www.ChineseStandard.net

GB/T 18336.3-2024 English PDF

US$3154.00 · In stock
Delivery: <= 14 days. The true-PDF full copy in English will be manually translated and delivered via email.
GB/T 18336.3-2024: Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components
Status: Valid

GB/T 18336.3: Historical versions

Standard ID       | USD  | Buy PDF     | Lead days      | Standard title (description)                                                                                                   | Status
GB/T 18336.3-2024 | 3154 | Add to Cart | 14 days        | Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components                          | Valid
GB/T 18336.3-2015 | 500  | Add to Cart | Auto, < 3 mins | Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance components   | Obsolete
GB/T 18336.3-2008 | RFQ  | ASK         | 9 days         | IT security technology information technology security evaluation criteria -- Part 3: Security assurance requirements          | Obsolete
GB/T 18336.3-2001 | RFQ  | ASK         | 9 days         | Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance requirements | Obsolete

Similar standards

GB/T 17964   GB/T 18336.4   GB/T 18336.5   GB/T 18336.2   

Basic data

Standard ID: GB/T 18336.3-2024 (GB/T18336.3-2024)
Description (Translated English): Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.030
Word Count Estimation: 158,122
Date of Issue: 2024-04-25
Date of Implementation: 2024-11-01
Older Standard (superseded by this standard): GB/T 18336.3-2015
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 18336.3-2024: Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components


This is a DRAFT version for illustration, not a final translation. The full copy of the true-PDF in English (including equations, symbols, images, flow charts, tables and figures) will be manually and carefully translated upon your order.

ICS 35.030; CCS L80. National Standard of the People's Republic of China. Partially replaces GB/T 18336.3-2015.
Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components
Published on April 25, 2024; implemented on November 1, 2024. Issued by the State Administration for Market Regulation and the National Standardization Administration.

Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
5 Assurance paradigm
  5.1 Overview
  5.2 ISO/IEC 15408 approach
  5.3 Assurance approach
  5.4 ISO/IEC 15408 evaluation assurance scale
6 Security assurance components
  6.1 Overview
  6.2 Assurance class structure
  6.3 Assurance family structure
  6.4 Assurance component structure
  6.5 Assurance elements
  6.6 Component taxonomy
7 Class APE: Protection Profile evaluation
  7.1 Overview
  7.2 PP introduction (APE_INT)
  7.3 Conformance claims (APE_CCL)
  7.4 Security problem definition (APE_SPD)
  7.5 Security objectives (APE_OBJ)
  7.6 Extended components definition (APE_ECD)
  7.7 Security requirements (APE_REQ)
8 Class ACE: Protection Profile Configuration evaluation
  8.1 Overview
  8.2 PP-Module introduction (ACE_INT)
  8.3 PP-Module conformance claims (ACE_CCL)
  8.4 PP-Module security problem definition (ACE_SPD)
  8.5 PP-Module security objectives (ACE_OBJ)
  8.6 PP-Module extended components definition (ACE_ECD)
  8.7 PP-Module security requirements (ACE_REQ)
  8.8 PP-Module consistency (ACE_MCO)
  8.9 PP-Configuration consistency (ACE_CCO)
9 Class ASE: Security Target evaluation
  9.1 Overview
  9.2 ST introduction (ASE_INT)
  9.3 Conformance claims (ASE_CCL)
  9.4 Security problem definition (ASE_SPD)
  9.5 Security objectives (ASE_OBJ)
  9.6 Extended components definition (ASE_ECD)
  9.7 Security requirements (ASE_REQ)
  9.8 TOE summary specification (ASE_TSS)
  9.9 Consistency of composite product Security Target (ASE_COMP)
10 Class ADV: Development
  10.1 General
  10.2 Security architecture (ADV_ARC)
  10.3 Functional specification (ADV_FSP)
  10.4 Implementation representation (ADV_IMP)
  10.5 TSF internals (ADV_INT)
  10.6 Security policy modelling (ADV_SPM)
  10.7 TOE design (ADV_TDS)
  10.8 Composite design compliance (ADV_COMP)
11 Class AGD: Guidance documents
  11.1 General
  11.2 Operational user guidance (AGD_OPE)
  11.3 Preparative procedures (AGD_PRE)
12 Class ALC: Life-cycle support
  12.1 General
  12.2 CM capabilities (ALC_CMC)
  12.3 CM scope (ALC_CMS)
  12.4 Delivery (ALC_DEL)
  12.5 Development security (ALC_DVS)
  12.6 Flaw remediation (ALC_FLR)
  12.7 Life-cycle definition (ALC_LCD)
  12.8 TOE development artefacts (ALC_TDA)
  12.9 Tools and techniques (ALC_TAT)
  12.10 Integration of composition parts and consistency check of delivery procedures (ALC_COMP)
13 Class ATE: Tests
  13.1 General
  13.2 Coverage (ATE_COV)
  13.3 Depth (ATE_DPT)
  13.4 Functional tests (ATE_FUN)
  13.5 Independent testing (ATE_IND)
  13.6 Composite functional testing (ATE_COMP)
14 Class AVA: Vulnerability assessment
  14.1 Overview
  14.2 Application notes
  14.3 Vulnerability analysis (AVA_VAN)
  14.4 Composite vulnerability assessment (AVA_COMP)
15 Class ACO: Composition
  15.1 General
  15.2 Composition rationale (ACO_COR)
  15.3 Development evidence (ACO_DEV)
  15.4 Reliance of dependent component (ACO_REL)
  15.5 Composed TOE testing (ACO_CTT)
  15.6 Composition vulnerability analysis (ACO_VUL)
Annex A (informative) Development (ADV)
  A.1 ADV_ARC: Supplementary material on security architectures
  A.2 ADV_FSP: Supplementary material on functional specifications
  A.3 ADV_INT: Supplementary material on TSF internals
  A.4 ADV_TDS: Subsystems and modules
  A.5 Supplementary material on formal methods
Annex B (informative) Composition (ACO)
  B.1 Overview
  B.2 Necessity for composed TOE evaluation
  B.3 Evaluation of the composed TOE Security Target
  B.4 Interactions between composed IT entities
Annex C (informative) Cross reference of assurance component dependencies
Annex NA (informative) Abbreviations
References

Foreword

This document was drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".

This document is Part 3 of GB/T 18336 "Cybersecurity technology - Evaluation criteria for IT security". GB/T 18336 has published the following parts:
--- Part 1: Introduction and general model;
--- Part 2: Security functional components;
--- Part 3: Security assurance components;
--- Part 4: Normative framework for evaluation methods and activities;
--- Part 5: Predefined security requirements packages.

This document, together with GB/T 18336.4-2024 "Cybersecurity technology - Evaluation criteria for IT security - Part 4: Normative framework for evaluation methods and activities" and GB/T 18336.5-2024 "Cybersecurity technology - Evaluation criteria for IT security - Part 5: Predefined security requirements packages", replaces GB/T 18336.3-2015 "Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance components". This document partially replaces GB/T 18336.3-2015.

Compared with GB/T 18336.3-2015, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
--- changed the terminology (see Clause 3; Clause 3 of the 2015 edition);
--- added the exact conformance type (see 7.3.2, 8.3.2, 8.9.2 and 9.3.2);
--- deleted the evaluation assurance levels and composed assurance packages (see Clauses 7 and 8 of the 2015 edition);
--- added protection profiles with direct rationale (see 7.7.3 and 9.7.3);
--- added PP-Modules and PP-Configurations for modular evaluation (see Clause 8);
--- added multi-assurance evaluation (see 8.9.2, 9.2.2 and 9.7.3);
--- added security assurance components for composite product evaluation (see 9.9, 10.8, 12.10, 13.6 and 14.4).

