Conformance Claims 2024

Bob Clemons edited this page Sep 12, 2024 · 11 revisions

Updated 9 September 2024

The Conformance Claims section of most documents should be mostly boilerplate text. There is a new XML construct that automatically generates a Conformance Claims section based on information provided by the PP Author in the <CClaimsInfo> element. This construct is mandatory for Direct Rationale documents, and will soon be mandatory for CC:2022 documents.

Currently, the schema and transforms support either the old way or this new way, or both!

For the old ways, and for more detail on specific aspects of Conformance Claims, see:

The New Way

Declaring the Conformance Claims section

The Conformance Claims section should be defined using the <section> element:

  <section title="Conformance Claims" id="sec-unique-id" boilerplate="no">
    or
  <sec:Conformance_Claims  boilerplate="no">

If you are using the <CClaimsInfo> element, you should set boilerplate to "no" to avoid boilerplate conflicts.

The <CClaimsInfo> Structure

All the information needed to generate a Conformance Claims section is provided by the PP-Author in the <CClaimsInfo> section.

<!-- cc-version:  CC Version: cc-2022r1 or cc-31r5 -->
<!-- cc-approach: Approach: standard or direct-rationale -->
<!-- display:     Should this info be displayed in the Conformance Claims section? -->
<CClaimsInfo 
    cc-version="cc-2022r1"
    cc-approach="standard"
    display="no">

The cc-version attribute replaces the uses-cc2022 preference for indicating that the document is using CC:2022 rather than the old CC 3.1. New legal values will be added as revisions to CC:2022 are released.

The cc-approach attribute indicates whether the document is using the standard approach or the Direct Rationale approach. Direct Rationale is now fully supported by transforms.

The display attribute can be set to "no" to indicate that the Conformance Claims section should not be auto-generated from the contents of the <CClaimsInfo> tag.

Conformance Claims

	<cc-st-conf>exact</cc-st-conf>                <!-- Conformance for STs: exact, strict, or demonstrable -->

The Conformance Claim is mainly boilerplate. The following text is generated from the single line above:

   An ST must claim exact conformance to this PP.

   The evaluation methods used for evaluating the TOE are a combination of the workunits defined in [CEM] 
   as well as the Evaluation Activities for ensuring that individual SFRs and SARs have a sufficient level of supporting evidence
   in the Security Target and guidance documentation and have been sufficiently tested by the laboratory as part of completing 
   ATE_IND.1. Any functional packages this PP claims similarly contain their own Evaluation Activities that are used in this same manner.

CC Conformance Claims

	<cc-pt2-conf>extended</cc-pt2-conf>           <!-- Part 2 conformance: extended or conformant -->
	<cc-pt3-conf>extended</cc-pt3-conf>           <!-- Part 3 conformance: extended or conformant -->

These two sub-elements are used to specify the Part 2 and 3 conformance for the document. The above would result in the following text being generated:

   This PP is conformant to Part 2 (extended) and Part 3 (extended) of Common Criteria CC:2022, Revision 1.

PP Claim

This section lists the PP that the current document is conformant to, and the PPs and PP-Modules that the document can be in a PP-Configuration with. If there are none, the sub-element must be left empty. Otherwise, each section contains a list of document titles with an element that indicates the type of document listed.

	<cc-pp-conf/>                                 
	<cc-pp-config-with>
	        <PP-cc-ref>Protection Profile for Mobile Device Management Version 4.0</PP-cc-ref>
		<Mod-cc-ref>PP-Module for File Encryption, Version 1.0</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for File Encryption Enterprise Management, Version 1.0</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for VPN Clients, Version 2.2</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for VPN Clients, Version 2.3</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for VPN Clients, Version 2.4</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for Endpoint Detection and Response, Version 1.0</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for Host Agent, Version 1.0</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for Voice and Video over IP (VVoIP), Version 1.0</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for Email Clients, Version 1.0</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for Web Browsers, Version 1.0</Mod-cc-ref>
		<Mod-cc-ref>PP-Module for Redaction Tools, Version 1.0</Mod-cc-ref>
	</cc-pp-config-with>

The above would result in the following text being generated:

   This PP does not claim conformance to any Protection Profile.

   The following PPs and PP-Modules are allowed to be specified in a PP-Configuration with this PP.
     - Protection Profile for Mobile Device Management Version 4.0
     - PP-Module for File Encryption, Version 1.0
     - PP-Module for File Encryption Enterprise Management, Version 1.0
     - PP-Module for VPN Clients, Version 2.2
     - PP-Module for VPN Clients, Version 2.3
     - PP-Module for VPN Clients, Version 2.4
     - PP-Module for Endpoint Detection and Response, Version 1.0
     - PP-Module for Host Agent, Version 1.0
     - PP-Module for Voice and Video over IP (VVoIP), Version 1.0
     - PP-Module for Email Clients, Version 1.0
     - PP-Module for Web Browsers, Version 1.0
     - PP-Module for Redaction Tools, Version 1.0

Package Claim

This section lists the Functional and Assurance Packages that the document may conform to. Use the <FP-cc-ref> to refer to Functional Packages, and the <AP-cc-ref> to refer to Assurance Packages. The conf attribute is used to specify the type of Package conformance: "conformant," "augmented," or "tailored."

	<cc-pkg-claim>
		<FP-cc-ref conf="conformant">Functional Package for TLS Version 1.1</FP-cc-ref>
		<FP-cc-ref conf="conformant">Functional Package for TLS Version 2.0</FP-cc-ref>
		<FP-cc-ref conf="conformant">Functional Package for SSH Version 1.0</FP-cc-ref>
	</cc-pkg-claim>

This section automatically generates some boilerplate text as well.

   - This PP is Functional Package for TLS Version 1.1 conformant.
   - This PP is Functional Package for TLS Version 2.0 conformant.
   - This PP is Functional Package for SSH Version 1.0 conformant.
   - This PP does not conform to any assurance packages.

   The functional packages to which the PP conforms may include SFRs that are not mandatory to claim for the sake of
   conformance. An ST that claims one or more of these functional packages may include any non-mandatory SFRs that are 
   appropriate to claim based on the capabilities of the TSF and on any triggers for their inclusion based inherently on
   the SFR selections made.

Evaluation Methods

This is an optional section to be used if the requirement document uses a published Evaluation Methods document for some or all of its evaluation activities.

   <cc-eval-methods>
	<EM-cc-ref>Name of document</EM-cc-ref>
                         .
                         .
   </cc-eval-methods>

Eventually this element will be expanded to allow the complete specification of the Evaluation Methods document rather than just the textual name.

Additional Information

The final optional section allows for document-specific information to be added to the end of the Conformance Claims section.

   <cc-claims-addnl-info>
	All security requirements in these claimed functional packages are intended to satisfy 
	the O.PROTECTED_COMMS TOE security objective of this PP.
   </cc-claims-addnl-info>
</CClaimsInfo>	
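
A pre-transform check for the values described above, as an added example that is not part of this wiki or of the project's schema and transforms: it parses a <CClaimsInfo> element and reports attribute and sub-element values that fall outside the legal values listed on this page. The function names, the constructed SAMPLE input, and the reading of "must be left empty" as "present but empty" are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Legal values exactly as listed on this page.
ATTR_VALUES = {"cc-version": {"cc-2022r1", "cc-31r5"},
               "cc-approach": {"standard", "direct-rationale"}}
TEXT_VALUES = {"cc-st-conf": {"exact", "strict", "demonstrable"},
               "cc-pt2-conf": {"extended", "conformant"},
               "cc-pt3-conf": {"extended", "conformant"}}
PKG_CONF = {"conformant", "augmented", "tailored"}
# Assumption: "must be left empty" means present but empty, never omitted.
MUST_EXIST = ("cc-pp-conf", "cc-pp-config-with")

# Constructed input with four deliberate mistakes.
SAMPLE = """<CClaimsInfo cc-version="cc-2022" cc-approach="standard" display="no">
  <cc-st-conf>exact</cc-st-conf>
  <cc-pt2-conf>extended</cc-pt2-conf>
  <cc-pt3-conf>extend</cc-pt3-conf>
  <cc-pp-conf/>
  <cc-pkg-claim>
    <FP-cc-ref conf="conformant">Functional Package for TLS Version 2.0</FP-cc-ref>
    <FP-cc-ref conf="conforming">Functional Package for SSH Version 1.0</FP-cc-ref>
  </cc-pkg-claim>
</CClaimsInfo>"""

def local(tag):
    """Drop any '{namespace}' prefix ElementTree puts on a tag name."""
    return tag.rsplit("}", 1)[-1]

def lint_cclaims(xml_text):
    """Return a list of problems found in the first <CClaimsInfo> element."""
    root = ET.fromstring(xml_text)
    info = next((e for e in root.iter() if local(e.tag) == "CClaimsInfo"), None)
    if info is None:
        return ["no <CClaimsInfo> element found"]
    problems = []
    for attr, legal in ATTR_VALUES.items():
        if info.get(attr) not in legal:
            problems.append(f"@{attr}={info.get(attr)!r} not in {sorted(legal)}")
    children = {local(c.tag): c for c in info}
    for name, legal in TEXT_VALUES.items():
        child = children.get(name)
        if child is not None and (child.text or "").strip() not in legal:
            problems.append(f"<{name}>{child.text}</{name}> not in {sorted(legal)}")
    problems += [f"<{n}> is missing" for n in MUST_EXIST if n not in children]
    for ref in children.get("cc-pkg-claim", ()):
        if ref.get("conf") not in PKG_CONF:
            problems.append(f"{ref.text!r}: conf={ref.get('conf')!r} not in {sorted(PKG_CONF)}")
    return problems
```

Calling lint_cclaims(SAMPLE) returns four problems: the cc-version value, the cc-pt3-conf value, the missing cc-pp-config-with element, and the conf value on the SSH package reference.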
