/ ep.json
ep.json
1 { 2 "$schema": "https://json-schema.org/draft-07/schema", 3 "$id": "http://example.com/example.json", 4 "title": "Evaluation Plan", 5 "description": "The purpose of this document is to outline the approach, scope, and details of the evaluation process for an IT product.", 6 "type": "object", 7 "default": {}, 8 "required": ["ep"], 9 "properties": { 10 "ep": { 11 "type": "object", 12 "default": {}, 13 "required": [ 14 "changelog", 15 "information", 16 "definitions", 17 "productDescription", 18 "resources", 19 "qualityPlan", 20 "securityPlan", 21 "acronyms", 22 "documentReferences" 23 ], 24 "properties": { 25 "changelog": { 26 "title": "Changelog", 27 "description": "Information is not immutable. It is common that during the course of an evaluation some details may change (e.g. TOE version). It is important to track every change so CBs understand the context of the assessment.", 28 "type": "array", 29 "default": [], 30 "items": { 31 "type": "object", 32 "required": [ 33 "version", 34 "date", 35 "authors", 36 "reason", 37 "changes" 38 ], 39 "properties": { 40 "version": { 41 "title": "Version", 42 "description": "Version of the document in 1.0 format.", 43 "pattern": "^\\d\\.\\d$", 44 "type": "string", 45 "examples": ["1.0", "2.0"] 46 }, 47 "date": { 48 "title": "Date", 49 "description": "Issue date of the version.", 50 "type": "string", 51 "format": "date", 52 "examples": ["2021-11-18", "2021-11-19"] 53 }, 54 "authors": { 55 "title": "Authors", 56 "description": "Who made the changes.", 57 "type": "array", 58 "items": { 59 "type": "string", 60 "examples": ["AGJ"] 61 }, 62 "examples": [["AGJ"], ["AGJ"]] 63 }, 64 "reason": { 65 "title": "Reason", 66 "description": "Why these changes were necessary.", 67 "type": "string", 68 "examples": ["Initial version", "Update"] 69 }, 70 "changes": { 71 "title": "Changes", 72 "description": "Changes that have been applied to the document.", 73 "type": "array", 74 "items": { 75 "type": "string", 76 "examples": [ 77 "Creation of the document", 78 "New evaluator added to the evaluation plan." 79 ] 80 }, 81 "examples": [ 82 ["Creation of the document"], 83 [ 84 "New evaluator added to the evaluation plan." 85 ] 86 ] 87 } 88 }, 89 "examples": [ 90 { 91 "version": "1.0", 92 "date": "2021-11-18", 93 "authors": ["AGJ"], 94 "reason": "Initial version", 95 "changes": ["Creation of the document"] 96 }, 97 { 98 "version": "2.0", 99 "date": "2021-11-19", 100 "authors": ["AGJ"], 101 "changes": [ 102 "New evaluator added to the evaluation plan." 103 ], 104 "reason": "Update" 105 } 106 ] 107 }, 108 "examples": [ 109 [ 110 { 111 "version": "1.0", 112 "date": "2021-11-18", 113 "authors": ["AGJ"], 114 "reason": "Initial version", 115 "changes": ["Creation of the document"] 116 }, 117 { 118 "version": "2.0", 119 "date": "2021-11-19", 120 "authors": ["AGJ"], 121 "changes": [ 122 "New evaluator added to the evaluation plan." 123 ], 124 "reason": "Update" 125 } 126 ] 127 ] 128 }, 129 "information": { 130 "title": "Information", 131 "description": "It is necessary to know to which dossier the document that has been sent to SGOC corresponds, as well as its author, who has approved it...", 132 "type": "object", 133 "default": {}, 134 "required": [ 135 "dossierCode", 136 "authors", 137 "reviewedBy", 138 "approvedBy", 139 "signature", 140 "projectCode" 141 ], 142 "properties": { 143 "dossierCode": { 144 "title": "Dossier code", 145 "description": "Reference to the evaluation dossier.", 146 "type": "string", 147 "default": "", 148 "examples": ["2021-001"] 149 }, 150 "authors": { 151 "title": "Authors", 152 "description": "Indicate who were the evaluators who authored the document. It can be one or several.", 153 "type": "array", 154 "default": [], 155 "items": { 156 "type": "string", 157 "examples": ["AGJ", "DAT"] 158 }, 159 "examples": [["AGJ", "DAT"]] 160 }, 161 "reviewedBy": { 162 "title": "Reviewed by", 163 "description": "Indicates who has reviewed the document.", 164 "type": "string", 165 "default": "", 166 "examples": ["JTG"] 167 }, 168 "approvedBy": { 169 "title": "Approved by", 170 "description": "Indicates who has approved the document.", 171 "type": "string", 172 "default": "", 173 "examples": ["JTG"] 174 }, 175 "signature": { 176 "title": "Signature", 177 "description": "Assures non-repudiation of the document.", 178 "type": "string", 179 "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$", 180 "default": "", 181 "examples": ["SlRTRUNCRVlPTkRJVFNFQ1VSSVRZU0wK"] 182 }, 183 "projectCode": { 184 "title": "Project code", 185 "description": "It allows ITSEF to identify the project without using the same identifier as the CB.", 186 "type": "string", 187 "default": "", 188 "examples": ["CC_MANUFACTURER_PROJECT"] 189 } 190 }, 191 "examples": [ 192 { 193 "dossierCode": "2021-001", 194 "authors": ["AGJ", "DAT"], 195 "reviewedBy": "JTG", 196 "approvedBy": "JTG", 197 "signature": "SlRTRUNCRVlPTkRJVFNFQ1VSSVRZU0wK", 198 "projectCode": "CC_MANUFACTURER_PROJECT" 199 } 200 ] 201 }, 202 "definitions": { 203 "title": "Definitions", 204 "description": "There are some terms that need to be defined prior to the initiation of the evaluation such as 'Operational Environment' or 'TOE'.", 205 "type": "array", 206 "default": [], 207 "items": { 208 "type": "object", 209 "required": ["term", "meaning"], 210 "properties": { 211 "term": { 212 "title": "Term", 213 "description": "Name that is going to be defined.", 214 "type": "string", 215 "examples": [ 216 "Operational environment", 217 "Target Of Evaluation" 218 ] 219 }, 220 "meaning": { 221 "title": "Meaning", 222 "description": "Definition of the term.", 223 "type": "string", 224 "examples": [ 225 "Environemt where the TOE operates.", 226 "Software, firmware and/or hardware under evaluation." 