This document is identical to ISO/IEC 15408-3:2022 "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components".

The following minimal editorial changes were made to this document:
--- the title was changed to "Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components" to coordinate with existing standards;
--- informative Annex NA "Abbreviations" was added.

Please note that some of the contents of this document may involve patents. The issuing body of this document does not assume responsibility for identifying patents.

This document was proposed by and is under the jurisdiction of the National Cybersecurity Standardization Technical Committee (SAC/TC260).

This document was drafted by: China Information Security Evaluation Center, China National Accreditation Service for Conformity Assessment, the Third Research Institute of the Ministry of Public Security, the 15th Research Institute of China Electronics Technology Group Corporation, Tsinghua University, Huawei Technologies Co., Ltd., Beijing Topsec Network Security Technology Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences, Fudan University, Wuhan University, Jishou University, Zhejiang Dahua Technology Co., Ltd., China Science and Technology Information Security Co., Ltd., National Engineering Research Center for Information Security Technology Co., Ltd., Jilin Information Security Evaluation Center, Shaanxi Network and Information Security Evaluation Center, Chengdu Virtual Gu Weiye Technology Co., Ltd., Anhui Zhongke Guochuang High-Reliability Software Co., Ltd., Beijing Zhongce Anhua Technology Co., Ltd., Honor Terminal Co., Ltd., Kelai Network Technology Co., Ltd., Yidu Cloud (Beijing) Technology Co., Ltd., Beijing CEC Huada Electronic Design Co., Ltd., Hefei Tianwei Information Security Technology Co., Ltd., Beijing Shuanxing Technology Co., Ltd., and Jinzhuan Xinke Co., Ltd.

The main drafters of this document are: Zhang Baofeng, Bi Haiying, Deng Hui, Gao Jinping, Yang Yongsheng, Shi Hongsong, Xie Shihua, Jia Wei, Xu Yuan, Li Fengjuan, Niu Xingrong, Li Hong, Meng Yahao, Wu Teng, Dong Jingjing, Ye Xiaojun, Yao Junning, Wang Yan, Liu Qixu, Feng Yun, Xu Zhipeng, Cheng Junjun, Yu Rongwei, Li Zongshou, Ying Tianyuan, Guo Hao, Liu Zhanfeng, Hu Jianxun, Yan Yuyun, Ming Yuzhuo, Su Decai, Ji Jinlong, Huang Haijun, Chen Hongjin, Zuo Jian, Zhu Kelei, Zhu Ruijin, Luo Yang, Mao Junjie, Wang Yuhang, Chen Jiazhe, Wei Wei, Liang Wentao, Liu Jian, Wu Jianshuang, Liu Yuhong, Xue Zhihui, Yi Pengda, Sun Ruigang, Wu Yadi and Zhu Ye.

This document was first published in 2001 as GB/T 18336.3-2001, revised for the first time in 2008 and for the second time in 2015; this is the third revision.

Introduction

The security assurance components defined in this document are used in assurance packages, protection profiles (PPs), PP-Modules, PP-Configurations and Security Targets (STs). The basis for describing security assurance requirements is described in … These requirements establish a standard way of expressing assurance requirements for a Target of Evaluation (TOE). This document catalogues a set of assurance components, families and classes, and also defines the criteria for evaluating PPs, PP-Configurations, PP-Modules and STs.

