Organizational Security Policies Section - commoncriteria/pp-template GitHub Wiki

Updated 4 January 2024

According to CC:2022, "OSPs are security rules, procedures, or guidelines imposed in the operational environment. OSPs can be made by an organization controlling the operational environment of the TOE, or they can be made by legislative or regulatory bodies. OSPs can apply to the TOE and/or the operational environment of the TOE."

Having Organizational Security Policies is optional, but having an Organizational Security Policies section is not.

The Organizational Security Policies section can be defined in the usual three ways:

  <section title="Organizational Security Policies" id="sec-uniqueId">

  <sec:Organizational_Security_Policies>

  <sec:osp title="Organizational Security Policies">

In XML, the Organizational Security Policies section consists of an <OSPs> element that contains one or more <OSP> elements.

Each <OSP> element has a name attribute and an optional id. The id is only needed if there is a reason to refer to the OSP elsewhere in the document by something other than its name, which is very unlikely.

The OSP name should be of the form P.POLICY_NAME, where the name is unique in the document. Ideally, OSP names should be common across all PPs so that they can be maintained in a library, so you should try to reuse OSPs that you have seen before rather than inventing new ones.

Each OSP includes a description, a reference to one or more Objectives or Operational Environment Objectives, and a rationale explaining how the OSP is enforced by the Objective. The rationale is used to auto-generate the Security Objectives Rationale section.

	<OSP name="P.ENTERPRISE">
		<description>If the GPCP is bound to a directory or management server, the configuration of
			the OS software must be capable of adhering to the enterprise security policies
			distributed by them.</description>
		<objective-refer ref="O.MANAGEMENT">
			<rationale>The organizational security policy P.ENTERPRISE is enforced through the
				objective O.MANAGEMENT as this objective represents how the enterprise and user assert
				management over the OS.</rationale>
		</objective-refer>
	</OSP>

If the PP defines no OSPs, then the Organizational Security Policies section should look like this:

     <sec:Organizational_Security_Policies>
        <OSPs/>
     </sec:Organizational_Security_Policies>
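The conventions above (P.POLICY_NAME naming, unique names, a description, at least one objective-refer, and a rationale per reference that feeds the auto-generated Security Objectives Rationale) are easy to check mechanically before a build. The following is an added example lint script, not part of pp-template's own tooling; it parses only the <OSPs> element (so the sec: namespace is not involved), takes the P.ENTERPRISE example from this page as its sample input together with a constructed malformed entry, and also accepts the empty <OSPs/> form. The objective names it accepts (O.MANAGEMENT, O.SOMETHING) are not cross-checked against a real Objectives section.

```python
"""Lint an <OSPs> block against the conventions described on this wiki page.
Added example; not a pp-template script."""
import re
import xml.etree.ElementTree as ET

# Page convention: OSP names look like P.POLICY_NAME (upper case, underscores).
OSP_NAME_RE = re.compile(r"^P\.[A-Z][A-Z0-9_]*$")

# Constructed sample: the P.ENTERPRISE entry from this page plus one
# deliberately malformed OSP (lower-case name, objective-refer with no rationale).
SAMPLE_OSPS = """<OSPs>
  <OSP name="P.ENTERPRISE">
    <description>If the GPCP is bound to a directory or management server, the configuration of
      the OS software must be capable of adhering to the enterprise security policies
      distributed by them.</description>
    <objective-refer ref="O.MANAGEMENT">
      <rationale>The organizational security policy P.ENTERPRISE is enforced through the
        objective O.MANAGEMENT as this objective represents how the enterprise and user assert
        management over the OS.</rationale>
    </objective-refer>
  </OSP>
  <OSP name="p.lowercase">
    <description>Constructed entry that violates the naming convention.</description>
    <objective-refer ref="O.SOMETHING"/>
  </OSP>
</OSPs>"""

# The form the page prescribes when a PP defines no OSPs at all.
EMPTY_OSPS = "<OSPs/>"


def lint_osps(xml_text):
    """Return a list of problem strings; an empty list means the block is clean."""
    root = ET.fromstring(xml_text)
    if root.tag != "OSPs":
        return ["root element must be <OSPs>, got <%s>" % root.tag]
    problems = []
    seen = set()
    for osp in root.findall("OSP"):
        name = osp.get("name")
        if not name:
            problems.append("<OSP> without name attribute")
            continue
        if not OSP_NAME_RE.match(name):
            problems.append("%s: name is not of the form P.POLICY_NAME" % name)
        if name in seen:
            problems.append("%s: duplicate name" % name)
        seen.add(name)
        desc = osp.find("description")
        if desc is None or not (desc.text or "").strip():
            problems.append("%s: missing or empty <description>" % name)
        refs = osp.findall("objective-refer")
        if not refs:
            problems.append("%s: no <objective-refer>" % name)
        for ref in refs:
            target = ref.get("ref")
            if not target:
                problems.append("%s: <objective-refer> without ref attribute" % name)
            rationale = ref.find("rationale")
            if rationale is None or not (rationale.text or "").strip():
                problems.append("%s -> %s: missing <rationale>" % (name, target))
    return problems


def rationale_rows(xml_text):
    """Flatten (OSP name, objective, rationale) triples, i.e. the raw material
    the generated Security Objectives Rationale section is built from."""
    root = ET.fromstring(xml_text)
    rows = []
    for osp in root.findall("OSP"):
        for ref in osp.findall("objective-refer"):
            text = ref.findtext("rationale", default="")
            rows.append((osp.get("name"), ref.get("ref"), " ".join(text.split())))
    return rows


if __name__ == "__main__":
    for label, doc in (("empty", EMPTY_OSPS), ("sample", SAMPLE_OSPS)):
        print(label, "->", lint_osps(doc) or "clean")
    for name, objective, rationale in rationale_rows(SAMPLE_OSPS):
        print(name, objective, rationale[:60])
```

Running the script reports the empty block as clean and flags the constructed p.lowercase entry twice (bad name, missing rationale), while leaving the page's P.ENTERPRISE entry untouched; the flattened rows show exactly which OSP-to-objective mappings would reach the rationale section.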

To suppress the boilerplate text at the start of the section, set the section's boilerplate attribute to "no". For this to work, you must use the following form of the section heading:

  <section title="Organizational Security Policies" id="sec-uniqueId" boilerplate="no">