227 ] 228 } 229 }, 230 "examples": [ 231 { 232 "term": "Operational environment", 233 "meaning": "Environemt where the TOE operates." 234 }, 235 { 236 "term": "Target Of Evaluation", 237 "meaning": "Software, firmware and/or hardware under evaluation." 238 } 239 ] 240 }, 241 "examples": [ 242 [ 243 { 244 "term": "Operational environment", 245 "meaning": "Environemt where the TOE operates." 246 }, 247 { 248 "term": "Target Of Evaluation", 249 "meaning": "Software, firmware and/or hardware under evaluation." 250 } 251 ] 252 ] 253 }, 254 "productDescription": { 255 "title": "Product description", 256 "description": "In order to start the evaluation, a description of the product needs to be provided. This section shall contain the general product features, as well as the security ones.", 257 "type": "object", 258 "default": {}, 259 "required": [ 260 "generalProductFeatures", 261 "securityProductFeatures" 262 ], 263 "properties": { 264 "generalProductFeatures": { 265 "title": "General product features", 266 "description": "Description of the general features of the product.", 267 "type": "string", 268 "default": "", 269 "examples": [ 270 "This is the general product features." 271 ] 272 }, 273 "securityProductFeatures": { 274 "title": "Security product features", 275 "description": "To protect against threats, the TOE must implement a number of security features. This section contains a brief description of each of the security functions it implements.", 276 "type": "array", 277 "default": [], 278 "items": { 279 "type": "object", 280 "required": ["sf", "description"], 281 "properties": { 282 "sf": { 283 "title": "Security Function", 284 "description": "Name of the security function that is going to be tested during the evaluation.", 285 "type": "string", 286 "examples": ["FAU", "FCS"] 287 }, 288 "description": { 289 "title": "Description", 290 "description": "Description of the security function that is going to be tested during the evaluation.", 291 "type": "string", 292 "examples": [ 293 "This is the description of the FAU security function", 294 "This is the description of the FCS security function" 295 ] 296 } 297 }, 298 "examples": [ 299 { 300 "sf": "FAU", 301 "description": "This is the description of the FAU security function" 302 }, 303 { 304 "sf": "FCS", 305 "description": "This is the description of the FCS security function" 306 } 307 ] 308 }, 309 "examples": [ 310 [ 311 { 312 "sf": "FAU", 313 "description": "This is the description of the FAU security function" 314 }, 315 { 316 "sf": "FCS", 317 "description": "This is the description of the FCS security function" 318 } 319 ] 320 ] 321 } 322 }, 323 "examples": [ 324 { 325 "generalProductFeatures": "This is the general product features.", 326 "securityProductFeatures": [ 327 { 328 "sf": "FAU", 329 "description": "This is the description of the FAU security function" 330 }, 331 { 332 "sf": "FCS", 333 "description": "This is the description of the FCS security function" 334 } 335 ] 336 } 337 ] 338 }, 339 "resources": { 340 "title": "Resources", 341 "description": "The evaluation plan shall contain the resources needed to carry the evaluation.", 342 "type": "object", 343 "default": {}, 344 "required": [ 345 "staff", 346 "equipmentAndTestEnvironment", 347 "itsefTechnicalQualification", 348 "trainingActions", 349 "toolsDevelopment", 350 "developerEvidence", 351 "evaluationActivities", 352 "evaluationMethodology", 353 "evaluationSupportActivities", 354 "timePlanning" 355 ], 356 "properties": { 357 "staff": { 358 "title": "Staff", 359 "description": "Personnel of the ITSEF that is going to be involved in the evaluation.", 360 "type": "array", 361 "default": [], 362 "items": { 363 "type": "object", 364 "required": [ 365 "alias", 366 "name", 367 "surname", 368 "bio", 369 "projectInvolvement", 370 "level" 371 ], 372 "properties": { 373 "alias": { 374 "title": "Alias", 375 "description": "Alias of the evaluator that is going to be used during the evaluation when referring to them.", 376 "type": "string", 377 "examples": ["DAT", "AGJ"] 378 }, 379 "name": { 380 "title": "Name", 381 "description": "First name of the evaluator.", 382 "type": "string", 383 "examples": ["Darío", "Álvaro"] 384 }, 385 "surname": { 386 "title": "Surname", 387 "description": "Last name of the evaluator.", 388 "type": "string", 389 "examples": [ 390 "Abad Tarifa", 391 "García Jaén" 392 ] 393 }, 394 "bio": { 395 "title": "Bio", 396 "description": "Summary of the evaluator's professional and academic biography.", 397 "type": "string", 398 "examples": [ 399 "Darío studied Computer Science...", 400 "Álvaro studied Computer Science..." 