Modules v. Functional Packages - commoncriteria/pp-template GitHub Wiki
9 September 2024
Functional Packages
According to CC:2022, a Package is a re-usable collection of requirements that is "useful and effective in combination."
A Functional Package (FP) may contain only SFRs. An FP may not include SARs.
New for CC:2022, an FP may include an SPD and Security Objectives derived from that SPD (of course, there are no Security Objectives if the FP is Direct Rationale).
Since FPs are intended to contain re-usable collections of requirements, it makes no sense for FPs to refer to specific SFRs or selections in other documents (other than Evaluation Methods documents, and maybe other FPs).
On the other hand, it is okay for PPs or Modules to refer to specific SFRs within a Package--or even selections within an SFR in an FP.
Currently there is no way to declare that certain selections (or XML ids) are exported from an FP or imported into a PP or Module.
FPs are suitable for things like protocols that are used by many PPs and can be dropped in, e.g. SSH, TLS, X509.
Can FPs be imported in part? Or only as a whole? Only as a whole. Can there be use cases in a package?
How do you select only one SFR from a Package?
All SFRs in the Package would have to be optional or conditional. But an SFR in a Package cannot be dependent on a selection in a PP. Could it be part of a use case? I guess, but not a use case in the PP. Only in the Package. I think the way to do this is to have the base PP invoke a use case from the package. The use case contains the requirements needed by the PP.
Summary
You can reference FPs from PPs, Modules, and other FPs. You may not reference a PP or Module from an FP.
Modules
According to CC:2022, "PP-Modules address those security features of a given TOE type that cannot be required uniformly for all products of this TOE type."
A Module must be associated with at least one Base PP. Which makes sense since it is tied to a par
The thing that we care about is that a Module may have intimate knowledge of its base PPs and may address ... A module extends a base PP to address variations on the TOE type that are not addressed by the base PP. Generally these take the form of different varieties of a base type, e.g. a Firewall is a network device. There are many different types of
Summary
Additional comments
Bluetooth should be a package