Updated 12 December 2023

Mandatory SFRs

An SFR is mandatory when it must always be claimed in the ST.

Non-Mandatory SFRs

SFRs that are non-mandatory are claimed in the ST either conditionally or optionally. Objective and Optional SFRs are claimed optionally. Implementation-dependent and selection-based SFRs are claimed conditionally.

Optional SFRs

Optional SFRs are claimed at the option of the ST Author. There is no impact on the compliance of the TOE to the PP if an optional SFR is not claimed, even if the TOE implements the capability covered by the SFR. Optional SFRs generally appear in Appendix A.1 of NIAP PPs and PP-Modules.

Objective SFRs

Objective SFRs are optional requirements that are slated to become mandatory in the future. As with optional requirements, there is no penalty for failing to claim an Objective requirement. Objective SFRs generally appear in Appendix A.2 of NIAP PPs and PP-Modules.

Implementation-dependent SFRs

The CC:2022 lists Implementation-dependent SFRs as a type of optional SFR, though they are, in fact, not optional. Implementation-dependent SFRs are linked to a product feature. If the TOE implements the feature, then the SFR must be claimed. Implementation-dependent SFRs generally appear in Appendix A.3 of NIAP PPs and PP-Modules.

Selection-based SFRs

As the name suggests, the Selection-based SFRs must be claimed if the ST Author makes one or more selections. But it's not that simple. SFRs should also be classified as selection-based if their claiming depends on a use-case or on the inclusion of another SFR. Selection-based SFRs appear in Appendix B.

Conflicts in Classification

It is possible that an SFR could be classified in more than one way. Generally, there is a hierarchy of SFR types with selection-based at the top.

If an SFR can be brought in through a selection, use-case, or dependency on another SFR, it is considered to be Selection-based no matter how many other ways it can be claimed. For example, if an SFR is both selectable and can be brought in at the option of the ST Author, it is considered selection-based.

Otherwise, if an SFR can be Optional/Objective or Implementation-dependent, it is classified as Implementation-dependent.

An SFR cannot be both Optional and Objective. Nor can an SFR be Mandatory and anything else. Mandatory is mandatory.

Non-Mandatory SFRs in the Additional SFRs Section of PP-Modules

As of 11 December 2023, non-Mandatory SFRs may appear in the Additional SFRs section of a PP-Module.