401 ] 402 }, 403 "projectInvolvement": { 404 "title": "Project involvement", 405 "description": "Describes what the evaluator's tasks will be.", 406 "type": "string", 407 "examples": [ 408 "Darío will focus in AVA...", 409 "Darío will review the evidence generated by the ITSEF" 410 ] 411 }, 412 "level": { 413 "title": "Level", 414 "description": "Level of the evaluator (e.g. from L1 to L5).", 415 "type": "string", 416 "pattern": "^L[1-5]$", 417 "examples": ["L3"] 418 } 419 }, 420 "examples": [ 421 { 422 "alias": "DAT", 423 "name": "Darío", 424 "surname": "Abad Tarifa", 425 "bio": "Darío studied Computer Science...", 426 "projectInvolvement": "Darío will focus in AVA...", 427 "level": "L3" 428 }, 429 { 430 "alias": "AGJ", 431 "name": "Álvaro", 432 "surname": "García Jaén", 433 "bio": "Álvaro studied Computer Science...", 434 "projectInvolvement": "Darío will review the evidence generated by the ITSEF", 435 "level": "L3" 436 } 437 ] 438 }, 439 "examples": [ 440 [ 441 { 442 "alias": "DAT", 443 "name": "Darío", 444 "surname": "Abad Tarifa", 445 "bio": "Darío studied Computer Science...", 446 "projectInvolvement": "Darío will focus in AVA...", 447 "level": "L3" 448 }, 449 { 450 "alias": "AGJ", 451 "name": "Álvaro", 452 "surname": "García Jaén", 453 "bio": "Álvaro studied Computer Science...", 454 "projectInvolvement": "Darío will review the evidence generated by the ITSEF", 455 "level": "L3" 456 } 457 ] 458 ] 459 }, 460 "equipmentAndTestEnvironment": { 461 "title": "Equipment and test environment", 462 "description": "Description of the special equipment needed for the evaluation.", 463 "type": "string", 464 "default": "", 465 "examples": [ 466 "Lorem ipsum dolor sit amet, consectetur adipiscing elit." 467 ] 468 }, 469 "itsefTechnicalQualification": { 470 "title": "ITSEF technical qualification", 471 "description": "Description of the training actions and tools needed to carry out the evaluation.", 472 "type": "string", 473 "default": "", 474 "examples": [ 475 "Lorem ipsum dolor sit amet, consectetur adipiscing elit." 476 ] 477 }, 478 "trainingActions": { 479 "title": "Training actions", 480 "description": "Actions carried out to train the evaluators assigned to the project.", 481 "type": "string", 482 "default": "", 483 "examples": [ 484 "Lorem ipsum dolor sit amet, consectetur adipiscing elit." 485 ] 486 }, 487 "toolsDevelopment": { 488 "title": "Tools development", 489 "description": "Tools developed to carry out the evaluation.", 490 "type": "string", 491 "default": "", 492 "examples": [ 493 "Lorem ipsum dolor sit amet, consectetur adipiscing elit." 494 ] 495 }, 496 "developerEvidence": { 497 "title": "Developer evidence", 498 "description": "Evidence requested from the developer necessary for the evaluation.", 499 "type": "string", 500 "default": "", 501 "examples": [ 502 "Lorem ipsum dolor sit amet, consectetur adipiscing elit." 503 ] 504 }, 505 "evaluationActivities": { 506 "title": "Evaluation activities", 507 "description": "Description of the evaluation activities that are going to be performed during the evaluation.", 508 "type": "string", 509 "default": "", 510 "examples": [ 511 "Lorem ipsum dolor sit amet, consectetur adipiscing elit." 512 ] 513 }, 514 "evaluationMethodology": { 515 "title": "Evaluation methodology", 516 "description": "Methodology and criteria to be followed during evaluation.", 517 "type": "string", 518 "default": "", 519 "examples": [ 520 "Lorem ipsum dolor sit amet, consectetur adipiscing elit." 521 ] 522 }, 523 "evaluationSupportActivities": { 524 "title": "Evaluation support activities", 525 "description": "Additional support activities necessary to carry out the evaluation.", 526 "type": "string", 527 "default": "", 528 "examples": [ 529 "Lorem ipsum dolor sit amet, consectetur adipiscing elit." 530 ] 531 }, 532 "timePlanning": { 533 "title": "Time planning", 534 "description": "Effort estimation for each evaluation task.", 535 "type": "array", 536 "default": [], 537 "items": { 538 "type": "object", 539 "required": [ 540 "alias", 541 "name", 542 "estimatedEffort", 543 "resources", 544 "dependencies", 545 "justification", 546 "startDate", 547 "endDate" 548 ], 549 "properties": { 550 "alias": { 551 "title": "Alias", 552 "description": "Alias for the task.", 553 "type": "string", 554 "examples": ["ASE", "ATE"] 555 }, 556 "name": { 557 "title": "Name", 558 "description": "Brief description of the task", 559 "type": "string", 560 "examples": [ 561 "Security Target evaluation" 562 ] 563 }, 564 "estimatedEffort": { 565 "title": "Estimated effort", 566 "description": "Estimation of the number of effort days for the task.", 567 "type": "integer", 568 "examples": [20] 569 }, 570 "resources": { 571 "title": "Resources", 572 "description": "List of evaluator aliases that will participate in the assignment.", 573 "type": "array", 574 "items": { 575 "type": "string", 576 "examples": ["AGJ", "DAT"] 577 }, 578 "examples": [ 