www.ChineseStandard.net

GB/T 18336.1-2024 English PDF

US$2594.00 · In stock
Delivery: <= 12 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 18336.1-2024: Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model
Status: Valid

GB/T 18336.1: Historical versions

Standard ID        | USD  | Buy PDF     | Lead days      | Standard title (description)                                                                                                | Status
GB/T 18336.1-2024  | 2594 | Add to Cart | 12 days        | Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model                      | Valid
GB/T 18336.1-2015  | 150  | Add to Cart | Auto, < 3 mins | Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model | Obsolete
GB/T 18336.1-2008  | RFQ  | ASK         | 4 days         | IT security technology -- Information technology security evaluation criteria -- Part 1: Introduction and general model      | Obsolete
GB/T 18336.1-2001  | RFQ  | ASK         | 4 days         | Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model | Obsolete

Similar standards

GB/T 17964, GB/T 18336.3, GB/T 18336.4, GB/T 18336.5

Basic data

Standard ID: GB/T 18336.1-2024 (GB/T18336.1-2024)
Description (Translated English): Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.030
Word Count Estimation: 130,170
Date of Issue: 2024-04-25
Date of Implementation: 2024-11-01
Older Standard (superseded by this standard): GB/T 18336.1-2015
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 18336.1-2024: Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
GB/T 18336.1-2024
Replaces GB/T 18336.1-2015
Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model
(ISO/IEC 15408-1:2022, Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model, IDT)
Issued 2024-04-25; implemented 2024-11-01
Issued by the State Administration for Market Regulation and the Standardization Administration of China

Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
  5.1 General
  5.2 Notes on ISO/IEC 15408
  5.3 Target of evaluation (TOE)
  5.4 Remaining content
6 General model
  6.1 Background
  6.2 Assets and security controls
  6.3 Core structure of the ISO/IEC 15408 model
7 Specifying security requirements
  7.1 Security problem definition
  7.2 Security objectives
  7.3 Security requirements
8 Security components
  8.1 Hierarchical structure of security components
  8.2 Operations
  8.3 Dependencies between components
  8.4 Extended components
9 Packages
  9.1 General
  9.2 Package types
  9.3 Package dependencies
  9.4 Evaluation methods and activities
10 Protection Profiles
  10.1 General
  10.2 Introduction to PPs
  10.3 Conformance claims and conformance statements
  10.4 Security requirements
  10.5 Additional requirements common to strict and demonstrable conformance
  10.6 Specific additional requirements for strict conformance
  10.7 Specific additional requirements for demonstrable conformance
  10.8 Specific additional requirements for exact conformance
  10.9 Using PPs
  10.10 Conformance claims and statements in the case of multiple PPs
11 Modular requirements construction
  11.1 General
  11.2 PP-Modules
  11.3 PP-Configurations
12 Security Targets
  12.1 General
  12.2 Conformance claims and conformance statements
  12.3 Security requirements
  12.4 Additional requirements for exact conformance
  12.5 Additional requirements for multi-assurance
13 Evaluation and evaluation results
  13.1 General
  13.2 Evaluation content
  13.3 Evaluation of PPs and PP-Configurations
  13.4 ST evaluation
  13.5 TOE evaluation
  13.6 Evaluation methods and evaluation activities
  13.7 Evaluation results
  13.8 Multi-assurance evaluation
14 Composition of assurance
  14.1 General
  14.2 Composition model
  14.3 Evaluation techniques for providing assurance in composition models
  14.4 Requirements for evaluation using composition techniques
  14.5 Evaluation by composition and multi-assurance
Annex A (normative) Specification of packages
  A.1 Objective and structure of this annex
  A.2 Package families
  A.3 Packages
Annex B (normative) Specification of Protection Profiles
  B.1 Objective and structure of this annex
  B.2 Specification of PPs
  B.3 Mandatory content of a PP
  B.4 Referencing other standards in a PP
  B.5 Direct rationale PPs
  B.6 Optional content of a PP
Annex C (normative) Specification of PP-Modules and PP-Configurations
  C.1 Objective and structure of this annex
  C.2 Specification of PP-Modules
  C.3 Specification of PP-Configurations
Annex D (normative) Specification of Security Targets (STs) and Direct Rationale STs
  D.1 Objective and structure of this annex
  D.2 Using STs
  D.3 Mandatory content of an ST
  D.4 Direct rationale STs
  D.5 Referencing other standards in an ST
Annex E (normative) Conformance of PPs/PP-Configurations
  E.1 General
  E.2 Demonstrable conformance
  E.3 Strict conformance
  E.4 Exact conformance
Bibliography

Foreword

This document was drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".

This document is Part 1 of GB/T 18336 "Cybersecurity technology - Evaluation criteria for IT security". The following parts of GB/T 18336 have been published:
--- Part 1: Introduction and general model;
--- Part 2: Security functional components;
--- Part 3: Security assurance components;
--- Part 4: Framework for the specification of evaluation methods and activities;
--- Part 5: Pre-defined packages of security requirements.

This document replaces GB/T 18336.1-2015 "Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model". Compared with GB/T 18336.1-2015, apart from structural adjustments and editorial changes, the main technical changes are as follows:
--- added the "exact conformance" type and its associated requirements (see 6.3.2, 10.3, 10.8, E.4);
--- deleted "low assurance Protection Profiles" (see B.11 of the 2015 edition);
--- added the term "direct rationale" (see 3.34);
--- added the term "multi-assurance evaluation" (see 3.60) together with its applicable situations and associated requirements (see 6.3.4.3, 12.5, 13.8);
--- added "PP-Module" and "PP-Configuration" for modular evaluation (Clause 11);
--- added a clause on composition of assurance (see Clause 14);
--- added the content requirements for "direct rationale Protection Profiles" and "direct rationale Security Targets" (see B.5, D.4).

This document is identical to ISO/IEC 15408-1:2022 "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model".

The following minimal editorial changes have been made to this document:
--- to align with existing standards, the title has been changed to "Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model";
--- a footnote has been added (see Clause 1).

Please note that some content of this document may be subject to patents. The issuing body of this document assumes no responsibility for identifying any such patents.

This document was proposed by, and is under the jurisdiction of, the National Cybersecurity Standardization Technical Committee (SAC/TC260).

Drafting organizations: China Information Technology Security Evaluation Center, Tsinghua University, the Third Research Institute of the Ministry of Public Security, the First Research Institute of the Ministry of Public Security, the 15th Research Institute of China Electronics Technology Group Corporation, Jilin Information Security Evaluation Center, China Cybersecurity Review Technology and Certification Center, China Electronics Standardization Institute, Huawei Technologies Co., Ltd., Peking University, Institute of Information Engineering of the Chinese Academy of Sciences, China Academy of Cyberspace Studies, Beijing Kuaishou Technology Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Unigroup Tongxin Microelectronics Co., Ltd., Kelai Network Technology Co., Ltd., Sangfor Technologies Co., Ltd., ... Technology Co., Ltd., Hangzhou Deep Technology Co., Ltd., Beijing Zhongce Anhua Technology Co., Ltd., China Trade Promotion Information Technology Co., Ltd., Chengdu Zhongke Zhishan Information Technology Co., Ltd., Guangdong-Hong Kong-Macao Greater Bay Area Precision Medicine Research Institute (Guangzhou), China Communications Services Consulting and Design Institute Co., Ltd., Mashang Consumer Finance Co., Ltd., China Software Testing Center, National Computer Network Emergency Response Technical Team/Coordination Center of China, China Academy of Space Systems Science and Engineering, Academy of Broadcasting Science of the National Radio and Television Administration, iFLYTEK Co., Ltd., Beijing Jingdong Shangke Information Technology Co., Ltd., OPPO Guangdong Mobile Communications Co., Ltd., Changyang Technology (Beijing) Co., Ltd., Beijing CYBERENGE TECHNOLOGY LIMITED.

Main drafters: Zhang Baofeng, Gao Jinping, Yang Yongsheng, Shi Hongsong, Wang Yanan, Gao Song, Xie Shihua, Ye Xiaojun, Shangguan Xiaoli, Huo Shanshan, Guo Hao, Xie Anming, Wang Xiaonan, Luo Hongwei, Li Fengjuan, Xu Yuan, Sun Yafei, Xiong Qi, Pang Bo, Wang Feng, Yang Yuanyuan, Liu Jian, He Yang, Liu Zhanfeng, Feng Yun, Tan Ru, Sun Nan, Zheng Liang, Liu Jilin, Zuo Jian, Tang Chuan, Xie Jiang, Jiang Wei, Wu Wei, Kong Yong, Li Jing, Yu Mingming, Sheng Zhifan, Tan Xiaosheng, Zhao Tian, Pu Xiong, Wang Xiaopeng, Yang Bo, Chen Liang, Ding Feng, Jiang Ning, Feng Na, Zhao Hua, Li Gen, Jia Wei, Bi Haiying, Deng Hui, Chen Feng.

This document was first published in 2001 as GB/T 18336.1-2001, revised for the first time in 2008 and for the second time in 2015. This is the third revision.

Introduction

GB/T 18336 provides a common set of security functional and security assurance requirements for the security evaluation of information technology (IT) products. These requirements guide the development, evaluation and procurement of IT products with security functionality. The evaluation process establishes a level of confidence that the security functionality of an IT product, and the assurance measures applied to it, meet those requirements; it makes the results of independent security evaluations comparable and helps consumers determine whether an IT product satisfies their security needs.

GB/T 18336 is intended to consist of five parts:
--- Part 1: Introduction and general model. Gives an overall overview of GB/T 18336, defines the general concepts and principles of IT security evaluation, and presents a general model for evaluation.
--- Part 2: Security functional components. Establishes a set of standardized templates (functional components) used to express security functional requirements. The components are organized into classes and families, and specific security functional requirements are constructed by selecting, refining and tailoring components.
--- Part 3: Security assurance components. Establishes a set of standardized templates (assurance components) used to express security assurance requirements. The assurance components are likewise structured into classes and families and define the criteria for evaluating PPs, STs and TOEs. Specific security assurance requirements are constructed by selecting, refining and tailoring components.
--- Part 4: Framework for the specification of evaluation methods and activities. Provides a standardized framework for specifying evaluation methods and activities. These are contained in PPs, STs and any supporting documents for use by evaluators, and evaluation work is carried out on the basis of the models described in the other parts of GB/T 18336.
--- Part 5: Pre-defined packages of security requirements. Provides the packages of security assurance and security functional requirements commonly used by stakeholders; examples include the Evaluation Assurance Levels (EALs) and the Composed Assurance Packages (CAPs).

GB/T 18336 is highly flexible: it allows evaluation methods to be applied to a range of security properties of a range of IT products. Users should therefore take care not to misuse that flexibility. Applying inappropriate evaluation methods or activities, selecting irrelevant security properties, or targeting unsuitable IT products can yield evaluation results that are meaningless. The fact that an IT product has been evaluated therefore has meaning only in the context of which security properties were selected and which evaluation methods were used. Evaluation authorities need to check the product, the security properties and the evaluation methods carefully to determine whether an evaluation will produce meaningful results, and purchasers of evaluated products need to consider the specific circumstances of the evaluation to decide whether the product is useful for, and suited to, their own usage scenarios and needs.

GB/T 18336 addresses the protection of assets from unauthorized disclosure, modification or loss of use. The categories of protection relating to these three types of failure of security are commonly called confidentiality, integrity and availability, respectively; GB/T 18336 may also be applied to aspects of IT security beyond these three. GB/T 18336 considers risks arising from human activity (malicious or otherwise) and from non-human factors. It may also be applied in other areas of IT, but makes no claim of applicability outside the field of security.

Certain topics are considered outside the scope of GB/T 18336 because they involve specialized techniques or are somewhat peripheral to IT security. These include the following:
a) GB/T 18336 does not cover the evaluation of administrative security measures that are not directly related to IT security measures. It is recognized, however, that significant security can be achieved through administrative measures such as organizational, personnel, physical and procedural controls.
b) GB/T 18336 does not address the application of the evaluation methodology itself.
   Note 1: GB/T 30270 defines the base evaluation methodology; GB/T 18336.4 is used to derive further evaluation activities and methods from GB/T 30270.
c) GB/T 18336 does not cover the administrative and legal framework under which evaluation authorities apply this document, but it is expected that evaluations within such a framework will use GB/T 18336.
d) The procedures for using evaluation results in product accreditation are outside the scope of GB/T 18336. Product accreditation is the administrative process by which an IT product (or a collection of IT products) is authorized for use in its complete operational environment. Evaluation focuses on the IT security properties of the product, and the evaluation results are an important input to the accreditation process. However, because other techniques are better suited to assessing non-IT properties and their relationship to the IT security components, separate provisions should be made for those aspects.
e) GB/T 18336 contains no criteria for evaluating the inherent qualities of cryptographic algorithms. Where an independent assessment of the mathematical properties of cryptographic algorithms is required, the evaluation scheme using GB/T 18336 shall make specific provision for such evaluation.

Note 2: In places this document uses bold and italic type to distinguish terms from the rest of the text. Bold is used for all new requirements: for hierarchical components, requirements that are enhanced or modified beyond those of the previous component, and any new or enhanced permitted operations beyond those of the previous component, are shown in bold. Italics indicate text that has a precise meaning; for security assurance requirements this convention also applies to particular verbs related to evaluation.

Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model
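The Introduction describes Part 2 components organised into classes and families from which requirements are built by selection, and the table of contents lists 8.3 "Dependencies between components". The following Python is an added illustration by the editor, not text or code from GB/T 18336 or ISO/IEC 15408: it checks a candidate selection of security functional components for unsatisfied dependencies, applying the Part 1 rule that a dependency may be satisfied either by the required component or by a component hierarchical to it, and handling dependencies that offer alternatives ("A or B"). The component names, hierarchy entries and dependency entries in CATALOGUE are a constructed subset that follows Part 2 naming conventions; real hierarchy and dependency data must be taken from Part 2 itself.

```python
"""Dependency check over a selection of security functional components.

Added illustration, not code from GB/T 18336 / ISO/IEC 15408. It applies the
Part 1 rule that a dependency is satisfied when the required component, or a
component hierarchical to it, is also selected, and handles dependencies that
offer alternatives ("A or B"). CATALOGUE is a CONSTRUCTED subset that follows
Part 2 naming conventions; take real hierarchy and dependency data from Part 2
(GB/T 18336.2 / ISO/IEC 15408-2), not from here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    # components this one is hierarchical to (it can stand in for them)
    hierarchical_to: tuple = ()
    # each inner tuple lists alternatives; any one of them satisfies the dependency
    dependencies: tuple = ()


# Constructed illustrative subset (assumption: for demonstration only).
CATALOGUE = {c.name: c for c in [
    Component("FPT_STM.1"),
    Component("FAU_GEN.1", dependencies=(("FPT_STM.1",),)),
    Component("FAU_SAR.1", dependencies=(("FAU_GEN.1",),)),
    Component("FIA_UID.1"),
    Component("FIA_UID.2", hierarchical_to=("FIA_UID.1",)),
    Component("FIA_UAU.1", dependencies=(("FIA_UID.1",),)),
    Component("FIA_UAU.2", hierarchical_to=("FIA_UAU.1",),
              dependencies=(("FIA_UID.1",),)),
    Component("FMT_SMF.1"),
    Component("FMT_SMR.1", dependencies=(("FIA_UID.1",),)),
    Component("FDP_ACC.1", dependencies=(("FDP_ACF.1",),)),
    Component("FDP_IFC.1", dependencies=(("FDP_IFF.1",),)),
    Component("FMT_MSA.1", dependencies=(("FDP_ACC.1", "FDP_IFC.1"),
                                         ("FMT_SMR.1",), ("FMT_SMF.1",))),
    Component("FMT_MSA.3", dependencies=(("FMT_MSA.1",), ("FMT_SMR.1",))),
    Component("FDP_ACF.1", dependencies=(("FDP_ACC.1",), ("FMT_MSA.3",))),
    Component("FDP_IFF.1", dependencies=(("FDP_IFC.1",), ("FMT_MSA.3",))),
]}


def ancestors(name):
    """Return name plus everything it is hierarchical to, transitively."""
    seen, stack = set(), [name]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(CATALOGUE[n].hierarchical_to)
    return seen


def satisfied_by(selected):
    """Names covered by the selection, counting hierarchically higher components."""
    unknown = set(selected) - set(CATALOGUE)
    if unknown:
        raise ValueError(f"not in catalogue: {sorted(unknown)}")
    covered = set()
    for s in selected:
        covered |= ancestors(s)
    return covered


def unsatisfied_dependencies(selected):
    """List (component, alternatives) for every dependency the selection leaves open."""
    covered = satisfied_by(selected)
    missing = []
    for s in sorted(selected):
        for alternatives in CATALOGUE[s].dependencies:
            if not any(alt in covered for alt in alternatives):
                missing.append((s, alternatives))
    return missing


def dependency_closure(selected):
    """Grow the selection until no dependency is left open.

    When none of a dependency's alternatives is covered, the first one is
    added. In a real ST that choice belongs to the author, and Part 1 also
    permits leaving a dependency unsatisfied if the ST gives a rationale.
    """
    result = set(selected)
    while True:
        missing = unsatisfied_dependencies(result)
        if not missing:
            return result
        for _, alternatives in missing:
            result.add(alternatives[0])


if __name__ == "__main__":
    candidate = {"FAU_GEN.1", "FAU_SAR.1", "FIA_UAU.2", "FIA_UID.2"}
    for comp, alts in unsatisfied_dependencies(candidate):
        print(f"{comp} needs one of {alts}: not satisfied")
    print("closure:", sorted(dependency_closure(candidate)))
```

In the sample selection FIA_UAU.2's dependency on FIA_UID.1 is reported as satisfied because FIA_UID.2 is hierarchical to FIA_UID.1, while FAU_GEN.1's dependency on FPT_STM.1 is reported as open; this is the same reasoning an ST author records in the dependency rationale and an evaluator re-checks. dependency_closure only shows what a complete selection would look like under a "take the first alternative" policy; it is not a substitute for choosing the alternative that fits the TOE.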

1 Scope

This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by the various parts of ISO/IEC 15408, which in its entirety is intended to be used as the basis for evaluating the security properties of IT products.

This document gives an overview of all parts of ISO/IEC 15408 1). It describes the various parts of ISO/IEC 15408, defines the terms and abbreviations used in all parts, establishes the core concept of the Target of Evaluation (TOE), describes the evaluation context and the evaluation criteria, and provides the basic security concepts required for evaluating IT products.

1) ISO/IEC 15408-1 to ISO/IEC 15408-5 have been adopted as the national standards GB/T 18336.1 to GB/T 18336.5 respectively.

This document describes:
--- the core concepts of Protection Profiles (PPs), PP-Modules, PP-Configurations, packages, Security Targets (STs) and conformance types;
--- an organized description of the security components throughout the model;
--- the operations permitted when tailoring the functional and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3;
--- general information about the evaluation methods given in ISO/IEC 18045;
--- guidance on applying ISO/IEC 15408-4 to develop evaluation methods (EMs) and evaluation activities (EAs) derived from ISO/IEC 18045;
--- general information about the pre-defined Evaluation Assurance Levels (EALs) defined in ISO/IEC 15408-5;
--- information on the scope of evaluation schemes.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 18336.2-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022, IDT)
GB/T 18336.3-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022, IDT)
ISO/IEC 15408-2 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components
ISO/IEC 15408-3 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 18336.1-2024_English be delivered?

Answer: Upon your order, we will start to translate GB/T 18336.1-2024_English as soon as possible, and keep you informed of the progress. The lead time is typically 8 ~ 12 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 18336.1-2024_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 18336.1-2024_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

Question 5: Should I purchase the latest version GB/T 18336.1-2024?

Answer: Yes. Unless there are special circumstances such as technical constraints or academic study, you should always prefer to purchase the latest version, GB/T 18336.1-2024, even if its enforcement date is in the future. Complying with the latest version means that, by default, it also complies with all earlier versions, technically.