Examples for Building cPPs and SDs

This page is a link to various example pages to help build cPPs and SDs. At the moment there are examples for Security Functional Requirements and their associated Evaluation Activities. Eventually there will be more (SPD, Security Objectives, etc.) as there is time to build out these sections.

The examples here are taken from existing cPPs which will be referenced.

When developing the requirements for the cPP, it is important to realize there are "standard" requirements and "extended" requirements.

Standard requirements are those taken directly from the Common Criteria documentation (possibly with very minor refinement). These can be found in Part 2.

Extended requirements though are ones that may be based on the standard requirements, but which are wholly new (and are denoted by the "_EXT" placed at the end of the requirement in the cPP).

Creating a new requirement means not just creating the requirement but also creating the Evaluation Activities for the requirement as well. The EAs are "how do you prove/test" the claims made about the requirement, and sometimes can be more work than creating the requirement itself (especially if you think you are done when you have the SFR, the EA can be tough).

When working on creating new extended requirements, the first recommendation would be to review [CC2] and other cPPs that may have some similar requirements. For example, the Network Device cPP has a lot of information for how distributed systems should interact, so if you are working on a distributed system, it would be useful to check the ND cPP and maybe copy the requirements for your use (instead of recreating them). Of course a copied requirement can be further modified, regardless of its origin, and starting from something is always easier than creating from scratch.