSFI.
The functional specification shall describe all actions
associated with each TSFI.

The functional specification shall describe all direct error
messages that may result from an invocation of each TSFI.
The functional specification shall describe all error
messages that do not result from an invocation of a TSFI.

The functional specification shall provide a rationale for
each error message contained in the TSF implementation
that is not otherwise described in the functional specification,
justifying why it is not associated with a TSFI.

The formal presentation of the functional specification of the
TSF shall describe the TSFI using a formal style, supported
by informal explanatory text where appropriate.
The tracing shall demonstrate that the SFRs trace to TSFIs in
the functional specification.
The development security documentation shall describe all
the physical, procedural, personnel, and other security
measures that are necessary to protect the confidentiality
and integrity of the TOE design and implementation in its
development environment.
The development security documentation shall justify that
the security measures provide the necessary level of
protection to maintain the confidentiality and integrity of the
TOE.

The TOE shall be labelled with its unique reference.
The CM documentation shall describe the methods used to
uniquely identify the configuration items.




The design shall describe the structure of the TOE in terms
of subsystems.
The design shall describe the TSF in terms of modules,
designating each module as SFR-enforcing, SFR-supporting,
or SFR-non-interfering.

The design shall identify all subsystems of the TSF.


The design shall provide a description of each subsystem of
the TSF.
The design shall provide a description of the interactions
among all subsystems of the TSF.
The design shall provide a mapping from the subsystems of
the TSF to the modules of the TSF.
The design shall describe each module in terms of its
purpose, interfaces, return values from those interfaces,
and called interfaces to other modules.
The formal specification of the TSF subsystems shall
describe the TSF using a formal style, supported by informal
explanatory text where appropriate.

The mapping shall demonstrate that all behaviour described
in the TOE design is mapped to the TSFIs that invoke it.
The proof of correspondence between the formal
specifications of the TSF subsystems and of the functional
specification shall demonstrate that all behaviour described in
the TOE design is a correct and complete refinement of the
TSFI that invokes it.
The model shall be in a formal style, supported by
explanatory text as required, and identify the security
policies of the TSF that are modelled.

For all policies that are modelled, the model shall define
security for the TOE and provide a formal proof that the
TOE cannot reach a state that is not secure.


The correspondence between the model and the functional
specification shall be at the correct level of formality.
The correspondence shall show that the functional
specification is consistent and complete with respect to the
model.
The demonstration of correspondence shall show that the
interfaces in the functional specification are consistent and
complete with respect to the policies in the ADV_SPM.1.1D
assignment.

The justification shall explain the characteristics used to
judge the meaning of "well-structured" and "complex".
The TSF internals description shall demonstrate that the
entire TSF is well-structured.
The TSF internals description shall demonstrate that the
entire TSF is well-structured and is not overly complex.
The implementation representation shall define the TSF to a
level of detail such that the TSF can be generated without
further design decisions.


The implementation representation shall be in the form used
by the development personnel.
The mapping between the TOE design description and the
entire implementation representation shall demonstrate their
correspondence.
      EAL4+

Class    Family Dependencies                  FID            Developer Element


                                                             The developer shall provide the
                 ADV_LLD.1 Descriptive low                   implementation representation for
ADV      IMP.2   level design                 ADV_IMP.2.1D   the entire TSF.
                 ALC_TAT.1 Well defined
                 development tools



                                                             The developer shall design and
                                                             structure the TSF in a modular
                                                             fashion that avoids unnecessary
                 ADV_IMP.1 Subset of the                     interactions between the modules
ADV      INT.1   implementation of the TSF.   ADV_INT.1.1D   of the design.

                 ADV_LLD.1 Descriptive low                   The developer shall provide an
                 level design.                ADV_INT.1.2D   architectural description.



                                                             The developer shall provide flaw
                                                             remediation procedures addressed
ALC      FLR.2   None                         ALC_FLR.2.1D   to TOE developers.
                                                             The developer shall establish a
                                                             procedure for accepting and acting
                                                             upon all reports of security flaws
                                                             and requests for corrections to
                                              ALC_FLR.2.2D   those flaws.
                                                             The developer shall provide flaw
                                                             remediation guidance addressed to
                                              ALC_FLR.2.3D   TOE users.
              ADV_HLD.2 Security enforcing              The developer shall provide the
ATE   DPT.2   high level design            ATE_DPT.2.1D analysis of the depth of testing.
              ADV_LLD.1 Descriptive low
              level design

              ATE_FUN.1 Functional testing


              ADV_FSP.1 Informal functional                 The developer shall perform a
AVA   VLA.2   specifications                AVA_VLA.2.1D    vulnerability analysis.
                                                            The developer shall provide
              ADV_HLD.2 Security enforcing                  vulnerability analysis
              high level design            AVA_VLA.2.2D     documentation.


              ADV_IMP.1 Subset of the
              implementation of the TSF.

              ADV_LLD.1 Descriptive low
              level design
              AGD_ADM.1 Administrator
              Guidance
              AGD_USR.1 User Guidance
AMA   AMP.1



AMA   CAT.1



AMA   EVD.1



AMA   SIA.1
CID              Content & Presentation Elements


                The implementation representation shall unambiguously
                define the TSF to a level of detail such that the TSF can
ADV_IMP.2.1C    be generated without further design decisions
                The implementation representation shall be internally
ADV_IMP.2.2C    consistent.

                The implementation representation shall describe the
ADV_IMP.2.3C    relationships between all portions of the implementation.



             The architectural description shall identify the modules of
ADV_INT.1.1C the TSF.
             The architectural description shall describe the purpose,
             interface, parameters, and effects of each module of the
ADV_INT.1.2C TSF.
             The architectural description shall describe how the TSF
             design provides for largely independent modules that
ADV_INT.1.3C avoid unnecessary interactions.
             The flaw remediation procedures documentation shall
             describe the procedures used to track all reported
ALC_FLR.2.1C security flaws in each release of the TOE.

             The flaw remediation procedures shall require that a
             description of the nature and effect of each security flaw
             be provided, as well as the status of finding a correction
ALC_FLR.2.2C to that flaw.
             The flaw remediation procedures shall require that
             corrective actions be identified for each of the security
ALC_FLR.2.3C flaws.
             The flaw remediation procedures documentation shall
             describe the methods used to provide flaw information,
             corrections and guidance on corrective actions to TOE
ALC_FLR.2.4C users.

             The flaw remediation procedures shall describe a means
             by which the developer receives from TOE users reports
ALC_FLR.2.5C and enquiries of suspected security flaws in the TOE.
             The procedures for processing reported security flaws
             shall ensure that any reported flaws are corrected and the
ALC_FLR.2.6C correction issued to TOE users.
             The procedures for processing reported security flaws
             shall provide safeguards that any corrections to these
ALC_FLR.2.7C security flaws do not introduce any new flaws.
             The flaw remediation guidance shall describe a means by
             which TOE users report to the developer any suspected
ALC_FLR.2.8C security flaws in the TOE.
             The depth analysis shall demonstrate that the tests
             identified in the test documentation are sufficient to
             demonstrate that the TSF operates in accordance with its
ATE_DPT.2.1C high level design and low level design.




             The vulnerability analysis documentation shall describe
             the analysis of the TOE deliverables performed to search
AVA_VLA.2.1C for ways in which a user can violate the TSP.

             The vulnerability analysis documentation shall describe
AVA_VLA.2.2C the disposition of identified vulnerabilities.

             The vulnerability analysis documentation shall show, for
             all identified vulnerabilities, that the vulnerability cannot
AVA_VLA.2.3C be exploited in the intended environment for the TOE.
             The vulnerability analysis documentation shall justify that
             the TOE, with the identified vulnerabilities, is resistant to
AVA_VLA.2.4C obvious penetration attacks.
Class  CName                                       Family  Hierarchical to                                        Dependencies
FAU    Security Alarms                             ARP.1   N/A                                                    FAU_SAA.1 Potential violation analysis
FAU    Audit Data Generation                       GEN.1   N/A                                                    FPT_STM.1 Reliable time stamps
FAU    User Identity Association                   GEN.2   N/A                                                    FAU_GEN.1 Audit data generation;
                                                                                                                  FIA_UID.1 Timing of identification
FAU    Potential Violation Analysis                SAA.1   N/A                                                    FAU_GEN.1 Audit data generation
FAU    Profile Based Anomaly Detection             SAA.2   FAU_SAA.1 Potential violation analysis                 FIA_UID.1 Timing of identification
FAU    Simple Attack Heuristics                    SAA.3   FAU_SAA.1 Potential violation analysis                 N/A
FAU    Complex Attack Heuristics                   SAA.4   FAU_SAA.3 Simple attack heuristics                     N/A
FAU    Audit Review                                SAR.1   N/A                                                    FAU_GEN.1 Audit data generation
FAU    Restricted Audit Review                     SAR.2   N/A                                                    FAU_SAR.1 Audit review
FAU    Selectable Audit Review                     SAR.3   N/A                                                    FAU_SAR.1 Audit review
FAU    Selective Audit                             SEL.1   N/A                                                    FAU_GEN.1 Audit data generation
FAU    Protected Audit Trail Storage               STG.1   N/A                                                    FAU_GEN.1 Audit data generation
FAU    Guarantees of Audit Data Availability       STG.2   FAU_STG.1 Protected audit trail storage                FAU_GEN.1 Audit data generation
FAU    Action in Case of Possible Audit Data Loss  STG.3   N/A                                                    FAU_STG.1 Protected audit trail storage
FAU    Prevention of Audit Data Loss               STG.4   FAU_STG.3 Action in case of possible audit data loss   FAU_STG.1 Protected audit trail storage
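The "Hierarchical to" and "Dependencies" columns above are the data an ST author works from when meeting ASE_REQ.2.5C (every dependency of a selected component either satisfied or justified in the security requirements rationale). The following Python is an added example, not part of the original table or of the CC text: it transcribes the FAU rows exactly as listed, treats FPT_STM.1 and FIA_UID.1 as leaves because their own rows are not on this page, and applies the CC Part 1 rule that a dependency may be met by a component hierarchical to the one named. The component selections checked at the bottom are constructed for illustration.

```python
"""Dependency check for Part 2 components selected in an ST (ASE_REQ.2.5C).

Added example; the dependency and hierarchy data below is transcribed from
the FAU table above, and the selections checked at the bottom are constructed.
"""
from __future__ import annotations

# "Dependencies" column. FPT_STM.1 and FIA_UID.1 are named as dependency
# targets only; their own rows are not on this page, so they are leaves here.
DEPENDENCIES: dict[str, list[str]] = {
    "FAU_ARP.1": ["FAU_SAA.1"],
    "FAU_GEN.1": ["FPT_STM.1"],
    "FAU_GEN.2": ["FAU_GEN.1", "FIA_UID.1"],
    "FAU_SAA.1": ["FAU_GEN.1"],
    "FAU_SAA.2": ["FIA_UID.1"],
    "FAU_SAA.3": [],
    "FAU_SAA.4": [],
    "FAU_SAR.1": ["FAU_GEN.1"],
    "FAU_SAR.2": ["FAU_SAR.1"],
    "FAU_SAR.3": ["FAU_SAR.1"],
    "FAU_SEL.1": ["FAU_GEN.1"],
    "FAU_STG.1": ["FAU_GEN.1"],
    "FAU_STG.2": ["FAU_GEN.1"],
    "FAU_STG.3": ["FAU_STG.1"],
    "FAU_STG.4": ["FAU_STG.1"],
    "FPT_STM.1": [],
    "FIA_UID.1": [],
}

# "Hierarchical to" column: component -> the component it is hierarchical to.
HIERARCHICAL_TO: dict[str, str] = {
    "FAU_SAA.2": "FAU_SAA.1",
    "FAU_SAA.3": "FAU_SAA.1",
    "FAU_SAA.4": "FAU_SAA.3",
    "FAU_STG.2": "FAU_STG.1",
    "FAU_STG.4": "FAU_STG.3",
}


def satisfies(selected: str, required: str) -> bool:
    """True if `selected` is `required` or is (transitively) hierarchical to it.

    CC Part 1 lets a dependency be met by a component hierarchical to the one
    named, so choosing FAU_SAA.4 covers a dependency on FAU_SAA.3 or FAU_SAA.1.
    """
    cur: str | None = selected
    while cur is not None:
        if cur == required:
            return True
        cur = HIERARCHICAL_TO.get(cur)
    return False


def unmet_dependencies(selected: set[str], justified: frozenset[str] = frozenset()) -> list[str]:
    """Dependencies that are neither satisfied by the selection nor justified.

    `justified` holds components the security requirements rationale argues
    away, which ASE_REQ.2.5C allows instead of including them.
    """
    problems: list[str] = []
    for comp in sorted(selected):
        if comp not in DEPENDENCIES:
            problems.append(f"{comp}: unknown component")
            continue
        for dep in DEPENDENCIES[comp]:
            if dep in justified or any(satisfies(s, dep) for s in selected):
                continue
            problems.append(f"{comp} needs {dep}")
    return problems


def closure_additions(selected: set[str]) -> set[str]:
    """Components that must be added so every transitive dependency is met."""
    chosen = set(selected)
    added: set[str] = set()
    changed = True
    while changed:
        changed = False
        for comp in list(chosen):
            for dep in DEPENDENCIES.get(comp, []):
                if not any(satisfies(s, dep) for s in chosen):
                    chosen.add(dep)
                    added.add(dep)
                    changed = True
    return added


if __name__ == "__main__":
    # Constructed selections: the first is complete; the second is missing
    # FAU_STG.1, because FAU_STG.4 is hierarchical to FAU_STG.3, not FAU_STG.1.
    print(unmet_dependencies({"FAU_ARP.1", "FAU_SAA.2", "FAU_GEN.1", "FPT_STM.1", "FIA_UID.1"}))
    print(unmet_dependencies({"FAU_STG.4", "FAU_GEN.1", "FPT_STM.1"}))
    print(sorted(closure_additions({"FAU_ARP.1"})))
```

The second constructed selection is the case evaluators most often catch: FAU_STG.4 sits above FAU_STG.3 in the hierarchy, but FAU_STG.1 is a dependency of both and is not implied by either, so it has to be selected or explicitly justified.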
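Read together, the FAU elements listed below form a pipeline: FAU_GEN.1 fixes the fields every audit record must carry, FAU_GEN.2 ties each event to the user who caused it, FAU_SAA.1 applies rules (an accumulation of selected auditable events) to the audited stream, and FAU_ARP.1 names the action taken when a potential violation is detected. The Python below is an added example, not the page's or the standard's own code, that wires those four together over a constructed login stream. The "three failed logins within one minute" threshold, the lock_account action and the injected clock (standing in for the FPT_STM.1 time source that FAU_GEN.1 depends on) are assumptions for illustration; the assignments in the real SFRs are the ST author's.

```python
"""Audit generation (FAU_GEN.1/FAU_GEN.2) feeding rule-based violation
analysis (FAU_SAA.1) and an alarm action (FAU_ARP.1).

Added example, not from the original table or the standard. The event
stream, the "three failed logins within one minute" rule and the
lock_account action are constructed; the injected clock stands in for
the FPT_STM.1 time source that FAU_GEN.1 depends on.
"""
from __future__ import annotations

import itertools
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class AuditRecord:
    # FAU_GEN.1.2 a): date/time, event type, subject identity, outcome.
    timestamp: datetime
    event_type: str
    subject: str      # FAU_GEN.2.1: the user that caused the event
    outcome: str      # "success" or "failure"
    details: dict = field(default_factory=dict)  # FAU_GEN.1.2 b): other audit-relevant data


class AuditTrail:
    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock          # FPT_STM.1 dependency: reliable time source
        self.records: list[AuditRecord] = []
        self._active = False

    def start(self) -> None:
        # FAU_GEN.1.1 a): start-up of the audit functions is itself audited.
        self._active = True
        self.log("audit_start", "TSF", "success")

    def log(self, event_type: str, subject: str, outcome: str, **details) -> AuditRecord:
        if not self._active:
            raise RuntimeError("audit functions not started")
        rec = AuditRecord(self._clock(), event_type, subject, outcome, dict(details))
        self.records.append(rec)
        return rec


class AccumulationRule:
    """FAU_SAA.1.2 a): an accumulation of a subset of auditable events.

    `threshold` records of the given type and outcome from one subject inside
    a sliding `window` are taken to indicate a potential security violation.
    """

    def __init__(self, event_type: str, outcome: str, threshold: int, window: timedelta):
        self.event_type, self.outcome = event_type, outcome
        self.threshold, self.window = threshold, window
        self._recent: dict[str, deque] = defaultdict(deque)

    def matches(self, rec: AuditRecord) -> bool:
        if rec.event_type != self.event_type or rec.outcome != self.outcome:
            return False
        recent = self._recent[rec.subject]
        recent.append(rec.timestamp)
        while recent and rec.timestamp - recent[0] > self.window:
            recent.popleft()          # drop events that fell out of the window
        return len(recent) >= self.threshold


class SecurityMonitor:
    """FAU_SAA.1.1: apply the rules to audited events; FAU_ARP.1.1: act on detection."""

    def __init__(self, trail: AuditTrail, rules: list,
                 actions: list[Callable[[AuditTrail, AuditRecord], None]]):
        self.trail, self.rules, self.actions = trail, rules, actions
        self.alarms: list[tuple[AccumulationRule, AuditRecord]] = []

    def observe(self, rec: AuditRecord) -> None:
        for rule in self.rules:
            if rule.matches(rec):
                self.alarms.append((rule, rec))
                for action in self.actions:
                    action(self.trail, rec)


def lock_account(trail: AuditTrail, rec: AuditRecord) -> None:
    # Constructed FAU_ARP.1 action; the response is itself an auditable event.
    trail.log("account_lock", "TSF", "success", target=rec.subject)


def run_demo() -> tuple[AuditTrail, SecurityMonitor]:
    # Constructed clock: advances 10 s per audit record from 2024-01-01T00:00Z.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ticks = itertools.count()
    trail = AuditTrail(lambda: t0 + timedelta(seconds=10 * next(ticks)))
    trail.start()
    rule = AccumulationRule("login", "failure", threshold=3, window=timedelta(minutes=1))
    monitor = SecurityMonitor(trail, [rule], [lock_account])
    # Constructed login stream: alice fails three times within 30 s.
    for subject, outcome in [("alice", "failure"), ("bob", "success"),
                             ("alice", "failure"), ("alice", "failure"),
                             ("alice", "success")]:
        monitor.observe(trail.log("login", subject, outcome, source="10.0.0.5"))
    return trail, monitor


if __name__ == "__main__":
    trail, monitor = run_demo()
    for r in trail.records:
        print(r.timestamp.isoformat(), r.event_type, r.subject, r.outcome, r.details)
    print("alarms:", [(rule.event_type, rec.subject) for rule, rec in monitor.alarms])
```

Two details matter for an evaluator reading the trail: the alarm's response (the account lock) is recorded through the same FAU_GEN.1 path as the event that triggered it, and the monitor only ever sees records that already carry the subject identity FAU_GEN.2 requires, which is what makes a per-subject accumulation rule meaningful.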
         ID                       Requirement
              The TSF shall take [assignment: list of actions] upon
FAU_ARP.1.1   detection of a potential security violation

              The TSF shall be able to generate an audit record of
FAU_GEN.1.1   the following auditable events:

              a). Startup and shutdown of the audit functions

              b). All auditable events for the [selection, choose one of:
              minimum, basic, detailed, not specified] level of audit
              c). [assignment: other specifically defined auditable
              events].
              The TSF shall record within each audit record at least
FAU_GEN.1.2   the following information:
              a). Date and time of the event, type of event, subject
              identity, and the outcome (success or failure) of the
              event
              b). For each audit event type, based on the auditable
              event definitions of the functional components included
              in the PP/ST, [assignment: other audit relevant
              information].

              The TSF shall be able to associate each auditable
FAU_GEN.2.1   event with the identity of the user that caused the event.


              The TSF shall be able to apply a set of rules in
              monitoring the audited events and based upon these
              rules indicate a potential violation of the enforcement of
FAU_SAA.1.1   the SFRs
              The TSF shall enforce the following rules for monitoring
FAU_SAA.1.2   audited events:
              a). Accumulation or combination of [assignment: subset
              of defined auditable events] known to indicate a
              potential security violation
              b). [assignment : any other rules].
              The TSF shall be able to maintain profiles of system
              usage, where an individual profile represnts the
              historical patterns of usage performed by the
FAU_SAA.2.1   member(s) of [assignment: the profile target group].
              The TSF shall be able to maintain a suspicion rating
              associated with each user whose activity is recorded in
              a profile, where the suspicion rating represents the
              degree to which the user's current activity is found
              inconsistent with the established patterns of usage
FAU_SAA.2.2   represted in the profile.
              The TSF shall be able to indicate a possible violation of
              the dnforcement of the SFRs when a user's suspicion
              rating exceeds the following threshold conditions
              [assignment: conditions under which anomalous activity
FUA_SAA.2.3   is reported by the TSF.
              The TSF shall be able to maintain an internal
              representation of the following signature events
              [assignment: a subset of system events] that may
FAU_SAA.3.1   indicate a violation of the enforcement of the SFRs.
              The TSF shall be able to compare the signature events
              against the record of system activity discernible from an
              examination of [assignment: the information to be used
FAU_SAA.3.2   to determine system activity].

              The TSF shall be able to indicate a potential iolation of
              the enforcement of the SFRs when a system event is
              found to match a signature event that indicates a
FAU_SAA.3.3   potential violation of the enforcement of the SFRs.
              The TSF shal be able to maintain an internal
              representation of the following event sequences of
              known intrusion scenarios [assignments: list of
              sequences of system events whose occurrence are
              representative of known penetration scenarios] and the
              following signature events [assignment: a subset of
              system events] that may indicate a potential violation of
FAU_SAA.4.1   the enforcement of the SFRs.

              The TSF shall be able to comapre the signature events
              and event sequences against the record of system
              activity discernible from an examination of [assignemnt:
FAU_SAA.4.2   the information to be used to determine system activity].
              The TSF shall be able to indicate a potential violation of
              the enforcement of the SFRs when system activity is
              found to amtch a signature event or event sequence
              that indicates a potential violation of the enforcement of
FAU_SAA.4.3   the SFRs.
              The TSF shall provide [assignemnt: authorized users]
              with the capability to read [assignment: list of audit
FAU_SAR.1.1   information] from the audit records.
              The TSF shall provide the audit records in a manner
FAU_SAR.1.2   suitable for the user to interpret the information.
              The TSF shall prohibit all users read access to the audit
              records, except those users that have been granted
FAU_SAR.2.1   explicit read access.

              The TSF shall provide the ability to perform [selection:
              searches, sorting, ordering] of audit data based on [
FAU_SAR.3.1   assignemnt: criteria with logical relations].
              The TSF shall be able to include or exclude auditable
              events from the set of audited events based on the
FAU_SEL.1.1   following attributes:
              a). [Selection: object identity, user identity, subject
              identity, host identity, event type].
              b). [assignment : list of additional attributes that audit
              selectivity is based upon].
              The TSF shall protect the stored audit records in the
FAU_STG.1.1   audit trail from unauthorized deletion.
              The TSF shall be able to [selection, choose one of:
              prevent, detect] unauthorized modifications to the
FAU_STG.1.2   stored audit records in the audit trail.

              The TSF shall protect the stored audit records from
FAU_STG.2.1   unauthorized deletion.
              The TSF shall be able to [selection, choose one of:
              prevent, detect} unauthorized modifications to the
FAU_STG.2.2   stored audit records in th audit trail.
              The TSF ensure that [assignment: metric for saving
              audit records] stored audit records will be maintained
              when the following conditions occur: [selection: audit
FAU_STG.2.3   storage exhaustion, failure, attack]
              The TSF shall [assignment: actions to be taken in case
              of possible audit storage failure] if the audit trail
FAU_STG.3.1   exceeds [assignment: pre-defined limit].
              The TSF shall [selection, choose one of: "ignore
              auditable events", "prevent auditable events", "overwrite
              the oldest stored audit records"] and [assignment: other
              actions to be taken in case of audit storage failure] if the
FAU_STG.4.1   audit trail is full.
Class   CName                        Family   Hierarchical to                        Dependencies
FCO     Selective Proof of Origin    NRO.1    N/A                                    FIA_UID.1 Timing of identification
FCO     Enforced Proof of Origin     NRO.2    FCO_NRO.1 Selective proof of origin    FIA_UID.1 Timing of identification
FCO     Selective Proof of Receipt   NRR.1    N/A                                    FIA_UID.1 Timing of identification
FCO     Enforced Proof of Receipt    NRR.2    FCO_NRR.1 Selective proof of receipt   FIA_UID.1 Timing of identification
ID            Requirement
FCO_NRO.1.1   The TSF shall be able to generate evidence of origin for transmitted [assignment: list of information types] at the request of the [selection: originator, recipient, [assignment: list of third parties]].
FCO_NRO.1.2   The TSF shall be able to relate the [assignment: list of attributes] of the originator of the information, and the [assignment: list of information fields] of the information to which the evidence applies.
FCO_NRO.1.3   The TSF shall provide a capability to verify the evidence of origin of information to [selection: originator, recipient, [assignment: list of third parties]] given [assignment: limitations on the evidence of origin].
FCO_NRO.2.1   The TSF shall enforce the generation of evidence of origin for transmitted [assignment: list of information types] at all times.
FCO_NRO.2.2   The TSF shall be able to relate the [assignment: list of attributes] of the originator of the information, and the [assignment: list of information fields] of the information to which the evidence applies.
FCO_NRO.2.3   The TSF shall provide a capability to verify the evidence of origin of information to [selection: originator, recipient, [assignment: list of third parties]] given [assignment: limitations on the evidence of origin].
FCO_NRR.1.1   The TSF shall be able to generate evidence of receipt for received [assignment: list of information types] at the request of the [selection: originator, recipient, [assignment: list of third parties]].
FCO_NRR.1.2   The TSF shall be able to relate the [assignment: list of attributes] of the recipient of the information, and the [assignment: list of information fields] of the information to which the evidence applies.
FCO_NRR.1.3   The TSF shall provide a capability to verify the evidence of receipt of information to [selection: originator, recipient, [assignment: list of third parties]] given [assignment: limitations on the evidence of receipt].
FCO_NRR.2.1   The TSF shall enforce the generation of evidence of receipt for received [assignment: list of information types].
FCO_NRR.2.2   The TSF shall be able to relate the [assignment: list of attributes] of the recipient of the information, and the [assignment: list of information fields] of the information to which the evidence applies.
FCO_NRR.2.3   The TSF shall provide a capability to verify the evidence of receipt of information to [selection: originator, recipient, [assignment: list of third parties]] given [assignment: limitations on the evidence of receipt].
Class   Family   CName                                              Hierarchical to                                              Dependencies
FDP     ACC.1    Subset Access Control                              N/A                                                          FDP_ACF.1 Security attribute based access control
FDP     ACC.2                                                       FDP_ACC.1 Subset access control                              FDP_ACF.1 Security attribute based access control
FDP     ACF.1    Security Attribute Based Access Control            N/A                                                          FDP_ACC.1 Subset Access Control; FMT_MSA.3 Static attribute initialization
FDP     DAU.1    Basic Data Authentication                          N/A                                                          N/A
FDP     DAU.2    Data Authentication with Identity of Guarantor     FDP_DAU.1 Basic Data Authentication                          FIA_UID.1 Timing of identification
FDP     ETC.1    Export of user data without security attributes    N/A                                                          FDP_ACC.1 Subset access control; FDP_IFC.1 Subset information flow control
FDP     ETC.2    Export of user data with security attributes       N/A                                                          FDP_ACC.1 Subset access control; FDP_IFC.1 Subset information flow control
FDP     IFC.1    Subset Information Flow Control                    N/A                                                          FDP_IFF.1 Simple Security Attributes
FDP     IFC.2    Complete Information Flow Control                  FDP_IFC.1                                                    FDP_IFF.1 Simple Security Attributes
FDP     IFF.1    Simple Security Attributes                         N/A                                                          FDP_IFC.1 Subset information flow control; FMT_MSA.3 Static Attribute Initialization
FDP     IFF.2    Hierarchical Security Attributes                   FDP_IFF.1 Simple Security Attributes                         FDP_IFC.1 Subset information flow control; FMT_MSA.3 Static attribute initialization
FDP     IFF.3    Limited illicit information flows                  N/A                                                          FDP_IFC.1 Subset information flow control
FDP     IFF.4    Partial elimination of illicit information flows   FDP_IFF.3 Limited illicit information flows                  FDP_IFC.1 Subset information flow control
FDP     IFF.5    No illicit information flow                        FDP_IFF.4 Partial elimination of illicit information flows   FDP_IFC.1 Subset information flow control
FDP     IFF.6    Illicit information flow monitoring                N/A                                                          FDP_IFC.1 Subset information flow control
FDP     ITC.1    Import of user data without security attributes    N/A                                                          FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control; FMT_MSA.3 Static attribute initialization
FDP     ITC.2    Import of user data with security attributes       N/A                                                          FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control; FTP_ITC.1 Inter-TSF trusted channel; FTP_TRP.1 Trusted path; FPT_TDC.1 Inter-TSF basic data consistency
FDP     ITT.1    Basic Internal Transfer Protection                 N/A                                                          FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control
FDP     ITT.2    Transmission separation by attribute               FDP_ITT.1 Basic internal transfer protection                 FDP_ACC.1 Subset access control; FDP_IFC.1 Subset information flow control
FDP     ITT.3    Integrity monitoring                               N/A                                                          FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control; FDP_ITT.1 Basic internal transfer protection
FDP     ITT.4    Attribute-based integrity monitoring               FDP_ITT.3 Integrity monitoring                               FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control; FDP_ITT.2 Transmission separation by attribute
FDP     RIP.1    Subset residual information protection             N/A                                                          N/A
FDP     RIP.2    Full residual information protection               FDP_RIP.1 Subset residual information protection             N/A
FDP     ROL.1    Basic Rollback                                     N/A                                                          FDP_IFC.1 Subset information flow control
FDP     ROL.2    Advanced Rollback                                  FDP_ROL.1 Basic rollback                                     FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control
FDP     SDI.1    Stored data integrity monitoring                   N/A                                                          N/A
FDP     SDI.2    Stored data integrity monitoring and action        FDP_SDI.1 Stored data integrity monitoring                   N/A
FDP     UCT.1    Basic data exchange confidentiality                N/A                                                          FTP_ITC.1 Inter-TSF trusted channel; FTP_TRP.1 Trusted path; FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control
FDP     UIT.1    Data exchange integrity                            N/A                                                          FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control; FTP_ITC.1 Inter-TSF trusted channel; FTP_TRP.1 Trusted path
FDP     UIT.2    Source data exchange recovery                      N/A                                                          FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control; FDP_UIT.1 Data exchange integrity; FTP_ITC.1 Inter-TSF trusted channel
FDP     UIT.3    Destination data exchange recovery                 FDP_UIT.2 Source data exchange recovery                      FDP_ACC.1 Subset Access Control; FDP_IFC.1 Subset information flow control; FDP_UIT.1 Data exchange integrity; FTP_ITC.1 Inter-TSF trusted channel
FDP     TDC.1    Inter-TSF basic TSF data consistency               N/A                                                          N/A
FDP     TRC.1    Internal TSF consistency                           N/A                                                          FPT_ITT.1 Basic internal TSF data transfer protection

ID            Requirement
FDP_ACC.1.1   The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP].
FDP_ACC.2.1   The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects and objects] and all operations among subjects and objects covered by the SFP.
FDP_ACC.2.2   The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.
FDP_ACF.1.1   The TSF shall enforce the [assignment: access control SFP] to objects based on the following: [assignment: list of subjects and objects controlled under the indicated SFP, and for each, the SFP relevant security attributes, or named groups of SFP relevant security attributes].
FDP_ACF.1.2   The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects].
FDP_ACF.1.3   The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorize access of subjects to objects].
FDP_ACF.1.4   The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
FDP_DAU.1.1   The TSF shall provide a capability to generate evidence that can be used as a guarantee of the validity of [assignment: list of objects or information types].
FDP_DAU.1.2   The TSF shall provide [assignment: list of subjects] with the ability to verify evidence of the validity of the indicated information.
FDP_DAU.2.1   The TSF shall provide a capability to generate evidence that can be used as a guarantee of the validity of [assignment: list of objects or information types].
FDP_DAU.2.2   The TSF shall provide [assignment: list of subjects] with the ability to verify evidence of the validity of the indicated information and the identity of the user that generated the evidence.
FDP_ETC.1.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] when exporting user data, controlled under the SFP(s), outside of the TOE.
FDP_ETC.1.2   The TSF shall export the user data without the user data's associated security attributes.
FDP_ETC.2.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] when exporting user data, controlled under the SFP(s), outside of the TOE.
FDP_ETC.2.2   The TSF shall export the user data's associated security attributes.
FDP_ETC.2.3   The TSF shall ensure that the security attributes, when exported outside the TOE, are unambiguously associated with the exported user data.
FDP_ETC.2.4   The TSF shall enforce the following rules when user data is exported from the TOE: [assignment: additional exportation control rules].
FDP_IFC.1.1   The TSF shall enforce the [assignment: information flow control SFP] on [assignment: list of subjects, information, and operations that cause controlled information to flow to and from controlled subjects covered by the SFP].
FDP_IFC.2.1   The TSF shall enforce the [assignment: information flow control SFP] on [assignment: list of subjects and information] and all operations that cause that information to flow to and from subjects covered by the SFP.
FDP_IFC.2.2   The TSF shall ensure that all operations that cause any information in the TOE to flow to and from any subject in the TOE are covered by an information flow control SFP.
FDP_IFF.1.1   The TSF shall enforce the [assignment: information flow control SFP] based on the following types of subject and information security attributes: [assignment: list of subjects and information controlled under the indicated SFP, and for each, the security attributes].
FDP_IFF.1.2   The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: for each operation, the security attribute-based relationship that must hold between subject and information security attributes].
FDP_IFF.1.3   The TSF shall enforce the [assignment: additional information flow control SFP rules].
FDP_IFF.1.4   The TSF shall provide the following [assignment: list of additional SFP capabilities].
FDP_IFF.1.5   The TSF shall explicitly authorize an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly authorize information flows].
FDP_IFF.1.6   The TSF shall explicitly deny an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly deny information flows].
FDP_IFF.2.1   The TSF shall enforce the [assignment: information flow control SFP] based on the following types of subject and information security attributes: [assignment: list of subjects and information controlled under the indicated SFP, and for each, the security attributes].
FDP_IFF.2.2   The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules, based on the ordering relationships between security attributes, hold: [assignment: for each operation, the security attribute-based relationship that must hold between subject and information security attributes].
FDP_IFF.2.3   The TSF shall enforce the [assignment: additional information flow control SFP rules].
FDP_IFF.2.4   The TSF shall provide the following [assignment: list of additional SFP capabilities].
FDP_IFF.2.5   The TSF shall explicitly authorize an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly authorize information flows].
FDP_IFF.2.6   The TSF shall explicitly deny an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly deny information flows].
FDP_IFF.2.7   The TSF shall enforce the following relationships for any two valid information flow control security attributes:
              a). There exists an ordering function that, given two valid security attributes, determines if the security attributes are equal, if one security attribute is greater than the other, or if the security attributes are incomparable.
              b). There exists a "least upper bound" in the set of security attributes, such that, given any two valid security attributes, there is a valid security attribute that is greater than or equal to the two valid security attributes.
              c). There exists a "greatest lower bound" in the set of security attributes, such that, given any two valid security attributes, there is a valid security attribute that is not greater than the two valid security attributes.
FDP_IFF.3.1   The TSF shall enforce the [assignment: information flow control SFP] to limit the capacity of [assignment: types of illicit information flows] to a [assignment: maximum capacity].
FDP_IFF.4.1   The TSF shall enforce the [assignment: information flow control SFP] to limit the capacity of [assignment: types of illicit information flows] to a [assignment: maximum capacity].
FDP_IFF.5.1   The TSF shall ensure that no illicit information flows exist to circumvent [assignment: name of information flow control SFP].
FDP_IFF.6.1   The TSF shall enforce the [assignment: information flow control SFP] to monitor [assignment: types of illicit information flows] when it exceeds the [assignment: maximum capacity].
FDP_ITC.1.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] when importing user data, controlled under the SFP, from outside of the TOE.
FDP_ITC.1.2   The TSF shall ignore any security attributes associated with the user data when imported from outside the TOE.
FDP_ITC.1.3   The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TOE: [assignment: additional importation control rules].
FDP_ITC.2.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] when importing user data, controlled under the SFP, from outside of the TOE.
FDP_ITC.2.2   The TSF shall use the security attributes associated with the imported user data.
FDP_ITC.2.3   The TSF shall ensure that the protocol used provides for the unambiguous association between the security attributes and the user data received.
FDP_ITC.2.4   The TSF shall ensure that interpretation of the security attributes of the imported user data is as intended by the source of the user data.
FDP_ITC.2.5   The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TOE: [assignment: additional importation control rules].
FDP_ITT.1.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE.
FDP_ITT.2.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE.
FDP_ITT.2.2   The TSF shall separate data controlled by the SFP(s) when transmitted between physically-separated parts of the TOE, based on the values of the following: [assignment: security attributes that require separation].
FDP_ITT.3.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to monitor user data transmitted between physically separated parts of the TOE for the following errors: [assignment: integrity errors].
FDP_ITT.3.2   Upon detection of a data integrity error, the TSF shall [assignment: specify the action to be taken upon integrity error].
FDP_ITT.4.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to monitor user data transmitted between physically separated parts of the TOE for the following errors: [assignment: integrity errors], based on the following attributes: [assignment: security attributes that require transmission channels].
FDP_ITT.4.2   Upon detection of a data integrity error, the TSF shall [assignment: specify the action to be taken upon integrity error].
FDP_RIP.1.1   The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] the following objects: [assignment: list of objects].
FDP_RIP.2.1   The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] all objects.
FDP_ROL.1.1   The TSF shall enforce [assignment: access control SFP(s) and/or information flow control SFP(s)] to permit the rollback of the [assignment: information and/or list of objects].
FDP_ROL.1.2   The TSF shall permit operations to be rolled back within the [assignment: boundary limit to which rollback may be performed].
FDP_ROL.2.1   The TSF shall enforce [assignment: access control SFP(s) and/or information flow control SFP(s)] to permit the rollback of all the operations on the [assignment: list of objects].
FDP_ROL.2.2   The TSF shall permit operations to be rolled back within the [assignment: boundary limit to which rollback may be performed].
FDP_SDI.1.1   The TSF shall monitor user data stored in containers controlled by the TSF for [assignment: integrity errors] on all objects, based on the following attributes: [assignment: user data attributes].
FDP_SDI.2.1   The TSF shall monitor user data stored in containers controlled by the TSF for [assignment: integrity errors] on all objects, based on the following attributes: [assignment: user data attributes].
FDP_SDI.2.2   Upon detection of a data integrity error, the TSF shall [assignment: action to be taken].
FDP_UCT.1.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] objects in a manner protected from unauthorized disclosure.
FDP_UIT.1.1   The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from [selection: modification, deletion, insertion, replay] errors.
FDP_UIT.1.2   The TSF shall be able to determine on receipt of user
data, whether [selection: modification, deletion,
insertion, replay] has occurred.



The TSF shall enforce the [assignment: access control
SFP(s) and/or information flow control SFP(s) to be able
to recover from [assignment: list of recoverable errors]
with the help of the source trusted IT product.



The TSF shall enforce the [assignment: access control
SFP(s) and/or information flow control SFP(s)] to be
able to recover from [assignment: list of recoverable
errors] without any helo from the source trusted IT
product.




The TSF shall provide the capability to consistently
interpret [assignment: list of TSF data types] when
shared between the TSF and another trusted IT product.
The TSF shall use [assignment: list of interpretation
rules to be applied by the TSF] when interpreting the
TSF data from another trusted IT product.
The TSF shall ensure that TSF data is consistent when
replicated between parts of the TOE.
When parts of the TOE containing replicated TSF data
are disconnected, the TSF shall ensure the consistency
of the replicated TSF data upon reconnection before
processing any requests for [assignment: list of
functions dependent on TSF data replication
consistency].
Class FIA

FIA_AFL.1   Authentication failure handling
  Hierarchical to: N/A
  Dependencies: FIA_UAU.1 Timing of authentication
  FIA_AFL.1.1  The TSF shall detect when [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]] unsuccessful authentication attempts occur related to [assignment: list of authentication events].
  FIA_AFL.1.2  When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [assignment: list of actions].

FIA_ATD.1   User attribute definition
  Hierarchical to: N/A
  Dependencies: N/A
  FIA_ATD.1.1  The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: list of security attributes].

FIA_SOS.1   Verification of secrets
  Hierarchical to: N/A
  Dependencies: N/A
  FIA_SOS.1.1  The TSF shall provide a mechanism to verify that secrets meet [assignment: a defined quality metric].

FIA_SOS.2   TSF generation of secrets
  Hierarchical to: N/A
  Dependencies: N/A
  FIA_SOS.2.1  The TSF shall provide a mechanism to generate secrets that meet [assignment: a defined quality metric].
  FIA_SOS.2.2  The TSF shall be able to enforce the use of TSF generated secrets for [assignment: list of TSF functions].

FIA_UAU.1   Timing of authentication
  Hierarchical to: N/A
  Dependencies: FIA_UID.1 Timing of identification
  FIA_UAU.1.1  The TSF shall allow [assignment: list of TSF mediated actions] on behalf of the user to be performed before the user is authenticated.
  FIA_UAU.1.2  The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.2   User authentication before any action
  Hierarchical to: FIA_UAU.1 Timing of authentication
  Dependencies: FIA_UID.1 Timing of identification
  FIA_UAU.2.1  The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.3   Unforgeable authentication
  Hierarchical to: N/A
  Dependencies: N/A
  FIA_UAU.3.1  The TSF shall [selection: detect, prevent] use of authentication data that has been forged by any user of the TSF.
  FIA_UAU.3.2  The TSF shall [selection: detect, prevent] use of authentication data that has been copied from any user of the TSF.

FIA_UAU.4   Single-use authentication mechanisms
  Hierarchical to: N/A
  Dependencies: N/A
  FIA_UAU.4.1  The TSF shall prevent reuse of authentication data related to [assignment: identified authentication mechanism(s)].

FIA_UAU.5   Multiple authentication mechanisms
  Hierarchical to: N/A
  Dependencies: N/A
  FIA_UAU.5.1  The TSF shall provide [assignment: list of multiple authentication mechanisms] to support user authentication.

FIA_UAU.6   Re-authenticating
  Hierarchical to: N/A
  Dependencies: N/A
  FIA_UAU.6.1  The TSF shall re-authenticate the user under the conditions [assignment: list of conditions under which re-authentication is required].

FIA_UAU.7   Protected authentication feedback
  Hierarchical to: N/A
  Dependencies: FIA_UID.1 Timing of identification
  FIA_UAU.7.1  The TSF shall provide only [assignment: list of feedback] to the user while the authentication is in process.

FIA_UID.1   Timing of identification
  Hierarchical to: N/A
  Dependencies: N/A
  FIA_UID.1.1  The TSF shall allow [assignment: list of TSF mediated actions] on behalf of the user to be performed before the user is identified.
  FIA_UID.1.2  The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FIA_UID.2   User identification before any action
  Hierarchical to: FIA_UID.1 Timing of identification
  Dependencies: N/A
  FIA_UID.2.1  The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FIA_USB.1   User-subject binding
  Hierarchical to: N/A
  Dependencies: FIA_UID.1 Timing of identification
  FIA_USB.1.1  The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: list of user security attributes].
  FIA_USB.1.2  The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: rules for the initial association of attributes].
  FIA_USB.1.3  The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: rules for the changing of attributes].
Class FMT

FMT_MOF.1   Management of security functions behaviour
  Hierarchical to: N/A
  Dependencies: FMT_SMR.1 Security roles; FMT_SMF.1 Specification of management functions
  FMT_MOF.1.1  The TSF shall restrict the ability to [selection: determine the behaviour of, disable, enable, modify the behaviour of] the functions [assignment: list of functions] to [assignment: the authorised identified roles].

FMT_MSA.1   Management of security attributes
  Hierarchical to: N/A
  Dependencies: FDP_ACC.1 Subset access control; FDP_IFC.1 Subset information flow control; FMT_SMR.1 Security roles; FMT_SMF.1 Specification of management functions
  FMT_MSA.1.1  The TSF shall enforce the [assignment: access control SFP, information flow control SFP] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].

FMT_MSA.2   Secure security attributes
  Hierarchical to: N/A
  Dependencies: FDP_ACC.1 Subset access control; FDP_IFC.1 Subset information flow control; FMT_MSA.1 Management of security attributes; FMT_SMR.1 Security roles
  FMT_MSA.2.1  The TSF shall ensure that only secure values are accepted for security attributes.

FMT_MSA.3   Static attribute initialisation
  Hierarchical to: N/A
  Dependencies: FMT_MSA.1 Management of security attributes; FMT_SMR.1 Security roles
  FMT_MSA.3.1  The TSF shall enforce the [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.
  FMT_MSA.3.2  The TSF shall allow the [assignment: the authorised identified roles] to specify alternative initial values to override the default values when an object or information is created.

FMT_MTD.1   Management of TSF data
  Hierarchical to: N/A
  Dependencies: FMT_SMR.1 Security roles; FMT_SMF.1 Specification of management functions
  FMT_MTD.1.1  The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorised identified roles].

FMT_MTD.2   Management of limits on TSF data
  Hierarchical to: N/A
  Dependencies: FMT_MTD.1 Management of TSF data; FMT_SMR.1 Security roles
  FMT_MTD.2.1  The TSF shall restrict the specification of the limits for [assignment: list of TSF data] to [assignment: the authorised identified roles].
  FMT_MTD.2.2  The TSF shall take the following actions, if the TSF data are at, or exceed, the indicated limits: [assignment: actions to be taken].

FMT_MTD.3   Secure TSF data
  Hierarchical to: N/A
  Dependencies: FMT_MTD.1 Management of TSF data
  FMT_MTD.3.1  The TSF shall ensure that only secure values are accepted for TSF data.

FMT_REV.1   Revocation
  Hierarchical to: N/A
  Dependencies: FMT_SMR.1 Security roles
  FMT_REV.1.1  The TSF shall restrict the ability to revoke security attributes associated with the [selection: users, subjects, [assignment: other additional resources]] under the control of the TSF to [assignment: the authorised identified roles].
  FMT_REV.1.2  The TSF shall enforce the rules [assignment: specification of revocation rules].

FMT_SAE.1   Time-limited authorisation
  Hierarchical to: N/A
  Dependencies: FMT_SMR.1 Security roles; FPT_STM.1 Reliable time stamps
  FMT_SAE.1.1  The TSF shall restrict the capability to specify an expiration time for [assignment: list of security attributes for which expiration is to be supported] to [assignment: the authorised identified roles].
  FMT_SAE.1.2  For each of these security attributes, the TSF shall be able to [assignment: list of actions to be taken for each security attribute] after the expiration time for the indicated security attribute has passed.

FMT_SMF.1   Specification of management functions
  Hierarchical to: N/A
  Dependencies: N/A
  FMT_SMF.1.1  The TSF shall be capable of performing the following management functions: [assignment: list of management functions to be provided by the TSF].

FMT_SMR.1   Security roles
  Hierarchical to: N/A
  Dependencies: FIA_UID.1 Timing of identification
  FMT_SMR.1.1  The TSF shall maintain the roles [assignment: the authorised identified roles].
  FMT_SMR.1.2  The TSF shall be able to associate users with roles.

FMT_SMR.2   Restrictions on security roles
  Hierarchical to: FMT_SMR.1 Security roles
  Dependencies: FIA_UID.1 Timing of identification
  FMT_SMR.2.1  The TSF shall maintain the roles [assignment: the authorised identified roles].
  FMT_SMR.2.2  The TSF shall be able to associate users with roles.
  FMT_SMR.2.3  The TSF shall ensure that the conditions [assignment: conditions for the different roles] are satisfied.

FMT_SMR.3   Assuming roles
  Hierarchical to: N/A
  Dependencies: FMT_SMR.1 Security roles
  FMT_SMR.3.1  The TSF shall require an explicit request to assume the following roles: [assignment: the roles].
Class FPR

FPR_ANO.1   Anonymity
  Hierarchical to: N/A
  Dependencies: N/A
  FPR_ANO.1.1  The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine the real user name bound to [assignment: list of subjects and/or operations and/or objects].

FPR_ANO.2   Anonymity without soliciting information
  Hierarchical to: FPR_ANO.1 Anonymity
  Dependencies: N/A
  FPR_ANO.2.1  The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine the real user name bound to [assignment: list of subjects and/or operations and/or objects].
  FPR_ANO.2.2  The TSF shall provide [assignment: list of services] to [assignment: list of subjects] without soliciting any reference to the real user name.

FPR_PSE.1   Pseudonymity
  Hierarchical to: N/A
  Dependencies: N/A
  FPR_PSE.1.1  The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine the real user name bound to [assignment: list of subjects and/or operations and/or objects].
  FPR_PSE.1.2  The TSF shall be able to provide [assignment: number of aliases] aliases of the real user name to [assignment: list of subjects].
  FPR_PSE.1.3  The TSF shall [selection, choose one of: determine an alias for a user, accept the alias from the user] and verify that it conforms to the [assignment: alias metric].

FPR_PSE.2   Reversible pseudonymity
  Hierarchical to: FPR_PSE.1 Pseudonymity
  Dependencies: FIA_UID.1 Timing of identification
  FPR_PSE.2.1  The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine the real user name bound to [assignment: list of subjects and/or operations and/or objects].
  FPR_PSE.2.2  The TSF shall be able to provide [assignment: number of aliases] aliases of the real user name to [assignment: list of subjects].
  FPR_PSE.2.3  The TSF shall [selection, choose one of: determine an alias for a user, accept the alias from the user] and verify that it conforms to the [assignment: alias metric].

FPR_PSE.3   Alias pseudonymity
  Hierarchical to: FPR_PSE.1 Pseudonymity
  Dependencies: N/A
  FPR_PSE.3.1  The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine the real user name bound to [assignment: list of subjects and/or operations and/or objects].
  FPR_PSE.3.2  The TSF shall be able to provide [assignment: number of aliases] aliases of the real user name to [assignment: list of subjects].
  FPR_PSE.3.3  The TSF shall [selection, choose one of: determine an alias for a user, accept the alias from the user] and verify that it conforms to the [assignment: alias metric].
  FPR_PSE.3.4  The TSF shall provide an alias to the real user name which shall be identical to an alias provided previously under the following [assignment: list of conditions]; otherwise the alias provided shall be unrelated to previously provided aliases.

FPR_UNL.1   Unlinkability
  Hierarchical to: N/A
  Dependencies: N/A
  FPR_UNL.1.1  The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine whether [assignment: list of operations] [selection: were caused by the same user, are related as follows [assignment: list of relations]].

FPR_UNO.1   Unobservability
  Hierarchical to: N/A
  Dependencies: N/A
  FPR_UNO.1.1  The TSF shall ensure that [assignment: list of users and/or subjects] are unable to observe the operation [assignment: list of operations] on [assignment: list of objects] by [assignment: list of protected users and/or subjects].

FPR_UNO.2   Allocation of information impacting unobservability
  Hierarchical to: FPR_UNO.1 Unobservability
  Dependencies: N/A
  FPR_UNO.2.1  The TSF shall ensure that [assignment: list of users and/or subjects] are unable to observe the operation [assignment: list of operations] on [assignment: list of objects] by [assignment: list of protected users and/or subjects].
  FPR_UNO.2.2  The TSF shall allocate the [assignment: unobservability related information] among different parts of the TOE such that the following conditions hold during the lifetime of the information: [assignment: list of conditions].

FPR_UNO.3   Unobservability without soliciting information
  Hierarchical to: N/A
  Dependencies: FPR_UNO.1 Unobservability
  FPR_UNO.3.1  The TSF shall provide [assignment: list of services] to [assignment: list of subjects] without soliciting any reference to [assignment: privacy related information].

FPR_UNO.4   Authorised user observability
  Hierarchical to: N/A
  Dependencies: N/A
  FPR_UNO.4.1  The TSF shall provide [assignment: set of authorised users] with the capability to observe the usage of [assignment: list of resources and/or services].
Class   CName                Family                       Hierarchical to




FPT     AMT.1   Abstract machine testing           N/A

                Failure with preservation of
FPT     FLS.1   secure state                       N/A




                Inter-TSF availability within a
FPT     ITA.1   defined availability metric        N/A

                Inter-TSF confidentiality during
FPT     ITC.1   transmission                       N/A




FPT     ITI.1   Inter-TSF detection of modification N/A




FPT     ITI.1   Inter-TSF detection of modification N/A

                                                   FPT_ITI.1 Inter-TSF
                Inter-TSF detection and correction detection of
FPT     ITI.2   of modification                    modification

                                                   FPT_ITI.1 Inter-TSF
                Inter-TSF detection and correction detection of
FPT     ITI.2   of modification                    modification
                                                   FPT_ITI.1 Inter-TSF
                Inter-TSF detection and correction detection of
FPT     ITI.2   of modification                    modification

                Basic internal TSF data transfer
FPT     ITT.1   protection                         N/A
                                                   FPT_ITT.1 Basic internal
                                                   TSF data transfer
FPT     ITT.2   TSF data transfer separation       protection
                                                 FPT_ITT.1 Basic internal
                                                 TSF data transfer
FPT   ITT.2   TSF data transfer separation       protection




FPT   ITT.3   TSF data integrity monitoring      N/A



FPT   ITT.3   TSF data integrity monitoring      N/A

FPT   PHP.1   Passive detection of physical attack N/A


FPT   PHP.1   Passive detection of physical attack N/A
                                                 FPT_PHP.1 Passive
                                                 detection of physical
FPT   PHP.2   Notification of physical attack    attack
                                                 FPT_PHP.1 Passive
                                                 detection of physical
FPT   PHP.2   Notification of physical attack    attack


                                                 FPT_PHP.1 Passive
                                                 detection of physical
FPT   PHP.2   Notification of physical attack    attack



FPT   PHP.3   Resistance to physical attack      N/A


FPT   RCV.1   Manual recovery                    N/A



                                                 FPT_RCV.1 Manual
FPT   RCV.2   Automated recovery                 recovery

                                                 FPT_RCV.1 Manual
FPT   RCV.2   Automated recovery                 recovery
              Automated recovery without undue   FPT_RCV.2 Automated
FPT   RCV.3   loss                               recovery

              Automated recovery without undue   FPT_RCV.2 Automated
FPT   RCV.3   loss                               recovery


              Automated recovery without undue FPT_RCV.2 Automated
FPT   RCV.3   loss                             recovery
              Automated recovery without undue FPT_RCV.2 Automated
FPT   RCV.3   loss                             recovery



FPT   RCV.4   Function recovery                  N/A

FPT   RPL.1   Replay detection                   N/A

FPT   RPL.1   Replay detection                   N/A

FPT   RPL.1   Simple trusted acknowledgement     N/A

FPT   RPL.1   Simple trusted acknowledgement     N/A



FPT   SSP.1   Simple trusted acknowledgement     N/A


                                                 FPT_SSP.1 Simple
FPT   SSP.2   Mutual trusted acknowledgement     trusted acknowledgement

                                                 FPT_SSP.1 Simple
FPT   SSP.2   Mutual trusted acknowledgement     trusted acknowledgement
FPT   STM.1   Reliable time stamps               N/A

              Inter-TSF basic TSF data
FPT   TDC.1   consistency                        N/A



FPT   TRC.1   Internal TSF consistency           N/A
FPT   TRC.1   Internal TSF consistency   N/A




FPT   TST.1   TSF testing                N/A



FPT   TST.1   TSF testing                N/A


FPT   TST.1   TSF testing                N/A
      Dependencies         ID




N/A                  FPT_AMT.1.1



N/A                  FPT_FLS.1.1




N/A                  FPT_ITA.1.1



N/A                  FPT_ITC.1.1FPT




N/A                  FPT_ITI.1.1




N/A                  FPT_ITI.1.2




N/A                  FPT_ITI.2.1




N/A                  FPT_ITI.2.2



N/A                  FPT_ITI.2.3



N/A                  FPT_ITT.1.1



N/A                  FPT_ITT.2.1
N/A                      FPT_ITT.2.2

FPT_ITT.1 Basic internal
TSF data transfer
protection               FPT_ITT.3.1
FPT_ITT.1 Basic internal
TSF data transfer
protection               FPT_ITT.3.2

N/A                      FPT_PHP.1.1


N/A                      FPT_PHP.1.2
FMT_MOF.1
Management of security
functions behaviour      FPT_PHP.2.1
FMT_MOF.1
Management of security
functions behaviour      FPT_PHP.2.2



FMT_MOF.1
Management of security
functions behaviour      FPT_PHP.3.2




N/A                      FPT_PHP.3.1

AGD_OPE.1 Operational
user guidance



AGD_OPE.1 Operational
user guidance            FPT_RCV.2.1

AGD_OPE.1 Operational
user guidance            FPT_RCV.2.2
AGD_OPE.1 Operational
user guidance         FPT_RCV.3.1

AGD_OPE.1 Operational
user guidance         FPT_RCV.3.2



AGD_OPE.1 Operational
user guidance         FPT_RCV.3.3
AGD_OPE.1 Operational
user guidance         FPT_RCV.3.4




N/A                        FPT_RCV.4.1

N/A                        FPT_RPL.1.1

N/A                        FPT_RPL.1.2

N/A                        FPT_RPL.1.1

N/A                        FPT_RPL.1.2

FPT_ITT.1 Basic internal
TSF data transfer protection FPT_SSP.1.1

FPT_ITT.1 Basic internal
TSF data transfer protection FPT_SSP.2.1

FPT_ITT.1 Basic internal
TSF data transfer protection FPT_SSP.2.2
N/A                          FPT_STM.1.1


N/A                        FPT_TDC.1.1
FPT_ITT.1 Basic internal
TSF data transfer
protection               FPT_TRC.1.1
FPT_ITT.1 Basic internal
TSF data transfer
protection               FPT_TRC.1.2




FPT_AMT.1 Abstract
machine testing         FPT_TST.1.1

FPT_AMT.1 Abstract
machine testing         FPT_TST.1.2
FPT_AMT.1 Abstract
machine testing         FPT_TST.1.3
                         Requirement

The TSF shall run a suite of tests [selection: during initial start-
up, periodically during normal operation, at the request of an
authorised user, [assignment: other conditions] ] to demonstrate
the correct operation of the security assumptions provided by the
abstract machine that underlies the TSF.

The TSF shall preserve a secure state when the following types of
failures occur: [assignment: list of types of failures in the TSF ].
The TSF shall ensure the availability of [assignment: list of
types of TSF data ] provided to a remote trusted IT product
within [assignment: a defined availability metric ] given the
following conditions [assignment: conditions to ensure
availability ].
FPT_ITC.1.1 The TSF shall protect all TSF data transmitted from
the TSF to a remote trusted IT product from unauthorized
disclosure during transmission.
The TSF shall provide the capability to detect modification of all
TSF data during transmission between the TSF and a remote
trusted IT product within the following metric: [assignment: a
defined modification metric].
The TSF shall provide the capability to verify the integrity of all
TSF data transmitted between the TSF and a remote trusted IT
product and perform [assignment: action to be taken] if
modifications are detected.
The TSF shall provide the capability to detect modification
of all TSF data during transmission between the TSF and a
remote trusted IT product within the following metric:
[assignment: a defined modification metric ].
The TSF shall provide the capability to verify the integrity of
all TSF data transmitted between the TSF and a remote
trusted IT product and perform [assignment: action to be
taken ] if modifications are detected.
The TSF shall provide the capability to correct [assignment:
type of modification ] of all TSF data transmitted between the
TSF and a remote trusted IT product
The TSF shall protect TSF data from [selection: disclosure,
modification] when it is transmitted between separate parts
of the TOE.
The TSF shall protect TSF data from [selection: disclosure,
modification ] when it is transmitted between separate parts of the
TOE.
The TSF shall separate user data from TSF data when such data is
transmitted between separate parts of the TOE.
The TSF shall be able to detect [selection: modification of
data, substitution of data, re-ordering of data, deletion of
data, [assignment: other integrity errors] ] for TSF data
transmitted between separate parts of the TOE.
Upon detection of a data integrity error, the TSF shall take
the following actions: [assignment: specify the action to be
taken ].
The TSF shall provide unambiguous detection of physical
tampering that might compromise the TSF.
The TSF shall provide the capability to determine whether
physical tampering with the TSF's devices or TSF's elements has
occurred.

The TSF shall provide unambiguous detection of physical
tampering that might compromise the TSF.
The TSF shall provide the capability to determine whether physical tampering with the TSF's devices or TSF's elements has occurred.
FPT_PHP.2.3 For [assignment: list of TSF devices/elements for which active detection is required], the TSF shall monitor the devices and elements and notify [assignment: a designated user or role] when physical tampering with the TSF's devices or TSF's elements has occurred.

FPT_PHP.3.1 The TSF shall resist [assignment: physical tampering scenarios] to the [assignment: list of TSF devices/elements] by responding automatically such that the SFRs are always enforced.
FPT_RCV.1.1 After [assignment: list of failures/service discontinuities] the TSF shall enter a maintenance mode where the ability to return to a secure state is provided.
FPT_RCV.2.1 When automated recovery from [assignment: list of failures/service discontinuities] is not possible, the TSF shall enter a maintenance mode where the ability to return to a secure state is provided.
FPT_RCV.2.2 For [assignment: list of failures/service discontinuities], the TSF shall ensure the return of the TOE to a secure state using automated procedures.
FPT_RCV.3.1 When automated recovery from [assignment: list of failures/service discontinuities] is not possible, the TSF shall enter a maintenance mode where the ability to return to a secure state is provided.
FPT_RCV.3.2 For [assignment: list of failures/service discontinuities], the TSF shall ensure the return of the TOE to a secure state using automated procedures.
FPT_RCV.3.3 The functions provided by the TSF to recover from failure or service discontinuity shall ensure that the secure initial state is restored without exceeding [assignment: quantification] for loss of TSF data or objects under the control of the TSF.
FPT_RCV.3.4 The TSF shall provide the capability to determine the objects that were or were not capable of being recovered.
FPT_RCV.4.1 The TSF shall ensure that [assignment: list of functions and failure scenarios] have the property that the function either completes successfully, or for the indicated failure scenarios, recovers to a consistent and secure state.
FPT_RPL.1.1 The TSF shall detect replay for the following entities: [assignment: list of identified entities].
FPT_RPL.1.2 The TSF shall perform [assignment: list of specific actions] when replay is detected.

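Worked example for FPT_RPL.1 (replay detection and the action taken on detection). This is an added illustration, not text or code from the Common Criteria catalogue: a receiver keeps, per identified entity, the highest authenticated sequence number seen plus a 64-entry bitmap of recently accepted numbers, the same sliding-window scheme IPsec ESP uses. The message format (8-byte big-endian sequence number plus body, HMAC-SHA256 tag), the pre-shared per-peer key and the sample message sequence are all assumptions constructed for the example; the chosen FPT_RPL.1.2 action is "record the event and drop the message".

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

WINDOW = 64  # anti-replay window width; the same scheme IPsec ESP uses


@dataclass
class ReplayDetector:
    """Receiver-side anti-replay state for one peer (the 'identified entity').

    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number highest - i has already been accepted.
    """
    key: bytes                                  # pre-shared per-peer MAC key (assumption)
    highest: int = 0
    bitmap: int = 0
    events: list = field(default_factory=list)  # FPT_RPL.1.2 actions taken

    def tag(self, seq: int, body: bytes) -> bytes:
        """HMAC over sequence number and body. The sequence number must be
        authenticated, otherwise an attacker could advance the window at will."""
        return hmac.new(self.key, struct.pack(">Q", seq) + body, hashlib.sha256).digest()

    def accept(self, seq: int, body: bytes, tag: bytes) -> bool:
        # Authenticate before touching any window state.
        if not hmac.compare_digest(self.tag(seq, body), tag):
            self.events.append(("bad_mac", seq))
            return False
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW:
            self.events.append(("too_old", seq))   # outside the window: treated as replay
            return False
        if self.bitmap & (1 << diff):
            self.events.append(("replay", seq))    # FPT_RPL.1.1 detection
            return False
        self.bitmap |= 1 << diff                   # late but first-seen: accept
        return True


def demo() -> tuple:
    """Constructed exchange: in-order, reordered, replayed and stale messages,
    followed by a forged message with a wrong tag."""
    key = b"constructed-demo-key"
    sender = ReplayDetector(key)    # only used here to compute valid tags
    receiver = ReplayDetector(key)
    sequence = [1, 2, 3, 5, 4, 3, 70, 5]
    accepted = [receiver.accept(s, b"cmd", sender.tag(s, b"cmd")) for s in sequence]
    forged = receiver.accept(71, b"cmd", bytes(32))
    return accepted, forged, receiver.events
```

The reordered message (4 after 5) is accepted because it has not been seen; the repeated 3 is rejected as a replay; after the jump to 70, the stale 5 falls outside the window and is rejected as well. Because the MAC check comes first, the forged message with sequence 71 never moves the window, so an attacker cannot use unauthenticated traffic to make legitimate in-flight messages look stale.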
FPT_SSP.1.1 The TSF shall acknowledge, when requested by another part of the TSF, the receipt of an unmodified TSF data transmission.
FPT_SSP.2.1 The TSF shall acknowledge, when requested by another part of the TSF, the receipt of an unmodified TSF data transmission.
FPT_SSP.2.2 The TSF shall ensure that the relevant parts of the TSF know the correct status of transmitted data among its different parts, using acknowledgements.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
FPT_TDC.1.1 The TSF shall provide the capability to consistently interpret [assignment: list of TSF data types] when shared between the TSF and another trusted IT product.

FPT_TRC.1.1 The TSF shall ensure that TSF data is consistent when replicated between parts of the TOE.
FPT_TRC.1.2 When parts of the TOE containing replicated TSF data are disconnected, the TSF shall ensure the consistency of the replicated TSF data upon reconnection before processing any requests for [assignment: list of functions dependent on TSF data replication consistency].

FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] to demonstrate the correct operation of [selection: [assignment: parts of TSF], the TSF].
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: parts of TSF], TSF data].
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code.
Class FTA: TOE access

FTA_LSA.1 Limitation on scope of selectable attributes
  Hierarchical to: N/A    Dependencies: N/A
  FTA_LSA.1.1 The TSF shall restrict the scope of the session security attributes [assignment: session security attributes], based on [assignment: attributes].

FTA_MCS.1 Basic limitation on multiple concurrent sessions
  Hierarchical to: N/A    Dependencies: FIA_UID.1 Timing of identification
  FTA_MCS.1.1 The TSF shall restrict the maximum number of concurrent sessions that belong to the same user.
  FTA_MCS.1.2 The TSF shall enforce, by default, a limit of [assignment: default number] sessions per user.

FTA_MCS.2 Per user attribute limitation on multiple concurrent sessions
  Hierarchical to: FTA_MCS.1 Basic limitation on multiple concurrent sessions    Dependencies: FIA_UID.1 Timing of identification
  FTA_MCS.2.1 The TSF shall restrict the maximum number of concurrent sessions that belong to the same user according to the rules [assignment: rules for the number of maximum concurrent sessions].
  FTA_MCS.2.2 The TSF shall enforce, by default, a limit of [assignment: default number] sessions per user.

FTA_SSL.1 TSF-initiated session locking
  Hierarchical to: N/A    Dependencies: FIA_UAU.1 Timing of authentication
  FTA_SSL.1.1 The TSF shall lock an interactive session after [assignment: time interval of user inactivity] by:
    • clearing or overwriting display devices, making the current contents unreadable;
    • disabling any activity of the user's data access/display devices other than unlocking the session.
  FTA_SSL.1.2 The TSF shall require the following events to occur prior to unlocking the session: [assignment: events to occur].

FTA_SSL.2 User-initiated locking
  Hierarchical to: N/A    Dependencies: FIA_UAU.1 Timing of authentication
  FTA_SSL.2.1 The TSF shall allow user-initiated locking of the user's own interactive session, by:
    • clearing or overwriting display devices, making the current contents unreadable;
    • disabling any activity of the user's data access/display devices other than unlocking the session.
  FTA_SSL.2.2 The TSF shall require the following events to occur prior to unlocking the session: [assignment: events to occur].

FTA_SSL.3 TSF-initiated termination
  Hierarchical to: N/A    Dependencies: N/A
  FTA_SSL.3.1 The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].

FTA_TAB.1 Default TOE access banners
  Hierarchical to: N/A    Dependencies: N/A
  FTA_TAB.1.1 Before establishing a user session, the TSF shall display an advisory warning message regarding unauthorized use of the TOE.

FTA_TAH.1 TOE access history
  Hierarchical to: N/A    Dependencies: N/A
  FTA_TAH.1.1 Upon successful session establishment, the TSF shall display the [selection: date, time, method, location] of the last successful session establishment to the user.
  FTA_TAH.1.2 Upon successful session establishment, the TSF shall display the [selection: date, time, method, location] of the last unsuccessful attempt to session establishment and the number of unsuccessful attempts since the last successful session establishment.
  FTA_TAH.1.3 The TSF shall not erase the access history information from the user interface without giving the user an opportunity to review the information.

FTA_TSE.1 TOE session establishment
  Hierarchical to: N/A    Dependencies: N/A
  FTA_TSE.1.1 The TSF shall be able to deny session establishment based on [assignment: attributes].
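Worked example covering three of the FTA requirements above: per-user concurrent session limits with rules and a default (FTA_MCS.2), termination after a period of inactivity (FTA_SSL.3) and access history presented at login (FTA_TAH.1). This is an added illustration, not code from the catalogue or from any evaluated product. The role-based limits, the 900-second idle interval, the user names and the login sequence are constructed assumptions; time is an integer supplied by the caller so the behaviour is deterministic.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    role: str
    sessions: dict = field(default_factory=dict)   # session id -> time of last activity
    last_success: Optional[tuple] = None           # (time, method, location)
    last_failure: Optional[tuple] = None
    failures_since_success: int = 0


class SessionManager:
    """Enforces FTA_MCS.2 (per-role concurrent session limits with a default),
    FTA_SSL.3 (termination after inactivity) and FTA_TAH.1 (access history)."""

    DEFAULT_LIMIT = 2                           # FTA_MCS.2.2 [assignment: default number]
    ROLE_LIMITS = {"admin": 1, "service": 10}   # FTA_MCS.2.1 [assignment: rules] (assumed values)
    IDLE_TIMEOUT = 900                          # FTA_SSL.3.1 [assignment: time interval], seconds

    def __init__(self, users):
        self.users = {u.name: u for u in users}
        self._counter = 0

    def limit_for(self, user: User) -> int:
        return self.ROLE_LIMITS.get(user.role, self.DEFAULT_LIMIT)

    def terminate_idle(self, now: int) -> list:
        """FTA_SSL.3.1: drop every session idle for IDLE_TIMEOUT or longer."""
        closed = []
        for user in self.users.values():
            for sid, last in list(user.sessions.items()):
                if now - last >= self.IDLE_TIMEOUT:
                    del user.sessions[sid]
                    closed.append(sid)
        return closed

    def touch(self, name: str, sid: str, now: int) -> None:
        """Record activity so an in-use session is not terminated."""
        self.users[name].sessions[sid] = now

    def login(self, name: str, authenticated: bool, now: int, method: str, location: str) -> dict:
        self.terminate_idle(now)
        user = self.users[name]
        if not authenticated:
            user.last_failure = (now, method, location)
            user.failures_since_success += 1
            return {"status": "auth_failed"}
        if len(user.sessions) >= self.limit_for(user):
            # Refused under FTA_MCS.2.1; not an authentication failure, so not counted.
            return {"status": "too_many_sessions"}
        self._counter += 1
        sid = f"s{self._counter}"
        user.sessions[sid] = now
        # FTA_TAH.1.1/1.2: history captured for display now, before it is reset.
        history = {"last_success": user.last_success,
                   "last_failure": user.last_failure,
                   "failures_since_success": user.failures_since_success}
        user.last_success = (now, method, location)
        user.failures_since_success = 0
        return {"status": "ok", "session": sid, "history": history}


def demo() -> tuple:
    """Constructed login sequence: a failed attempt, an admin hitting the limit of 1,
    a default-role user hitting the limit of 2, then a login after the idle timeout."""
    sm = SessionManager([User("alice", "admin"), User("bob", "user")])
    steps = [("alice", False, 100), ("alice", True, 110), ("alice", True, 120),
             ("bob", True, 130), ("bob", True, 140), ("bob", True, 150),
             ("alice", True, 1100)]
    results = [sm.login(n, ok, t, "ssh", "10.0.0.5") for n, ok, t in steps]
    return [r["status"] for r in results], results[1]["history"]
```

The history returned on alice's successful login carries the failed attempt at t=100 and a count of 1, which is exactly what FTA_TAH.1.1 and 1.2 require the TSF to display; keeping it on screen until the user acknowledges it (FTA_TAH.1.3) is the user interface's job. The refusal for too many sessions is deliberately not counted as a failed authentication, otherwise a user at the session limit would accumulate spurious failure counts.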
Class FRU: Resource utilisation

FRU_FLT.1 Degraded fault tolerance
  Hierarchical to: N/A    Dependencies: FPT_FLS.1 Failure with preservation of secure state
  FRU_FLT.1.1 The TSF shall ensure the operation of [assignment: list of TOE capabilities] when the following failures occur: [assignment: list of type of failures].

FRU_FLT.2 Limited fault tolerance
  Hierarchical to: FRU_FLT.1 Degraded fault tolerance    Dependencies: FPT_FLS.1 Failure with preservation of secure state
  FRU_FLT.2.1 The TSF shall ensure the operation of all the TOE's capabilities when the following failures occur: [assignment: list of type of failures].

FRU_PRS.1 Limited priority of service
  Hierarchical to: N/A    Dependencies: N/A
  FRU_PRS.1.1 The TSF shall assign a priority to each subject in the TSF.
  FRU_PRS.1.2 The TSF shall ensure that each access to [assignment: controlled resources] shall be mediated on the basis of the subject's assigned priority.

FRU_PRS.2 Full priority of service
  Hierarchical to: FRU_PRS.1 Limited priority of service    Dependencies: N/A
  FRU_PRS.2.1 The TSF shall assign a priority to each subject in the TSF.
  FRU_PRS.2.2 The TSF shall ensure that each access to all shareable resources shall be mediated on the basis of the subject's assigned priority.

FRU_RSA.1 Maximum quotas
  Hierarchical to: N/A    Dependencies: N/A
  FRU_RSA.1.1 The TSF shall enforce maximum quotas of the following resources: [assignment: controlled resources] that [selection: individual user, defined group of users, subjects] can use [selection: simultaneously, over a specified period of time].

FRU_RSA.2 Minimum and maximum quotas
  Hierarchical to: FRU_RSA.1 Maximum quotas    Dependencies: N/A
  FRU_RSA.2.1 The TSF shall enforce maximum quotas of the following resources: [assignment: controlled resources] that [selection: individual user, defined group of users, subjects] can use [selection: simultaneously, over a specified period of time].
  FRU_RSA.2.2 The TSF shall ensure the provision of minimum quantity of each [assignment: controlled resource] that is available for [selection: an individual user, defined group of users, subjects] to use [selection: simultaneously, over a specified period of time].
Class FCS: Cryptographic support

FCS_CKM.1 Cryptographic key generation
  Hierarchical to: N/A
  Dependencies: [FCS_CKM.2 Cryptographic key distribution or FCS_COP.1 Cryptographic operation], FCS_CKM.4 Cryptographic key destruction, FMT_MSA.2 Secure security attributes
  FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].

FCS_CKM.2 Cryptographic key distribution
  Hierarchical to: N/A
  Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction, FMT_MSA.2 Secure security attributes
  FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [assignment: cryptographic key distribution method] that meets the following: [assignment: list of standards].

FCS_CKM.3 Cryptographic key access
  Hierarchical to: N/A
  Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction, FMT_MSA.2 Secure security attributes
  FCS_CKM.3.1 The TSF shall perform [assignment: type of cryptographic key access] in accordance with a specified cryptographic key access method [assignment: cryptographic key access method] that meets the following: [assignment: list of standards].

FCS_CKM.4 Cryptographic key destruction
  Hierarchical to: N/A
  Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes or FCS_CKM.1 Cryptographic key generation], FMT_MSA.2 Secure security attributes
  FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [assignment: cryptographic key destruction method] that meets the following: [assignment: list of standards].

FCS_COP.1 Cryptographic operation
  Hierarchical to: N/A
  Dependencies: [FDP_ITC.1 Import of user data without security attributes or FDP_ITC.2 Import of user data with security attributes or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction
  FCS_COP.1.1 The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
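Worked example for the FCS_CKM/FCS_COP dependency chain above: a key is generated (FCS_CKM.1), reached only through a handle (FCS_CKM.3), used for an operation (FCS_COP.1) and finally destroyed (FCS_CKM.4), after which the handle refuses further use. This is an added illustration and not code from the catalogue. The concrete choices are assumptions for the example: a 256-bit master key from the operating system CSPRNG, HMAC-SHA256 as the cryptographic operation, RFC 5869 HKDF to derive per-purpose subkeys so that one compromised subkey does not expose the others, and "overwrite the bytearray in place" as the destruction method. Python cannot promise that no copy of the key material lingers elsewhere in memory; a real FCS_CKM.4 claim rests on the platform's zeroisation guarantees, which this example only models.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM); an absent salt is HASH_LEN zero bytes."""
    return hmac.new(salt if salt else bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i), output concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


class KeyHandle:
    """Key material with an explicit life cycle: usable only between generation
    (FCS_CKM.1) and destruction (FCS_CKM.4); every operation (FCS_COP.1) goes
    through this handle, which is the only access path (FCS_CKM.3)."""

    def __init__(self, material: bytearray, purpose: str):
        self._k = material            # bytearray so it can be overwritten in place
        self.purpose = purpose
        self.destroyed = False

    def mac(self, data: bytes) -> bytes:
        if self.destroyed:
            raise RuntimeError(f"{self.purpose} key has been destroyed")
        return hmac.new(self._k, data, HASH).digest()

    def verify(self, data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.mac(data), tag)

    def destroy(self) -> None:
        """FCS_CKM.4: overwrite the material, then refuse all further use."""
        for i in range(len(self._k)):
            self._k[i] = 0
        self.destroyed = True

    def is_zeroized(self) -> bool:
        return self.destroyed and not any(self._k)


def generate_master_key(size: int = 32) -> KeyHandle:
    """FCS_CKM.1: CSPRNG-generated key of the stated size (assumed 256 bits)."""
    return KeyHandle(bytearray(secrets.token_bytes(size)), "master")


def derive_subkey(master: KeyHandle, purpose: bytes, size: int = 32) -> KeyHandle:
    """Per-purpose subkey via HKDF; the purpose label is the HKDF info input."""
    if master.destroyed:
        raise RuntimeError("cannot derive from a destroyed key")
    prk = hkdf_extract(b"", master._k)
    return KeyHandle(bytearray(hkdf_expand(prk, purpose, size)), purpose.decode())
```

The HKDF functions can be checked against test case 1 of RFC 5869 (22 bytes of 0x0b as IKM, salt 00..0c, info f0..f9, 42 bytes of output), which is a convenient self test to run at start-up under FPT_TST.1. The point of the handle is that the FCS_COP.1 dependency on FCS_CKM.4 is enforced in code rather than by convention: once `destroy()` has run, the only access path to the material raises.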
Class FTP: Trusted path/channels

FTP_ITC.1 Inter-TSF trusted channel
  Hierarchical to: N/A    Dependencies: N/A
  FTP_ITC.1.1 The TSF shall provide a communication channel between itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
  FTP_ITC.1.2 The TSF shall permit [selection: the TSF, the remote trusted IT product] to initiate communication via the trusted channel.
  FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [assignment: list of functions for which a trusted channel is required].

FTP_TRP.1 Trusted path
  Hierarchical to: N/A    Dependencies: N/A
  FTP_TRP.1.1 The TSF shall provide a communication path between itself and [selection: remote, local] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
  FTP_TRP.1.2 The TSF shall permit [selection: the TSF, local users, remote users] to initiate communication via the trusted path.
  FTP_TRP.1.3 The TSF shall require the use of the trusted path for [selection: initial user authentication, [assignment: other services for which trusted path is required]].

Document info: posted 8/8/2011, 225 pages.