579 ["AGJ", "DAT"], 580 ["AGJ", "DAT"] 581 ] 582 }, 583 "dependencies": { 584 "title": "Dependencies", 585 "description": "List of tasks aliases that this task depends on.", 586 "type": "array", 587 "items": { 588 "type": "string", 589 "default": "", 590 "examples": ["ASE"] 591 }, 592 "examples": [[], ["ASE"]] 593 }, 594 "justification": { 595 "title": "Justification", 596 "description": "Justification for the estimated effort assigned for the task.", 597 "type": "string", 598 "examples": [ 599 "Lorem ipsum dolor sit amet, consectetur adipiscing elit." 600 ] 601 }, 602 "startDate": { 603 "title": "Start date", 604 "description": "When the task is going to start.", 605 "type": "string", 606 "format": "date", 607 "examples": ["2023-03-02"] 608 }, 609 "endDate": { 610 "title": "End date", 611 "description": "When the task is going to end.", 612 "type": "string", 613 "format": "date", 614 "examples": ["2023-10-03"] 615 } 616 }, 617 "examples": [ 618 { 619 "alias": "ASE", 620 "name": "Security Target evaluation", 621 "estimatedEffort": 20, 622 "resources": ["AGJ", "DAT"], 623 "dependencies": [], 624 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 625 "startDate": "2023-03-02", 626 "endDate": "2023-10-03" 627 }, 628 { 629 "alias": "ATE", 630 "name": "Security Target evaluation", 631 "estimatedEffort": 20, 632 "resources": ["AGJ", "DAT"], 633 "dependencies": ["ASE"], 634 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 635 "startDate": "2023-03-02", 636 "endDate": "2023-10-03" 637 } 638 ] 639 }, 640 "examples": [ 641 [ 642 { 643 "alias": "ASE", 644 "name": "Security Target evaluation", 645 "estimatedEffort": 20, 646 "resources": ["AGJ", "DAT"], 647 "dependencies": [], 648 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 649 "startDate": "2023-03-02", 650 "endDate": "2023-10-03" 651 }, 652 { 653 "alias": "ATE", 654 "name": "Security Target evaluation", 655 "estimatedEffort": 20, 656 "resources": ["AGJ", "DAT"], 657 "dependencies": ["ASE"], 658 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 659 "startDate": "2023-03-02", 660 "endDate": "2023-10-03" 661 } 662 ] 663 ] 664 } 665 }, 666 "examples": [ 667 { 668 "staff": [ 669 { 670 "alias": "DAT", 671 "name": "Darío", 672 "surname": "Abad Tarifa", 673 "bio": "Darío studied Computer Science...", 674 "projectInvolvement": "Darío will focus in AVA...", 675 "level": "L3" 676 }, 677 { 678 "alias": "AGJ", 679 "name": "Álvaro", 680 "surname": "García Jaén", 681 "bio": "Álvaro studied Computer Science...", 682 "projectInvolvement": "Darío will review the evidence generated by the ITSEF", 683 "level": "L3" 684 } 685 ], 686 "equipmentAndTestEnvironment": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 687 "itsefTechnicalQualification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 688 "trainingActions": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 689 "toolsDevelopment": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 690 "developerEvidence": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 691 "evaluationActivities": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 692 "evaluationMethodology": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 693 "evaluationSupportActivities": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 694 "timePlanning": [ 695 { 696 "alias": "ASE", 697 "name": "Security Target evaluation", 698 "estimatedEffort": 20, 699 "resources": ["AGJ", "DAT"], 700 "dependencies": [], 701 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 702 "startDate": "2023-03-02", 703 "endDate": "2023-10-03" 704 }, 705 { 706 "alias": "ATE", 707 "name": "Security Target evaluation", 708 "estimatedEffort": 20, 709 "resources": ["AGJ", "DAT"], 710 "dependencies": ["ASE"], 711 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 712 "startDate": "2023-03-02", 713 "endDate": "2023-10-03" 714 } 715 ] 716 } 717 ] 718 }, 719 "qualityPlan": { 720 "title": "Quality plan", 721 "description": "Any evaluation needs to be carried following a quality plan. This section describes/references the manual that is going to be followed during the evaluation to assure the necessary quality.", 722 "type": "string", 723 "default": "", 724 "examples": ["This is the Quality Plan"] 725 }, 726 "securityPlan": { 727 "title": "Security plan", 728 "description": "Any evaluation needs to be carried following a security plan. This section describes/references the manual that is going to be followed during the evaluation to assure the necessary security.", 729 "type": "string", 730 "default": "", 731 "examples": ["This is the Security Plan"] 732 }, 733 "acronyms": { 734 "title": "Acronyms", 735 "description": "In many cases, it is necessary to refer to different concepts or technologies by their acronyms. To avoid possible confusion and to make life easier for those readers who do not know the meaning of an abbreviation, it is necessary to include a field to indicate its meaning.", 736 "type": "array", 737 "default": [], 738 "items": { 739 "type": "object", 740 "required": ["acronym", "meaning"], 741 "properties": { 742 "acronym": { 743 "title": "Acronym", 744 "description": "Abbreviation.", 745 "type": "string", 746 "examples": [ 747 "PP", 748 "CC", 749 "TOE", 750 "TSF", 751 "TSFi", 752 "OSP", 753 "EAL", 754 "ST", 755 "IT" 756 ] 757 }, 758 "meaning": { 759 "title": "Meaning", 760 "description": "Meaning of the acronym.", 761 "type": "string", 762 "examples": [ 763 "Protection Profile", 764 "Common Criteria", 765 "Target of Evaluation", 766 "TOE Security Functionality", 767 "TSF interface", 768 "Organisational Security Policies", 769 "Evaluation Assurance Level", 770 "Security Target", 771 "Information Technology" 772 ] 773 } 774 }, 775 "examples": [ 776 { 777 "acronym": "PP", 778 "meaning": "Protection Profile" 779 }, 780 { 781 "acronym": "CC", 782 "meaning": "Common Criteria" 783 }, 784 { 785 "acronym": "TOE", 786 "meaning": "Target of Evaluation" 787 }, 788 { 789 "acronym": "TSF", 790 "meaning": "TOE Security Functionality" 791 }, 792 { 793 "acronym": "TSFi", 794 "meaning": "TSF interface" 795 }, 796 { 797 "acronym": "OSP", 798 "meaning": "Organisational Security Policies" 799 }, 800 { 801 "acronym": "EAL", 802 "meaning": "Evaluation Assurance Level" 803 }, 804 { 805 "acronym": "ST", 806 "meaning": "Security Target" 807 }, 808 { 809 "acronym": "IT", 810 "meaning": "Information Technology" 811 } 812 ] 813 }, 814 "examples": [ 815 [ 816 { 817 "acronym": "PP", 818 "meaning": "Protection Profile" 819 }, 820 { 821 "acronym": "CC", 822 "meaning": "Common Criteria" 823 }, 824 { 825 "acronym": "TOE", 826 "meaning": "Target of Evaluation" 827 }, 828 { 829 "acronym": "TSF", 830 "meaning": "TOE Security Functionality" 831 }, 832 { 833 "acronym": "TSFi", 834 "meaning": "TSF interface" 835 }, 836 { 837 "acronym": "OSP", 838 "meaning": "Organisational Security Policies" 839 }, 840 { 841 "acronym": "EAL", 842 "meaning": "Evaluation Assurance Level" 843 }, 844 { 845 "acronym": "ST", 846 "meaning": "Security Target" 847 }, 848 { 849 "acronym": "IT", 850 "meaning": "Information Technology" 851 } 852 ] 853 ] 854 }, 855 "documentReferences": { 856 "title": "Document references", 857 "description": "On many occasions, during the drafting of a document, reference is made to other documents. For this reason, a field is needed to collect the documents cited. The aim is to be able to reference them throughout the document with the same name to avoid inconsistencies, while the name and version are declared in this section.", 858 "type": "array", 859 "default": [], 860 "items": { 861 "type": "object", 862 "required": ["reference", "document"], 863 "properties": { 864 "reference": { 865 "title": "Reference", 866 "description": "Used document reference.", 867 "type": "string", 868 "examples": [ 869 "CC31R5P1", 870 "CC31R5P2", 871 "CC31R5P3", 872 "CEM31R5P3", 873 "PRE-2740-2007", 874 "INT10", 875 "EVIDENCELIST", 876 "ORLIST", 877 "ASE", 878 "AGD", 879 "ADV", 880 "ALC", 881 "ATE", 882 "AVA", 883 "VA", 884 "PT", 885 "TP", 886 "TS" 887 ] 888 }, 889 "document": { 890 "title": "Document", 891 "description": "Title and version of the referenced document.", 892 "type": "string", 893 "examples": [ 894 "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 1: Introduction and general model", 895 "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 2: Security functional components", 896 "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 3: Security assurance components", 897 "Common Criteria Evaluation methodology, Version 3.1, Revision 5", 898 "Reglamento de Evaluación y Certificación de la Seguridad de las Tecnologías de la Información 19/09/2007", 899 "Organismo de Certificación. Centro Criptológico Nacional. Evaluación de la clase ASE en Common Criteria v0.6", 900 "Evidence List last version", 901 "Observation Report list last version", 902 "ASE Evaluation partial report last version", 903 "AGD Evaluation partial report last version", 904 "ADV Evaluation partial report last version", 905 "ALC Evaluation partial report last version", 906 "ATE Evaluation partial report last version", 907 "AVA Evaluation partial report last version", 908 "Vulnerability Analysis last version", 909 "Pentest Plan and Report last version", 910 "Independent Test Plan and Report last version", 911 "Test Scenarios last version" 912 ] 913 } 914 }, 915 "examples": [ 916 { 917 "reference": "CC31R5P1", 918 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 1: Introduction and general model" 919 }, 920 { 921 "reference": "CC31R5P2", 922 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 2: Security functional components" 923 }, 924 { 925 "reference": "CC31R5P3", 926 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 3: Security assurance components" 927 }, 928 { 929 "reference": "CEM31R5P3", 930 "document": "Common Criteria Evaluation methodology, Version 3.1, Revision 5" 931 }, 932 { 933 "reference": "PRE-2740-2007", 934 "document": "Reglamento de Evaluación y Certificación de la Seguridad de las Tecnologías de la Información 19/09/2007" 935 }, 936 { 937 "reference": "INT10", 938 "document": "Organismo de Certificación. Centro Criptológico Nacional. Evaluación de la clase ASE en Common Criteria v0.6" 939 }, 940 { 941 "reference": "EVIDENCELIST", 942 "document": "Evidence List last version" 943 }, 944 { 945 "reference": "ORLIST", 946 "document": "Observation Report list last version" 947 }, 948 { 949 "reference": "ASE", 950 "document": "ASE Evaluation partial report last version" 951 }, 952 { 953 "reference": "AGD", 954 "document": "AGD Evaluation partial report last version" 955 }, 956 { 957 "reference": "ADV", 958 "document": "ADV Evaluation partial report last version" 959 }, 960 { 961 "reference": "ALC", 962 "document": "ALC Evaluation partial report last version" 963 }, 964 { 965 "reference": "ATE", 966 "document": "ATE Evaluation partial report last version" 967 }, 968 { 969 "reference": "AVA", 970 "document": "AVA Evaluation partial report last version" 971 }, 972 { 973 "reference": "VA", 974 "document": "Vulnerability Analysis last version" 975 }, 976 { 977 "reference": "PT", 978 "document": "Pentest Plan and Report last version" 979 }, 980 { 981 "reference": "TP", 982 "document": "Independent Test Plan and Report last version" 983 }, 984 { 985 "reference": "TS", 986 "document": "Test Scenarios last version" 987 } 988 ] 989 }, 990 "examples": [ 991 [ 992 { 993 "reference": "CC31R5P1", 994 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 1: Introduction and general model" 995 }, 996 { 997 "reference": "CC31R5P2", 998 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 2: Security functional components" 999 }, 1000 { 1001 "reference": "CC31R5P3", 1002 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 3: Security assurance components" 1003 }, 1004 { 1005 "reference": "CEM31R5P3", 1006 "document": "Common Criteria Evaluation methodology, Version 3.1, Revision 5" 1007 }, 1008 { 1009 "reference": "PRE-2740-2007", 1010 "document": "Reglamento de Evaluación y Certificación de la Seguridad de las Tecnologías de la Información 19/09/2007" 1011 }, 1012 { 1013 "reference": "INT10", 1014 "document": "Organismo de Certificación. Centro Criptológico Nacional. Evaluación de la clase ASE en Common Criteria v0.6" 1015 }, 1016 { 1017 "reference": "EVIDENCELIST", 1018 "document": "Evidence List last version" 1019 }, 1020 { 1021 "reference": "ORLIST", 1022 "document": "Observation Report list last version" 1023 }, 1024 { 1025 "reference": "ASE", 1026 "document": "ASE Evaluation partial report last version" 1027 }, 1028 { 1029 "reference": "AGD", 1030 "document": "AGD Evaluation partial report last version" 1031 }, 1032 { 1033 "reference": "ADV", 1034 "document": "ADV Evaluation partial report last version" 1035 }, 1036 { 1037 "reference": "ALC", 1038 "document": "ALC Evaluation partial report last version" 1039 }, 1040 { 1041 "reference": "ATE", 1042 "document": "ATE Evaluation partial report last version" 1043 }, 1044 { 1045 "reference": "AVA", 1046 "document": "AVA Evaluation partial report last version" 1047 }, 1048 { 1049 "reference": "VA", 1050 "document": "Vulnerability Analysis last version" 1051 }, 1052 { 1053 "reference": "PT", 1054 "document": "Pentest Plan and Report last version" 1055 }, 1056 { 1057 "reference": "TP", 1058 "document": "Independent Test Plan and Report last version" 1059 }, 1060 { 1061 "reference": "TS", 1062 "document": "Test Scenarios last version" 1063 } 1064 ] 1065 ] 1066 } 1067 }, 1068 "examples": [ 1069 { 1070 "changelog": [ 1071 { 1072 "version": "1.0", 1073 "date": "2021-11-18", 1074 "authors": ["AGJ"], 1075 "reason": "Initial version", 1076 "changes": ["Creation of the document"] 1077 }, 1078 { 1079 "version": "2.0", 1080 "date": "2021-11-19", 1081 "authors": ["AGJ"], 1082 "changes": [ 1083 "New evaluator added to the evaluation plan." 1084 ], 1085 "reason": "Update" 1086 } 1087 ], 1088 "information": { 1089 "dossierCode": "2021-001", 1090 "authors": ["AGJ", "DAT"], 1091 "reviewedBy": "JTG", 1092 "approvedBy": "JTG", 1093 "signature": "SlRTRUNCRVlPTkRJVFNFQ1VSSVRZU0wK", 1094 "projectCode": "CC_MANUFACTURER_PROJECT" 1095 }, 1096 "definitions": [ 1097 { 1098 "term": "Operational environment", 1099 "meaning": "Environemt where the TOE operates." 1100 }, 1101 { 1102 "term": "Target Of Evaluation", 1103 "meaning": "Software, firmware and/or hardware under evaluation." 1104 } 1105 ], 1106 "productDescription": { 1107 "generalProductFeatures": "This is the general product features.", 1108 "securityProductFeatures": [ 1109 { 1110 "sf": "FAU", 1111 "description": "This is the description of the FAU security function" 1112 }, 1113 { 1114 "sf": "FCS", 1115 "description": "This is the description of the FCS security function" 1116 } 1117 ] 1118 }, 1119 "resources": { 1120 "staff": [ 1121 { 1122 "alias": "DAT", 1123 "name": "Darío", 1124 "surname": "Abad Tarifa", 1125 "bio": "Darío studied Computer Science...", 1126 "projectInvolvement": "Darío will focus in AVA...", 1127 "level": "L3" 1128 }, 1129 { 1130 "alias": "AGJ", 1131 "name": "Álvaro", 1132 "surname": "García Jaén", 1133 "bio": "Álvaro studied Computer Science...", 1134 "projectInvolvement": "Darío will review the evidence generated by the ITSEF", 1135 "level": "L3" 1136 } 1137 ], 1138 "equipmentAndTestEnvironment": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1139 "itsefTechnicalQualification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1140 "trainingActions": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1141 "toolsDevelopment": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1142 "developerEvidence": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1143 "evaluationActivities": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1144 "evaluationMethodology": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1145 "evaluationSupportActivities": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1146 "timePlanning": [ 1147 { 1148 "alias": "ASE", 1149 "name": "Security Target evaluation", 1150 "estimatedEffort": 20, 1151 "resources": ["AGJ", "DAT"], 1152 "dependencies": [], 1153 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1154 "startDate": "2023-03-02", 1155 "endDate": "2023-10-03" 1156 }, 1157 { 1158 "alias": "ATE", 1159 "name": "Security Target evaluation", 1160 "estimatedEffort": 20, 1161 "resources": ["AGJ", "DAT"], 1162 "dependencies": ["ASE"], 1163 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1164 "startDate": "2023-03-02", 1165 "endDate": "2023-10-03" 1166 } 1167 ] 1168 }, 1169 "qualityPlan": "This is the Quality Plan", 1170 "securityPlan": "This is the Security Plan", 1171 "acronyms": [ 1172 { 1173 "acronym": "PP", 1174 "meaning": "Protection Profile" 1175 }, 1176 { 1177 "acronym": "CC", 1178 "meaning": "Common Criteria" 1179 }, 1180 { 1181 "acronym": "TOE", 1182 "meaning": "Target of Evaluation" 1183 }, 1184 { 1185 "acronym": "TSF", 1186 "meaning": "TOE Security Functionality" 1187 }, 1188 { 1189 "acronym": "TSFi", 1190 "meaning": "TSF interface" 1191 }, 1192 { 1193 "acronym": "OSP", 1194 "meaning": "Organisational Security Policies" 1195 }, 1196 { 1197 "acronym": "EAL", 1198 "meaning": "Evaluation Assurance Level" 1199 }, 1200 { 1201 "acronym": "ST", 1202 "meaning": "Security Target" 1203 }, 1204 { 1205 "acronym": "IT", 1206 "meaning": "Information Technology" 1207 } 1208 ], 1209 "documentReferences": [ 1210 { 1211 "reference": "CC31R5P1", 1212 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 1: Introduction and general model" 1213 }, 1214 { 1215 "reference": "CC31R5P2", 1216 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 2: Security functional components" 1217 }, 1218 { 1219 "reference": "CC31R5P3", 1220 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 3: Security assurance components" 1221 }, 1222 { 1223 "reference": "CEM31R5P3", 1224 "document": "Common Criteria Evaluation methodology, Version 3.1, Revision 5" 1225 }, 1226 { 1227 "reference": "PRE-2740-2007", 1228 "document": "Reglamento de Evaluación y Certificación de la Seguridad de las Tecnologías de la Información 19/09/2007" 1229 }, 1230 { 1231 "reference": "INT10", 1232 "document": "Organismo de Certificación. Centro Criptológico Nacional. Evaluación de la clase ASE en Common Criteria v0.6" 1233 }, 1234 { 1235 "reference": "EVIDENCELIST", 1236 "document": "Evidence List last version" 1237 }, 1238 { 1239 "reference": "ORLIST", 1240 "document": "Observation Report list last version" 1241 }, 1242 { 1243 "reference": "ASE", 1244 "document": "ASE Evaluation partial report last version" 1245 }, 1246 { 1247 "reference": "AGD", 1248 "document": "AGD Evaluation partial report last version" 1249 }, 1250 { 1251 "reference": "ADV", 1252 "document": "ADV Evaluation partial report last version" 1253 }, 1254 { 1255 "reference": "ALC", 1256 "document": "ALC Evaluation partial report last version" 1257 }, 1258 { 1259 "reference": "ATE", 1260 "document": "ATE Evaluation partial report last version" 1261 }, 1262 { 1263 "reference": "AVA", 1264 "document": "AVA Evaluation partial report last version" 1265 }, 1266 { 1267 "reference": "VA", 1268 "document": "Vulnerability Analysis last version" 1269 }, 1270 { 1271 "reference": "PT", 1272 "document": "Pentest Plan and Report last version" 1273 }, 1274 { 1275 "reference": "TP", 1276 "document": "Independent Test Plan and Report last version" 1277 }, 1278 { 1279 "reference": "TS", 1280 "document": "Test Scenarios last version" 1281 } 1282 ] 1283 } 1284 ] 1285 } 1286 }, 1287 "examples": [ 1288 { 1289 "ep": { 1290 "changelog": [ 1291 { 1292 "version": "1.0", 1293 "date": "2021-11-18", 1294 "authors": ["AGJ"], 1295 "reason": "Initial version", 1296 "changes": ["Creation of the document"] 1297 }, 1298 { 1299 "version": "2.0", 1300 "date": "2021-11-19", 1301 "authors": ["AGJ"], 1302 "changes": [ 1303 "New evaluator added to the evaluation plan." 1304 ], 1305 "reason": "Update" 1306 } 1307 ], 1308 "information": { 1309 "dossierCode": "2021-001", 1310 "authors": ["AGJ", "DAT"], 1311 "reviewedBy": "JTG", 1312 "approvedBy": "JTG", 1313 "signature": "SlRTRUNCRVlPTkRJVFNFQ1VSSVRZU0wK", 1314 "projectCode": "CC_MANUFACTURER_PROJECT" 1315 }, 1316 "definitions": [ 1317 { 1318 "term": "Operational environment", 1319 "meaning": "Environemt where the TOE operates." 1320 }, 1321 { 1322 "term": "Target Of Evaluation", 1323 "meaning": "Software, firmware and/or hardware under evaluation." 