GB/T 18336 is planned to consist of five parts:
--- Part 1: Introduction and general model. It aims to provide an overall overview of GB/T 18336 and to define the basic principles of IT security evaluation. It introduces the general concepts and principles and gives a general model for evaluation.
--- Part 2: Security functional components. It aims to establish a set of standardized templates for functional components that can be used to express security functional requirements. These functional components are structured as classes and families; specific security functional requirements are constructed through component selection, refinement and tailoring.
--- Part 3: Security assurance components. It aims to establish a set of standardized templates for security assurance components that can be used to express security assurance requirements. These security assurance components are structured as classes and families and define the criteria for evaluating PPs, STs and TOEs; specific security requirements are then constructed through component selection, refinement and tailoring.
--- Part 4: Normative framework for evaluation methods and activities. It aims to provide a standardized framework for specifying evaluation methods and activities. These evaluation methods and activities are included in PPs, STs and any supporting documents, for evaluators to use when carrying out evaluation work based on the models described in the other parts of GB/T 18336.
--- Part 5: Predefined security requirements packages. It aims to provide the security assurance requirement packages and security functional requirement packages commonly used by stakeholders; examples of the packages provided include Evaluation Assurance Levels (EALs) and Composed Assurance Packages (CAPs).

The target readers of this document are mainly the consumers, developers, technical working groups and evaluators of secure IT products. Clause 5 of GB/T 18336.1-2024 provides additional information on the target readers of GB/T 18336 and on how these reader groups use GB/T 18336. These audience groups use this document as follows:
a) Consumers select components to express the assurance requirements that satisfy the security objectives set out in a PP or ST, thereby determining the required level of security assurance of the TOE.
b) Developers, when constructing TOEs to respond to actual or anticipated consumer security requirements, may refer to this document to interpret statements of assurance requirements and to identify the TOE assurance approach.
c) Evaluators use the assurance requirements defined in this document as mandatory statements of evaluation criteria when determining the assurance of TOEs and when evaluating PPs and STs.

Note: This document uses bold and italic fonts in some cases to distinguish terms from the rest of the text. For hierarchical components, where a requirement is enhanced or modified beyond the requirements of the previous component, the change is shown in bold. In addition, any new or enhanced permitted operations beyond the previous component are also highlighted in bold. Italics are used to indicate text that has a precise meaning; for security assurance requirements, this convention also applies to the special verbs relating to evaluation.

Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components

1 Scope

This document defines the assurance requirements of ISO/IEC 15408, including the evaluation assurance levels and the other assurance packages contained in ISO/IEC 15408-5, together with the evaluation criteria for PPs, PP-Configurations, PP-Modules and STs.

2 Normative references

The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.

GB/T 30270-2024 Cybersecurity technology - Evaluation methodology for IT security (ISO/IEC 18045:2022, IDT)
ISO/IEC 15408-1 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model
  Note: GB/T 18336.1-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC 15408-1:2022, IDT)
ISO/IEC 15408-2 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components
  Note: GB/T 18336.2-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022, IDT)
ISO/IEC 15408-4 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 4: Normative framework for evaluation methods and activities
  Note: GB/T 18336.4-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 4: Normative framework for evaluation methods and activities (ISO/IEC 15408-4:2022, IDT)
ISO/IEC 15408-5 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 5: Predefined security requirements packages
  Note: GB/T 18336.5-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 5: Predefined security requirements packages (ISO/IEC 15408-5:2022, IDT)

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 15408-1, ISO/IEC 15408-2, ISO/IEC 15408-4, ISO/IEC 15408-5, ISO/IEC 18045 and ISO/IEC/IEEE 24765, and the following, apply.
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 18336.3-2024_English be delivered?

Answer: Upon your order, we will start translating GB/T 18336.3-2024_English as soon as possible and keep you informed of the progress. The lead time is typically 10 ~ 14 working days; the lengthier the document, the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 18336.3-2024_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 18336.3-2024_English is deemed to be sold to the employer/organization that actually pays for it, which includes your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. Within 2 working hours, we will create a special link for you to pay in any currency. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

Question 5: Should I purchase the latest version GB/T 18336.3-2024?

Answer: Yes. Except in special scenarios such as technical constraints or academic study, you should always prioritize purchasing the latest version, GB/T 18336.3-2024, even if the enforcement date is in the future. Complying with the latest version means that, by default, it also complies technically with all the earlier versions.