Overview

Background

The Common Criteria (CC) provides a grammar for describing Information Technology (IT) system security. The CC paradigm requires that a Security Target (ST) be written which defines the security requirements to be used as the basis for the evaluation of a product or system. An ST may claim conformance to a Protection Profile (PP), an implementation-independent set of security requirements or needs specified by customers, consumers, and/or a consortium of users. One of the difficulties for authors creating either an ST or a PP is finding the components in the CC that are pertinent to their product or system. For this reason, the CC Toolbox is being developed as an integrated set of tools to aid system developers and requirement authors in generating PP and ST documents. The CC Toolbox will simplify and streamline the use of the CC for IT system practitioners and therefore should facilitate the widespread acceptance and use of the CC.

Purpose of the CC Toolbox

The purpose of the CC Toolbox is twofold:

- To assist a developer in preparing for a CC evaluation of an existing or planned system or product. The CC Toolbox supports the developer in creating the initial document (ST) required to place a system or product under the scrutiny of a CC evaluation.
- To assist an accrediting official, consumer, or individual of like authority and responsibility, to document an implementation-independent set of security requirements (PP) for a specific information technology (IT) need in CC terms.

CC Toolbox Overview

The CC Toolbox provides the user the ability to:

- Select an Evaluation Assurance Level (EAL) 1 through 7.
- Include an EAL, thereby including all assurance components for the specified EAL.
- Input Security Objectives, Policies, Threats, and Assumptions. The user-created policies, threats, and assumptions (i.e., security environment) may be mapped to one or more security objectives.
- Allocate functional components and assurance components either to the Target of Evaluation (TOE) or to the Non-TOE.
- Extend a CC Class and Family by adding a new component with elements and a rationale.
- Add multiple instances of a CC Component.
- Create and store a Template (i.e., a stored interview session or a variant Root Topic Hierarchy).
- Use the CC Toolbox in a stand-alone or networked environment.
- Develop both a draft ST and draft PP report.
- Report observations directly to NIAP.
- Specify the time interval between autosaves and the User Configuration function.
- Easily identify the status of each requirement with the addition of new indicator symbols and an improved user interface.
- Provide a long description in addition to the short name and description in Security Objectives, Policies, Threats and Assumptions.
- Interview users regarding their system environment by guiding them through an environment interview.
- Select pre-defined environmental considerations (Policies, Threats, and Assumptions) and incorporate pre-defined Security Objectives.
- Display:
  - detailed information for pre-defined environmental considerations and pre-defined Security Objectives;
  - environmental mapping status of all environment statements;
  - guidance text to user-defined environmental considerations;
  - those Security Objectives currently mapped by the user to any component associated with the security objective.
- Input Non-IT environmental requirements used to address a security objective.
- Map a component to the Target of Evaluation (TOE) or IT environment from a display of dependencies.
- Add "and" and "or" dependencies when creating an extension.
- Collect exclusion rationale for unsatisfied dependencies.