1324 } 1325 ], 1326 "productDescription": { 1327 "generalProductFeatures": "This is the general product features.", 1328 "securityProductFeatures": [ 1329 { 1330 "sf": "FAU", 1331 "description": "This is the description of the FAU security function" 1332 }, 1333 { 1334 "sf": "FCS", 1335 "description": "This is the description of the FCS security function" 1336 } 1337 ] 1338 }, 1339 "resources": { 1340 "staff": [ 1341 { 1342 "alias": "DAT", 1343 "name": "Darío", 1344 "surname": "Abad Tarifa", 1345 "bio": "Darío studied Computer Science...", 1346 "projectInvolvement": "Darío will focus in AVA...", 1347 "level": "L3" 1348 }, 1349 { 1350 "alias": "AGJ", 1351 "name": "Álvaro", 1352 "surname": "García Jaén", 1353 "bio": "Álvaro studied Computer Science...", 1354 "projectInvolvement": "Darío will review the evidence generated by the ITSEF", 1355 "level": "L3" 1356 } 1357 ], 1358 "equipmentAndTestEnvironment": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1359 "itsefTechnicalQualification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1360 "trainingActions": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1361 "toolsDevelopment": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1362 "developerEvidence": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1363 "evaluationActivities": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1364 "evaluationMethodology": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1365 "evaluationSupportActivities": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1366 "timePlanning": [ 1367 { 1368 "alias": "ASE", 1369 "name": "Security Target evaluation", 1370 "estimatedEffort": 20, 1371 "resources": ["AGJ", "DAT"], 1372 "dependencies": [], 1373 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1374 "startDate": "2023-03-02", 1375 "endDate": "2023-10-03" 1376 }, 1377 { 1378 "alias": "ATE", 1379 "name": "Security Target evaluation", 1380 "estimatedEffort": 20, 1381 "resources": ["AGJ", "DAT"], 1382 "dependencies": ["ASE"], 1383 "justification": "Lorem ipsum dolor sit amet, consectetur adipiscing elit.", 1384 "startDate": "2023-03-02", 1385 "endDate": "2023-10-03" 1386 } 1387 ] 1388 }, 1389 "qualityPlan": "This is the Quality Plan", 1390 "securityPlan": "This is the Security Plan", 1391 "acronyms": [ 1392 { 1393 "acronym": "PP", 1394 "meaning": "Protection Profile" 1395 }, 1396 { 1397 "acronym": "CC", 1398 "meaning": "Common Criteria" 1399 }, 1400 { 1401 "acronym": "TOE", 1402 "meaning": "Target of Evaluation" 1403 }, 1404 { 1405 "acronym": "TSF", 1406 "meaning": "TOE Security Functionality" 1407 }, 1408 { 1409 "acronym": "TSFi", 1410 "meaning": "TSF interface" 1411 }, 1412 { 1413 "acronym": "OSP", 1414 "meaning": "Organisational Security Policies" 1415 }, 1416 { 1417 "acronym": "EAL", 1418 "meaning": "Evaluation Assurance Level" 1419 }, 1420 { 1421 "acronym": "ST", 1422 "meaning": "Security Target" 1423 }, 1424 { 1425 "acronym": "IT", 1426 "meaning": "Information Technology" 1427 } 1428 ], 1429 "documentReferences": [ 1430 { 1431 "reference": "CC31R5P1", 1432 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 1: Introduction and general model" 1433 }, 1434 { 1435 "reference": "CC31R5P2", 1436 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 2: Security functional components" 1437 }, 1438 { 1439 "reference": "CC31R5P3", 1440 "document": "Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, Part 3: Security assurance components" 1441 }, 1442 { 1443 "reference": "CEM31R5P3", 1444 "document": "Common Criteria Evaluation methodology, Version 3.1, Revision 5" 1445 }, 1446 { 1447 "reference": "PRE-2740-2007", 1448 "document": "Reglamento de Evaluación y Certificación de la Seguridad de las Tecnologías de la Información 19/09/2007" 1449 }, 1450 { 1451 "reference": "INT10", 1452 "document": "Organismo de Certificación. Centro Criptológico Nacional. Evaluación de la clase ASE en Common Criteria v0.6" 1453 }, 1454 { 1455 "reference": "EVIDENCELIST", 1456 "document": "Evidence List last version" 1457 }, 1458 { 1459 "reference": "ORLIST", 1460 "document": "Observation Report list last version" 1461 }, 1462 { 1463 "reference": "ASE", 1464 "document": "ASE Evaluation partial report last version" 1465 }, 1466 { 1467 "reference": "AGD", 1468 "document": "AGD Evaluation partial report last version" 1469 }, 1470 { 1471 "reference": "ADV", 1472 "document": "ADV Evaluation partial report last version" 1473 }, 1474 { 1475 "reference": "ALC", 1476 "document": "ALC Evaluation partial report last version" 1477 }, 1478 { 1479 "reference": "ATE", 1480 "document": "ATE Evaluation partial report last version" 1481 }, 1482 { 1483 "reference": "AVA", 1484 "document": "AVA Evaluation partial report last version" 1485 }, 1486 { 1487 "reference": "VA", 1488 "document": "Vulnerability Analysis last version" 1489 }, 1490 { 1491 "reference": "PT", 1492 "document": "Pentest Plan and Report last version" 1493 }, 1494 { 1495 "reference": "TP", 1496 "document": "Independent Test Plan and Report last version" 1497 }, 1498 { 1499 "reference": "TS", 1500 "document": "Test Scenarios last version" 1501 } 1502 ] 1503 } 1504 } 1505 ] 1506 }