1.0 Access and Browse Database for CC Security Components SRS-001

System requirement specification

As a General User, I want to access and browse the database so that I can identify Common Criteria Security Components relevant to my project.

Assuming I am logged in as an authorized user:

  1. I access the database containing the CC Security Components.
  2. Then I should be able to see the Security Class Types: Assurance and Functional.
  3. When I select a Security Class Type the list of all respective Security Classes is displayed.
  4. Then I should be able to return to the Security Class Type selection (see Step 5) or to select a Security Class (see Step 6).
  5. When I return to the Security Class Type selection, I resume at Step 2.
  6. When I select a Security Class, I should be able to see the content of the Security Class, and the list of Security Families pertaining to that Security Class.
  7. Then I should be able to return to the list of Security Classes (see Step 8) or select a Security Family (see Step 9).
  8. When I return to the list of Security Classes, I resume at Step 4.
  9. Repeat Steps 5 to 7 traversing the hierarchical structure until a Security Requirement is reached.
  10. At any time I am able to exit the database.

Acceptance criteria

  • General User can access the database.
  • General User can view and traverse the Common Criteria Security Components in their hierarchical structure.
  • General User can view content of each Security Component element.
  • General User can access detailed information about each Security Component Element such as hierarchies, dependencies, and parent-child relations.
  • General User can exit the database at any time.

Parent links: MRS-030, MRS-036

Child links: TST-001 Test accessing and browsing the CC Database

Attribute Value
author Heinrich
acceptance see above
date 13.09.2023
status In Progress
importance 5
urgency 5
risk 1
outlay 2
type F
rationale Security Components are of core relevance in the CC process. Efficient browsing of these will significantly ease the process of identifying Security Components appropriate for the project.
version 0.1

2.0 Access and Navigation Through Knowledge Base SRS-014

System requirement specification

As a General User, I want to access and navigate through the Knowledge Base so that I can effortlessly locate and explore information relevant to my needs. Assuming I am on the Knowledge Base landing page:

  1. I access the Knowledge Base interface.
  2. Then I should see different sections/categories of the Knowledge Base.
  3. When I select a section, a list of relevant articles or topics is displayed.
  4. I can select an article or topic to view more details.
  5. I can navigate back to the previous article or to other sections at any point.
  6. At any time, I can exit the Knowledge Base.

Acceptance criteria

  • General User can access the Knowledge Base.
  • General User can view various sections or categories in the KB.
  • General User can view articles or topics under a selected section.
  • General User can navigate through articles and sections and exit at any time.

Parent links: MRS-032, MRS-039

Child links: TST-005 Test navigating the Knowledge Base

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status In Progress
importance 4
urgency 3
risk 1
outlay 3
type F
rationale Facilitating smooth access and navigation through the KB ensures that users can explore and understand the Common Criteria with ease, promoting effective usage of the provided information.
version 0.2

3.0 Comprehensive and User-Friendly Explanations SRS-015

System requirement specification

As a General User, I want to read comprehensive and user-friendly explanations of technical terms and concepts so that I can understand the Common Criteria without specialized prior knowledge.

Assuming I am viewing an Article in the Knowledge Base:

  1. When I encounter a technical term or acronym, it should be clearly defined or explained in layman’s terms.
  2. Optionally, a link to a detailed explanation or dedicated page for the term/acronym is available.
  3. I can navigate to this detailed explanation Article, if available, and return to the original content.

Acceptance criteria

  • Technical terms and acronyms within articles are clearly defined or explained.
  • Detailed explanation pages or dedicated pages are optionally available and accessible.

Parent links: MRS-032, MRS-039

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status In Progress
importance 4
urgency 3
risk 1
outlay 2
type F
rationale Providing user-friendly explanations will demystify the complex language of the Common Criteria, making it accessible and understandable to a wider audience.
version 0.2

4.0 Interconnected Framework and Seamless Navigation SRS-016

System requirement specification

As a General User, I want to traverse through interconnected Articles effortlessly via cross-references and hyperlinks, in markdown or exported HTML format, so that I can explore related concepts without difficulty.

Assuming I am viewing a Knowledge Article in the Knowledge Base:

  1. I see hyperlinks or cross-references that guide me to related topics or articles, regardless of viewing format (markdown/HTML).
  2. Clicking a hyperlink navigates me to the related topic or article with no broken links encountered.
  3. If a linked article is not available, the hyperlink directs me to a standard placeholder article that communicates the upcoming availability of the desired content.
  4. I can easily navigate back to the initial article or to other interconnected topics, with a clear and user-friendly navigation path.

Acceptance criteria

  • General User can navigate seamlessly between interconnected topics via cross-references and hyperlinks, both in markdown and exported HTML format.
  • No broken links are present, ensuring a consistent user experience and unhindered navigation.
  • Links leading to not-yet-available content direct users to a standard placeholder article, ensuring a consistent and clear message regarding upcoming content.
  • User can return to the initial KA or navigate to related articles easily, with clear paths to navigate back or explore further.

Parent links: MRS-032, MRS-039

Child links: TST-006 Test comprehensiveness of Knowledge Base, TST-007 Test interconnection of Knowledge Base

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status In Progress
importance 4
urgency 3
risk 1
outlay 3
type F
rationale A seamless and interconnected navigation system, which includes guidance to upcoming content via a standard placeholder, ensures a clear, consistent, and enriching user experience throughout the KB in both markdown and HTML formats.
version 0.3

5.0 Availability of Pragmatic Guidance and Best Practices SRS-017

System requirement specification

As a General User, I want to access pragmatic guidance and best practices in the Knowledge Base so that I can effectively implement the Common Criteria's requisites in a practical manner.

Assuming I am viewing an article or topic in the Knowledge Base:

  1. The content includes actionable guidance and best practices related to the topic.
  2. The guidance is presented in a user-friendly manner, offering tangible steps or advice.
  3. I can navigate to related topics for additional information and guidance.

Acceptance criteria

  • Articles contain actionable guidance and best practices for implementing the Common Criteria.
  • The guidance provided is pragmatic, offering step-by-step instructions or tangible advice for application.

Parent links: MRS-032, MRS-039

Child links: TST-008 Test currency of Knowledge Base

Attribute Value
author Heinrich
acceptance see above
date 13.09.2023
status In Progress
importance 4
urgency 3
risk 1
outlay 3
type F
rationale Facilitating users with pragmatic guidance and best practices assists them in effectively implementing the Common Criteria, bridging the gap between theory and practical application, and enhancing organizational security practices.
version 0.2

6.0 Continuous Updates and Assurance of Current Information SRS-018

System requirement specification

As a General User, I want assurance that the information in the Knowledge Base is up-to-date and relevant to specific CC versions, so that I can trust and effectively utilize the provided insights.

Assuming I am viewing an article or topic in the Knowledge Base:

  1. I can see a timestamp or revision history indicating the last update or revision date.
  2. The content reflects the most current information of the Common Criteria.
  3. The articles or topics are reviewed and updated with each new release of the Common Criteria.
  4. The relevant CC version(s) are clearly indicated on the articles or within general sections of the Knowledge Base.

Acceptance criteria

  • The Knowledge Base articles are reviewed and updated with each new issuance of the Common Criteria.
  • A revision history or last-updated timestamp is visible to users to ensure transparency regarding the currency of the information.
  • Each article or general section of the Knowledge Base clearly states the version(s) of the Common Criteria it is relevant to.

Parent links: MRS-032, MRS-039

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status In Progress
importance 4
urgency 3
risk 1
outlay 2
type F
rationale Ensuring that the Knowledge Base reflects the most recent information of the Common Criteria guarantees users access to the most relevant and applicable insights.
version 0.2

7.0 Integration of Multimedia Elements in Knowledge Articles SRS-019

System requirement specification

As a Content Developer, I want to integrate multimedia elements in Knowledge Articles, so that I can enhance the learning and user experience.

  1. When creating or editing a Knowledge Article, I should have the ability to embed multimedia elements such as images, videos, and interactive diagrams.
  2. Then, these multimedia elements should be accessible and interactable (if applicable) when viewing through markdown editors and in the exported HTML format.
  3. I should also be able to provide alternative descriptions for multimedia elements to ensure accessibility.

Acceptance criteria

  • Multimedia elements such as images, videos, and interactive diagrams are embeddable in the Knowledge Articles.
  • Users can access and interact (if applicable) with the multimedia elements when viewing through markdown editors and in the exported HTML format.
  • Alternative descriptions for multimedia elements are present and accurately describe the content or function of the media.

Parent links: MRS-032

Child links: TST-009 Test cosmetic features of Knowledge Base

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
dependence ['SRS-014']
status Not Started
importance 2
urgency 1
risk 1
outlay 3
type F
rationale Embedding multimedia elements enhances learning experiences by catering to various learning styles and enriching textual content, thus increasing user engagement and understanding.
version 0.1

8.0 Integrating Links to FAQ Section SRS-020

System requirement specification

As a General User, I want to have direct access to a relevant FAQ section from Knowledge Articles, so that I can swiftly find concise answers to related questions.

  1. While reading a Knowledge Article, I should encounter links that direct me to an FAQ section.
  2. These links should be contextually relevant and provide additional, succinct information pertaining to the content being read.
  3. Links should direct users to a placeholder page if the FAQ section is not yet developed or available.

Acceptance criteria

  • Users can access an internal or external FAQ section via links embedded within the Knowledge Articles.
  • Links to the FAQ section are relevant, accurate and guide users toward information pertinent to the Knowledge Article's context.

Parent links: MRS-032, MRS-040

Child links: TST-009 Test cosmetic features of Knowledge Base

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
dependence ['SRS-014']
status Not Started
importance 2
urgency 2
risk 1
outlay 2
type F
rationale Providing direct links to an FAQ section allows users to quickly access concise, straightforward answers to potential queries, enhancing user efficiency and satisfaction in interacting with the platform.
version 0.1

9.0 Provision of General Link to a CC-Specific Forum SRS-021

System requirement specification

As a General User, I want a straightforward way to access a CC-specific forum from the Knowledge Base, so that I can explore, contribute to, and learn from discussions and interactions within a community of CC practitioners and experts.

  1. When I am on the main page or any part of the Knowledge Base, I should easily identify and access a link that navigates to a CC-specific forum.
  2. The link directs me to a forum where I can view and participate in discussions related to the Common Criteria.

Acceptance criteria

  • A prominently visible link to a CC-specific forum is available on the main page or navigation bar of the Knowledge Base.
  • Users can effortlessly navigate to the forum to participate in or view discussions related to CC topics.

Parent links: MRS-032, MRS-040

Child links: TST-009 Test cosmetic features of Knowledge Base

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
dependence ['SRS-014']
status Not Started
importance 2
urgency 2
risk 1
outlay 1
type F
rationale A CC-specific forum enhances user engagement and community interaction by providing a platform for discussions, knowledge-sharing, and collaborative problem-solving related to Common Criteria, without overcomplicating the navigation within the Knowledge Base.
version 0.1

10 Data Storage and Format Mapping SRS-022

System requirement specification

As a System, ensure that the CC data model is stored in a format that maintains a mapping to the available CC XML-file and can be validated against the corresponding DTD file while preserving semantic relationships between CC concepts.

Acceptance criteria

  • The System is able to store the CC data model in a specific format.
  • The stored format maintains a mapping to the available CC XML-file.
  • The System can validate the stored data against the corresponding DTD file.
  • The System preserves semantic relationships between CC concepts during storage and retrieval.

Parent links: MRS-032, MRS-037

Child links: TST-010 Inspect CC Database-DTD mapping, TST-011 Test correctness of CC Database, TST-012 Test validity and consistency of bidirectional transformation

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status In Progress
importance 4
urgency 1
risk 3
outlay 3
type F
rationale Ensuring that the CC data model is stored and mapped accurately in a format that can be validated against the DTD file and maintains semantic relationships is critical for the integrity, reliability, and usability of the CC data. Accurate data storage and mapping are essential for ensuring that CC data retrieval, modification, and usage within the system are correct and reliable.
version 1.0

11 Bidirectional Transformation and Consistency SRS-023

System requirement specification

As a Data Administrator/General User, I want the system to ensure the automatic transformation of content from and to the CC defined XML format, so that I can trust that the data remains consistent and coherent across all stored data and representations, ensuring that data retrievals, modifications, and other interactions with the data are reliable and accurate.

Acceptance criteria

  • The system can successfully transform content from CC defined XML format to an internal representation.
  • The system can transform content from the internal representation back to the CC defined XML format.
  • Consistency and coherence of the stored data and representations are maintained during transformations.
  • Data transformations adhere to the defined mappings and respect the structural and semantic integrity of the original CC XML format.
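A round-trip check of the kind these criteria call for, as an added example that is not the project's own code: it converts XML to an internal dict and back, then compares canonical (C14N) forms so that formatting differences are ignored but lost content is caught. The element and attribute names in the sample are hypothetical and do not reproduce the real CC XML schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample; tag and attribute names are hypothetical.
SAMPLE_XML = """<class id="FAU" name="Security audit">
  <family id="FAU_GEN" name="Security audit data generation">
    <component id="FAU_GEN.1" name="Audit data generation">
      <dependency ref="FPT_STM.1"/>
    </component>
  </family>
</class>"""


def to_internal(elem):
    """XML element -> plain dict (the internal representation in this sketch)."""
    return {
        "tag": elem.tag,
        "attrs": dict(elem.attrib),
        "text": (elem.text or "").strip(),
        "children": [to_internal(child) for child in elem],
    }


def to_xml(node):
    """Internal dict -> XML element (inverse of to_internal)."""
    elem = ET.Element(node["tag"], node["attrs"])
    if node["text"]:
        elem.text = node["text"]
    for child in node["children"]:
        elem.append(to_xml(child))
    return elem


def lossy_to_internal(elem):
    """Deliberately broken mapping that silently drops <dependency> elements."""
    node = to_internal(elem)
    node["children"] = [lossy_to_internal(c) for c in elem if c.tag != "dependency"]
    return node


def canonical(xml_text):
    """C14N form: attribute order and insignificant whitespace are normalised."""
    return ET.canonicalize(xml_data=xml_text, strip_text=True)


def round_trip_ok(xml_text, forward=to_internal, backward=to_xml):
    """True if XML -> internal -> XML reproduces the same canonical document."""
    rebuilt = backward(forward(ET.fromstring(xml_text)))
    rebuilt_text = ET.tostring(rebuilt, encoding="unicode")
    return canonical(rebuilt_text) == canonical(xml_text)


if __name__ == "__main__":
    print("faithful mapping:", round_trip_ok(SAMPLE_XML))
    print("lossy mapping:   ", round_trip_ok(SAMPLE_XML, forward=lossy_to_internal))
```
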

Parent links: MRS-032, MRS-038

Child links: TST-012 Test validity and consistency of bidirectional transformation

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status In Progress
importance 3
urgency 1
risk 3
outlay 4
type F
rationale The ability to perform bidirectional transformations between the internal data representation and the CC defined XML format is crucial to facilitate data exchanges and modifications while maintaining data integrity and consistency. Ensuring that the transformation processes are accurate and coherent safeguards the quality and reliability of the stored Common Criteria data, supporting its effective usage and application.
version 1.0

12 Threats, Risks, and Countermeasures Database SRS-024

System requirement specification

As a General User, I want the system to provide a database that encompasses generic threats, risks, and countermeasures, so that I can leverage a comprehensive and integrated source of security-related data that assimilates content from BSI Grundschutz, ISO 27005, NIST SPs, and the CC, ensuring diverse and standards-compliant support for dealing with security considerations in varied contexts.

  1. TBD

Acceptance criteria

  • The System provides a database that includes generic threats, risks, and countermeasures.
  • The database can integrate content from BSI Grundschutz, ISO 27005, NIST SPs, and the CC.

Parent links: MRS-041, MRS-042

Child links: TST-013 Test threats, risks, and countermeasures database

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status Open
importance 4
urgency 2
risk 1
outlay 4
type F
rationale Maintaining a database that encompasses and integrates diverse and generic threats, risks, and countermeasures from different standardized sources (like BSI Grundschutz, ISO 27005, NIST SPs, and the CC) ensures that the system can provide a comprehensive and standards-compliant set of data for users or other system components dealing with security-related aspects. This centralized and integrated approach facilitates streamlined, consistent, and efficient handling and mitigation of security-related concerns.
version 1.0

13 Support Mechanism for EUCC Additional Evaluation Evidence SRS-025

System requirement specification

As a Security Evaluator, I want the system to implement a support mechanism that assists in generating additional evaluation evidence and provides guides for tailoring existing evaluation evidence, so that I can ensure that all produced evidence is conformant with EUCC requirements and navigate the EUCC evaluation process effectively and efficiently.

  1. TBA

Acceptance criteria

  • The System implements a mechanism that assists in generating additional evaluation evidence as required by the EUCC.
  • The System provides guides that assist in tailoring existing evaluation evidence to be conformant with EUCC requirements.

Parent links: MRS-044

Child links: TST-014 Test EUCC support

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status Open
importance 3
urgency 1
risk 1
outlay 4
type F
rationale Implementing a support mechanism that assists in generating additional evaluation evidence and guides for tailoring existing evidence to conform with EUCC requirements ensures that the system adheres to relevant regulatory standards and efficiently navigates the EUCC evaluation process. This not only fosters compliance and mitigates regulatory risks but also enhances the robustness and credibility of the system by aligning it with established European cybersecurity standards and practices.
version 1.0

14 Storing Generic Security Objectives of CSA Article 51 SRS-026

System requirement specification

As a Security Analyst, I want the system to store and provide accessibility to the generic Security Objectives defined by Article 51 of the CSA, so that I can efficiently retrieve, analyze, and utilize these objectives for compliance, evaluation, and management processes in a manner that is interoperable with both human and automated (machine) activities and assessments.

  1. TBD.

Acceptance criteria

  • The System stores generic Security Objectives as defined by Article 51 of the CSA.
  • The stored Security Objectives are in a structured format.
  • The stored Security Objectives are accessible and readable by both humans and machines.

Parent links: MRS-045

Child links: TST-015 Test availability of CSA Article 51 defined Security Objectives

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status Open
importance 3
urgency 1
risk 1
outlay 3
type F
rationale Ensuring the storage and accessibility of generic Security Objectives as defined by Article 51 of the CSA in a structured, human, and machine-readable format enables efficient retrieval, analysis, and utilization of the objectives for various purposes such as compliance checks, threat modeling, or security analysis. This supports maintaining alignment with regulatory requirements and fosters a standardized approach towards handling and considering CSA-defined security objectives in cybersecurity evaluation and management processes.
version 1.0

15 Unified Storage Mechanism for CC Artifacts and Security Elements SRS-027

System requirement specification

As a User, I want the CC toolbox within the C5-DEC software to enable consistent and structured storage of various CC artifacts and security elements, ensuring ease of data management and integrity.

  1. When I choose to store SFRs/SARs, Security Functional Classes, Security Assurance Classes, Evaluation Activities, and Packages in the CC toolbox,
  2. I want the storage process to utilize the same open file format used for all artifacts ensuring uniformity,
  3. And store all elements in a structured, human and machine-readable format within the C5-DEC document-based data store, enabling efficient data retrieval and management.
  4. Thus, I can consistently and efficiently manage, access, and utilize the stored data in varied formats without loss of integrity and structure.

Acceptance criteria

  • User can store SFRs/SARs and all relevant CC artifacts and security elements in the CC toolbox.
  • All stored artifacts utilize the same open file format ensuring consistent data management.
  • Data for all elements (including Security Functional Classes, Security Assurance Classes, etc.) is stored in a structured, human and machine-readable format.
  • User can retrieve and manage the stored data efficiently without loss of integrity and structure.

Parent links: MRS-030, MRS-036

Child links: TST-016 Test uniformity of storage mechanisms in CCT module

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status In Progress
importance 3
urgency 2
risk 3
outlay 4
type F
rationale Implementing a unified and structured storage mechanism ensures that data related to SFRs/SARs and other CC elements is consistently stored and managed within the C5-DEC document-based data store, facilitating efficient data retrieval, management, and overall system reliability.
version 1.0

16 Automated Rationale and Traceability Matrix Generation SRS-028

System requirement specification

As a Developer, I want the system to automatically generate rationales as required by the CC that capture and justify each parent-child relation, so that documentation adheres to CC requirements and maintains a structured and justified linkage throughout the development and evaluation processes.

  1. TBD

Acceptance criteria

  • For each created parent-child relationship a rationale is defined.
  • A traceability matrix between all parent-child elements of a given level is automatically generated.
  • A list of justifications, justifying each parent-child link, is automatically compiled.

Parent links: MRS-032

Child links: TST-017 Test automated rationale and traceability matrix generation

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status Open
importance 4
urgency 3
risk 1
outlay 3
type F
rationale To comply with the Common Criteria, ensuring that every parent-child link within the CC data model is justified and traceable is crucial. Automated generation of a traceability matrix and rationale compilation facilitates consistent documentation and adherence to these requirements.
version 1.0

17 Verification of Rationales and Traceability Matrices SRS-029

System requirement specification

As an Evaluator, I want the system to validate that the generated rationales and traceability matrices comprehensively cover all parent-child elements and are in strict adherence with CC requirements, so that I can confidently validate and certify the coherence and completeness of the security documentation.

  1. TBD.

Acceptance criteria

  • The system verifies that every parent-child relationship has an associated rationale.
  • A traceability matrix is provided that covers all parent-child elements of a given level.
  • An exhaustive list of justifications is available, ensuring full coverage of all parent-child links.
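The generation required by SRS-028 and the coverage check required by SRS-029, as an added example that is not the project's own code: it builds a traceability matrix for one level, compiles the justification list, and reports links without a rationale, links to unknown items, and items with no parent. The item identifiers reuse IDs from this specification, but the link set and rationale texts are constructed, and `SRS-900` and `MRS-999` are hypothetical IDs used to trigger the failure cases.

```python
from collections import namedtuple

Link = namedtuple("Link", "child parent rationale")

# Constructed sample data (SRS-900 and MRS-999 are hypothetical).
ITEMS = ["MRS-032", "MRS-043", "SRS-028", "SRS-029", "SRS-040", "SRS-900"]
LINKS = [
    Link("SRS-028", "MRS-032", "Constructed: automates the rationale output."),
    Link("SRS-029", "MRS-032", ""),                # rationale missing
    Link("SRS-040", "MRS-032", "Constructed: flags block incomplete evidence."),
    Link("SRS-040", "MRS-043", "   "),             # whitespace only
    Link("SRS-028", "MRS-999", "Constructed: parent is not a known item."),
]


def level(item_id):
    """'SRS-028' -> 'SRS'; the prefix identifies the document level."""
    return item_id.split("-", 1)[0]


def build_matrix(items, links, child_level, parent_level):
    """Rows are child items, columns are parent items, cells mark a link."""
    rows = sorted(i for i in items if level(i) == child_level)
    cols = sorted(i for i in items if level(i) == parent_level)
    linked = {(l.child, l.parent) for l in links}
    return {r: {c: (r, c) in linked for c in cols} for r in rows}


def justifications(links, child_level, parent_level):
    """One line per link of the given level that carries a rationale."""
    return [
        f"{l.child} -> {l.parent}: {l.rationale.strip()}"
        for l in links
        if level(l.child) == child_level
        and level(l.parent) == parent_level
        and l.rationale.strip()
    ]


def verify(items, links, child_level, parent_level):
    """Return sorted (kind, child, parent) findings; empty means full coverage."""
    known, findings, parented = set(items), [], set()
    for link in links:
        if level(link.child) != child_level or level(link.parent) != parent_level:
            continue
        if link.child not in known or link.parent not in known:
            findings.append(("dangling-link", link.child, link.parent))
            continue
        parented.add(link.child)
        if not link.rationale.strip():
            findings.append(("missing-rationale", link.child, link.parent))
    for item in items:
        if level(item) == child_level and item not in parented:
            findings.append(("orphan", item, ""))
    return sorted(findings)


if __name__ == "__main__":
    for row, cells in build_matrix(ITEMS, LINKS, "SRS", "MRS").items():
        print(row, " ".join("X" if hit else "." for hit in cells.values()))
    for finding in verify(ITEMS, LINKS, "SRS", "MRS"):
        print(finding)
```
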

Parent links: MRS-032

Child links: TST-018 Test verification of rationales and traceability matrices

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status Not Started
importance 4
urgency 3
risk 1
outlay 3
type F
rationale For an Evaluator, ensuring that the provided rationales and traceability matrices comprehensively cover all elements and adhere to CC standards is paramount for validating the coherence and comprehensiveness of the security documentation.
version 1.0

18 Detailed Consistency and Completeness Checks SRS-030

System requirement specification

As an Administrator, I want the system to perform detailed automated consistency and completeness checks on CC data, specifically validating relationships, attributes, and dependencies, so that the integrity, quality, and reliability of the stored data are ensured and maintained in adherence with predefined standards.

  1. TBD.

Acceptance criteria

  • Automated consistency checks validate relationships, attributes, and dependencies within the CC data.
  • Automated completeness checks ensure all necessary data points are present and properly configured in the CC data.
  • All data adheres to predefined standards, maintaining its integrity and quality.

Parent links: MRS-032

Child links: TST-019 Test automated consistency and completeness checks

Attribute Value
author Heinrich
acceptance see above
date 03.01.2023
status Open
importance 4
urgency 3
risk 1
outlay 3
type F
rationale Employing automated checks that validate relationships, attributes, and dependencies and ensure completeness in CC data not only safeguards the data integrity and quality but also bolsters reliability and adherence to predefined standards.
version 1.0

18.1 Query the Database of Security Components. SRS-002

System requirement specification

As a General User, I want to search and filter the database for Security Component Elements using full-text search and/or attributes.

Assuming I am logged in as an authorized user:

  1. I access the database containing the CC Security Components.
  2. Then I am able to define a query and search the database.
  3. When I query the database I am provided with best matching results in descending order, from best to worst.
  4. When I select a match, the respective Security Component Element is shown.
  5. Then I can traverse the Security Component structure as defined in SRS-001 or define a new query.
  6. When I define a new query, I resume at Step 3.
  7. At all times I am able to exit the database.

Acceptance criteria

  • General User can access the database.
  • General User can define full-text and/or attributes queries to search the database.
  • General User is successfully presented with search matches in descending order, from best to worst.
  • General User can select a match to view the respective Security Component Element.
  • General User can traverse the Security Component structure.
  • General User can define a new query.
  • General User can exit the database at any time.

Parent links: MRS-028, MRS-030, MRS-036

Child links: TST-002 Test query the CC Database

Attribute Value
author Heinrich
acceptance see above
date 13.09.2023
dependence ['SRS-001']
status In Progress
importance 3
urgency 3
risk 1
outlay 2
type F
rationale In addition to the browsing option, the General User should be able to query the database for keywords, further enhancing the identification process.
version 0.1

18.2 Export Security Components SRS-003

System requirement specification

As a Developer, I want to be able to (select Security Components and) export (their respective) Security Requirements into a file so that I can e.g. import them into my project's REM system.

Assuming that I am logged in as an authorized user:

  1. I access the database containing the CC Security Components.
  2. Then I am able to specify or select a (set of) Security Component/s of type 'functional' and/or 'assurance'.
  3. When I specify or select a (set of) Security Component/s I expect the system to automatically assess the validity of the selection in terms of consideration of hierarchical and dependency relationships and to display the result.
  4. Then I am able to export the selected Security Components' Security Requirements.
  5. When I select the export option I expect the system to warn me in case of an invalid selection.
  6. Then I am able to ignore the warning or adjust my selection.
  7. When I proceed I am able to (at least) define the filepath, filename, and format (csv, xlsx). Additional customizability to ease export to project's REM system format is desirable.
  8. Then all Security Requirements of the selected Security Components are exported to the defined filepath with the filename and in the defined format.

Acceptance criteria

  • Developer can specify or select a set of Security Components.
  • Selection is automatically validated in terms of the components' hierarchical and dependency relationships.
  • Respective Security Requirements are correctly exported according to the defined settings.
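One way to implement the automatic selection check from steps 3 and 5, as an added example that is not the project's own code: a dependency counts as met when the selection contains it or a component hierarchical to it, and the missing components are computed transitively. The catalogue is a small constructed sample, and reporting a component already covered by a hierarchically higher selected one as "redundant" is an assumption of this sketch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    ident: str
    hierarchical_to: tuple = ()  # lower components this one fully includes
    dependencies: tuple = ()     # components that must accompany this one


# Constructed sample catalogue. A real tool would load these relations
# from the CC XML file rather than hard-code them.
CATALOGUE = {c.ident: c for c in (
    Component("FAU_GEN.1", dependencies=("FPT_STM.1",)),
    Component("FAU_GEN.2", dependencies=("FAU_GEN.1", "FIA_UID.1")),
    Component("FIA_UID.1"),
    Component("FIA_UID.2", hierarchical_to=("FIA_UID.1",)),
    Component("FPT_STM.1"),
)}


def covered_by(ident, catalogue):
    """Return ident plus everything it is hierarchical to (transitively)."""
    seen, stack = set(), [ident]
    while stack:
        current = stack.pop()
        if current in seen or current not in catalogue:
            continue  # also guards against cycles in bad data
        seen.add(current)
        stack.extend(catalogue[current].hierarchical_to)
    return seen


def validate_selection(selected, catalogue=None):
    """Return sorted (kind, component, detail) findings; empty means valid."""
    catalogue = CATALOGUE if catalogue is None else catalogue
    known = sorted({s for s in selected if s in catalogue})
    findings = [("unknown", s, "") for s in sorted(set(selected) - set(known))]
    satisfied = set()
    for ident in known:
        satisfied |= covered_by(ident, catalogue)
    for ident in known:
        for dep in catalogue[ident].dependencies:
            if dep not in satisfied:
                findings.append(("unmet-dependency", ident, dep))
        for other in known:
            if other != ident and ident in covered_by(other, catalogue):
                findings.append(("redundant", ident, other))
    return sorted(findings)


def missing_components(selected, catalogue=None):
    """Components to add so that all dependencies are met, transitively."""
    catalogue = CATALOGUE if catalogue is None else catalogue
    queue = [s for s in selected if s in catalogue]
    satisfied = set()
    for ident in queue:
        satisfied |= covered_by(ident, catalogue)
    missing = []
    while queue:
        ident = queue.pop(0)
        for dep in catalogue[ident].dependencies:
            if dep in satisfied:
                continue
            missing.append(dep)
            satisfied |= covered_by(dep, catalogue) or {dep}
            if dep in catalogue:
                queue.append(dep)  # its own dependencies must be met too
    return sorted(missing)


if __name__ == "__main__":
    choice = ["FAU_GEN.2", "FIA_UID.2"]
    print(validate_selection(choice))
    print("add:", missing_components(choice))
```
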

Parent links: MRS-053, MRS-055

Child links: TST-003 Test exporting Security Components

Attribute Value
author Heinrich
acceptance see above
date 13.09.2023
dependence ['SRS-001', 'SRS-002']
status In Progress
importance 3
urgency 3
type F
version 0.1

18.3 Tailor Security Requirements. SRS-004

System requirement specification

As a Developer, I want to tailor Security Requirements to my project's needs, so that the tailoring process and the resultant Security Requirements comply with the Common Criteria.

Assuming I am logged in as an authorized user:

Option 1: Export tailoring

  1. I access the database containing the CC Security Components.
  2. Then I am able to specify or select a (set of) Security Component/s of type 'functional' and/or 'assurance'.
  3. When I specify or select a (set of) Security Component/s I expect the system to automatically assess the validity of the selection in terms of consideration of hierarchical and dependency relationships and to display the result.
  4. Then I am able to export the selected Security Components' Security Requirements.
  5. When I proceed to export I will be able to iterate through all Security Requirements and tailor each to my project's needs.
  6. Then the system tracks the changes made to the original Security Requirements and includes the Common Criteria required information in the exported file.

Option 2: Parse tailored Requirements

  1. I access the database containing the CC Security Components
  2. Then I am able to provide a (set of) tailored Security Requirement/s in (TBD) format.
  3. When I provide a (set of) tailored Security Requirements the system is able to automatically validate the changes made and generate the Common Criteria required information for the tailored Security Requirement.
  4. Then I am able to export the provided (set of) tailored Security Requirement(s) with the additional information.

Acceptance criteria

  1. The system successfully parses and validates Security Requirements against the DTD.
  2. The system allows manipulations of the requirement according to defined operations.
  3. The system provides options to select and edit operations as needed.
  4. The tailored requirement provides a detailed list of conducted operations and modifications.

Parent links: MRS-032, MRS-053, MRS-055

Child links: TST-004 Test tailoring Security Requirements

Attribute Value
author Heinrich
acceptance see above
date 13.09.2023
dependence ['SRS-003']
status Open
importance 3
urgency 3
risk 1
type F
rationale Ensuring that the Security Requirements can be tailored in compliance with the Common Criteria is crucial for aligning the project needs with standardized security benchmarks. Facilitating a structured and traceable method of managing requirement modifications while maintaining an archival system of original requirements ensures auditability and adherence to the Common Criteria, particularly for PP/ST.
version 0.1

18.4 Flagging and Addressing Failed Work Units with Cascading Flags SRS-040

System requirement specification

As a User, I want failed work units to be visibly flagged and to inhibit progression until resolved. Additionally, I want all items linked to a flagged work unit to also be flagged, so that all issues and potential dependent problems are duly addressed, ensuring a reliable, thorough, and systematic evaluation and development process.

  1. TBD.

Acceptance criteria

  • Failed work units are visibly flagged.
  • Items linked to the flagged work units are also flagged.
  • Progress cannot continue until flagged items are addressed.

Parent links: MRS-032, MRS-043

Child links: TST-029 Test flagging failed Work Units and affected artifacts

Attribute Value
author Heinrich
date 03.10.2023
dependence ['SRS-037', 'SRS-036']
status Open
importance 3
urgency 2
risk 1
outlay 3
type F
rationale Explicitly flagging failed work units and inhibiting progression until they are addressed ensures that issues are rectified promptly. Cascading these flags to linked items ensures a rigorous and thorough evaluation and validation process, maintaining the integrity and reliability of the evaluation and development process and ensuring that dependent elements are not overlooked.
version 1.0

18.5 Automated Validation of Relationships, Attributes, and Dependencies SRS-031

System requirement specification

As a Developer, I want the system to automatically validate relationships, attributes, and dependencies between data points, and ensure the completeness of all necessary data entries within the CC data, so that development is guided by accurate, reliable, and complete data, thereby reducing the potential for errors and rework.

  1. TBD

Acceptance criteria

  • The system identifies and alerts to any inconsistencies or incomplete data entries within the CC data.
  • Relationships, attributes, and dependencies between data points are automatically validated by the system.
  • A report log can be generated to provide insights into the validation checks and any issues identified.

Parent links: MRS-032

Child links: TST-020 Test automated validation

Attribute Value
author Heinrich
acceptance see above
date 03.10.2023
status Open
importance 4
urgency 3
risk 1
outlay 3
type F
rationale Ensuring the validity of relationships, attributes, and dependencies and the completeness of CC data entries ensures a robust and reliable data structure, which in turn streamlines development activities by reducing the potential for errors and unnecessary rework, thus ensuring compliance and efficiency in adhering to CC.
version 1.0

18.6 Seamless Aggregation and Presentation of SARs and Work Units SRS-032

System requirement specification

As an Evaluator, I want the system to seamlessly aggregate and present SARs and associated work units, aligning them with specific security assurance components, so that the process of evaluating the readiness and compliance of a Target of Evaluation (TOE) is simplified and streamlined.

  1. When I select an SAR to assess the readiness or compliance of a TOE, I want to see the SAR description and the associated Work Unit description.

Acceptance criteria

  • SARs and work units are accurately and seamlessly aggregated by the system.
  • The system displays SARs and work units in an organized manner, aligned with the respective security assurance components.
  • Evaluators can easily navigate and interpret the aggregated data to assess the readiness and compliance of the TOE.

Parent links: MRS-032

Child links: TST-021 Test aggregation of SARs and Work Units

Attribute Value
author Heinrich
date 03.10.2023
dependence ['MRS-030']
status In Progress
importance 4
urgency 3
risk 1
outlay 3
rationale The efficient evaluation of the TOE readiness and compliance with relevant standards is vital for ensuring the security and reliability of the developed system. By automatically aggregating and presenting SARs and work units in alignment with respective security assurance components, evaluators can swiftly and accurately assess adherence to security assurance requirements, ensuring robust evaluation processes and confidence in the TOE.
version 1.0

18.7 API Provision for Threat Importation SRS-033

System requirement specification

As a Security Analyst, I want the system to provide APIs for seamless importation of threats from external repositories like MITRE ATT&CK and CVE, so that I can efficiently integrate and utilize external threat data within C5-DEC.

  1. TBD.

Acceptance criteria

  • APIs enable seamless importation of threats from MITRE ATT&CK and CVE.
  • Imported threats are accurately represented within C5-DEC.

Parent links: MRS-032, MRS-041

Child links: TST-022 Test API provision for threat import

Attribute Value
author Heinrich
date 03.10.2023
status Open
importance 3
urgency 2
risk 1
outlay 3
type F
rationale Integrating external threat data from reputable sources like MITRE ATT&CK and CVE enriches the C5-DEC database, providing a comprehensive threat landscape for better-informed security analysis and decision-making.
version 1.0

18.8 Transformation of Imported Threats to CC-conformant Format SRS-034

System requirement specification

As a Developer, I want the system to provide transformation templates, guidelines, and custom mapping options for converting imported threats into a CC-conformant format, so that all threats, native or imported, ensure compliance with CC standards and integration within the C5-DEC encoded CC data model.

  1. TBD.

Acceptance criteria

  • The system provides templates, guidelines, and custom mapping options for transforming imported threats.
  • Transformed threats comply with CC standards and integrate with the C5-DEC CC data model.

Parent links: MRS-032, MRS-041

Child links: TST-023 Test transforming imported threats to CC-conformant format

Attribute Value
author Heinrich
date 03.10.2023
status Open
importance 3
urgency 2
risk 1
type F
rationale Ensuring that all threats, whether internally defined or imported from external sources, adhere to CC standards and can be seamlessly integrated within the C5-DEC data model promotes consistency, traceability, and compliance throughout the security evaluation and assurance processes.
version 1.0

18.9 Automated Evaluation Checklist Creation SRS-035

System requirement specification

As a Developer or Evaluator, I want to select a set of Security Assurance Components or Assurance Package and have the system automatically generate an Evaluation Checklist, so that I can efficiently assess the evaluation readiness of or evaluate a Target of Evaluation.

  1. When I select a set of Security Assurance Components or a pre-defined Assurance Package (e.g. EAL 2) to assess the readiness of or to evaluate a Target of Evaluation.
  2. Then I expect the system to automatically validate the selected set of components in terms of the consideration of hierarchical and dependency relationships.
  3. When a valid set is selected I want the system to create an Evaluation Checklist based on the selected set.
  4. Then I want to have the option to start the evaluation using the created Evaluation Checklist.

Acceptance criteria

  • User can select and de-select security assurance components or assurance packages (augmentations also allowed)
  • Based on the (valid) selection, a checklist is generated that contains Evaluation Items that correspond to the respective Work Units.
  • Each Evaluation Item contains all relevant information for the Work Unit, i.e., Evaluator Action Element, Content or Developer Element, and the Work Unit task.
  • Furthermore, the User must be able to assign each Evaluation Item an Evaluator, an Evaluation Date, the Evaluation Evidence, and the Evaluation Verdict.
  • An index of required evaluation evidence documentation is created.

Parent links: MRS-032, MRS-043

Child links: TST-024 Test automated creation of Evaluation Checklist

Attribute Value
author Heinrich
date 03.10.2023
dependence ['SRS-034']
status In Progress
importance 3
urgency 1
risk 1
outlay 3
type F
rationale Enabling automated creation of Evaluation Checklists ensures that the evaluators can efficiently initialize the evaluation process by quickly defining the scope and requirements of the evaluation, thereby ensuring compliance and readiness from the project inception.
version 1.0

18.10 Evaluation Progress Tracking SRS-036

System requirement specification

As a User, I want the system to track and display the evaluation progress of the Evaluation, as well as the evaluation status of individual Evaluation Items, so that the ongoing status of the Evaluation is clear and easily accessible.

  1. When I load an Evaluation Checklist I expect to see the overall evaluation progress, as well as the evaluation status (pass, fail, inconclusive) of each Evaluation Item.
  2. When I select and edit an Evaluation Item I expect the Item's status as well as the overall evaluation progress to account for the changes in real time.

Acceptance criteria

  • The overall evaluation progress is accurately and visually represented in the system, e.g., as a percentage of passed evaluation items.
  • The status of each Evaluation Item is accurately and visually represented, e.g., as [X], [O], or [ ] for failed, passed, or inconclusive, respectively.
  • Both the overall evaluation progress and the Item's status are updated in real time, i.e., evaluation progress and status are immediately updated when changes are made.
  • At all times the evaluation progress as well as any Evaluation Item's status can be extracted.

Parent links: MRS-032, MRS-043

Child links: TST-025 Test evaluation progress tracking

Attribute Value
author Heinrich
date 03.10.2023
dependence [{'SRS-035': None}]
status In Progress
importance 3
urgency 1
risk 1
outlay 3
type F
rationale Tracking the evaluation progress centrally and transparently supports project management by allowing all stakeholders to have a clear, real-time insight into the ongoing evaluation status, thereby enabling timely decision-making and issue mitigation.
version 1.0
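
The progress tracking above, combined with the cascading flags of SRS-040, can be sketched as follows. This is an added example, not C5-DEC code: the class and method names, the item UIDs, and the choice to follow links transitively are assumptions; the status symbols and the "percentage of passed items" metric come from the acceptance criteria.

```python
from collections import deque
from dataclasses import dataclass, field

# Status symbols as given in the SRS-036 acceptance criteria.
SYMBOL = {"fail": "[X]", "pass": "[O]", "inconclusive": "[ ]"}


@dataclass
class EvaluationItem:
    uid: str
    verdict: str = "inconclusive"
    links: list = field(default_factory=list)  # UIDs of linked items or artifacts


class Checklist:
    """Hypothetical in-memory checklist; state is recomputed on every query."""

    def __init__(self, items):
        self.items = {item.uid: item for item in items}

    def set_verdict(self, uid, verdict):
        if verdict not in SYMBOL:
            raise ValueError(f"unknown verdict: {verdict!r}")
        self.items[uid].verdict = verdict

    def progress(self):
        """Percentage of passed Evaluation Items, rounded to one decimal."""
        if not self.items:
            return 0.0
        passed = sum(1 for i in self.items.values() if i.verdict == "pass")
        return round(100 * passed / len(self.items), 1)

    def flagged(self):
        """Failed items plus everything reachable from them through links."""
        queue = deque(u for u, i in self.items.items() if i.verdict == "fail")
        seen = set(queue)
        while queue:
            current = self.items.get(queue.popleft())
            # External or non-checklist artifacts have no outgoing links here.
            for linked in current.links if current else ():
                if linked not in seen:
                    seen.add(linked)
                    queue.append(linked)
        return seen

    def can_proceed(self):
        """Progression is inhibited while any flag is outstanding."""
        return not self.flagged()

    def status_lines(self):
        flags = self.flagged()
        return [
            f"{SYMBOL[i.verdict]} {uid}" + (" FLAGGED" if uid in flags else "")
            for uid, i in sorted(self.items.items())
        ]


def sample_checklist():
    """Constructed sample data; UIDs are placeholders."""
    return Checklist([
        EvaluationItem("EVI-001", "fail", ["ARC-007", "EVI-002"]),
        EvaluationItem("EVI-002", "pass", ["TST-012"]),
        EvaluationItem("EVI-003", "pass"),
    ])
```

Note that EVI-002 is flagged even though its own verdict is pass, because it is linked from the failed EVI-001; resolving EVI-001 clears every cascaded flag at once.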

18.11 Work Unit Artifact Linking SRS-037

System requirement specification

As a User, I want to link work units within an Evaluation Checklist to applicable artifacts, so that there is clear traceability between work units and related project artifacts.

  1. When I treat an Evaluation Item and hence the associated Work Unit and want to link relevant artifacts to the Evaluation Item/Work Unit.
  2. Then I want to be able to differentiate between linking internal (items stored in the same open file format and managed by C5-DEC) and external artifacts.
  3. When I want to link internal artifacts I can do so by providing the artifact's item UID.
  4. Then I expect the system to acknowledge linking the artifact to the Evaluation Item or inform me (visually) if the UID is invalid.
  5. When I want to link internal artifacts I want to be able to define queries to search for the artifact. (OPTIONAL)
  6. Then I expect the system to provide potentially matching items with a preview of the item's content. (OPTIONAL)
  7. When I select a match I want the system to link the Evaluation Item to the selected item. (OPTIONAL)
  8. When I want to link external artifacts I can do so by providing the path to the external resource.
  9. When I select an Evaluation Item's link
  10. Then I want to be able to modify, remove, or open/preview the linked Item.

Acceptance criteria

  • Users can create, modify, and remove links between work units and applicable artifacts.
  • Links are visibly represented and can be navigated within the system.
  • Links are differentiated between internal and external links.

Parent links: MRS-032, MRS-043

Child links: TST-026 Test Work Unit-Artifact linking

Attribute Value
author Heinrich
date 03.10.2023
dependence ['SRS-035']
status Open
importance 4
urgency 3
risk 1
outlay 3
type F
rationale Ensuring traceability between work units and related artifacts reinforces the transparency and verifiability of the evaluation process, thereby strengthening the credibility and compliance of the evaluation outcome.
version 1.0

18.12 Automated OR Generation SRS-038

System requirement specification

As a User, I want the system to generate Observation Reports (ORs), so that issues encountered during the evaluation are summarized and communicated effectively.

  1. TBD.

Acceptance criteria

  • The system gathers and compiles information related to failed work units.
  • An OR is generated, summarizing issues encountered during the evaluation.

Parent links: MRS-032, MRS-043

Child links: TST-027 Test automated generation of Observation Reports

Attribute Value
author Heinrich
date 03.10.2023
dependence ['SRS-037', 'SRS-036', 'SRS-035']
status Open
importance 3
urgency 2
risk 1
outlay 3
type F
rationale Automated generation of Observation Reports (ORs) ensures that any discrepancies, issues, or failures during the evaluation are systematically documented and communicated, which is vital for transparency and subsequent remediation activities.
version 1.0

18.13 Automated ETR Generation SRS-039

System requirement specification

As a User, I want the system to generate the Evaluation Technical Report (ETR) upon completion of the evaluation, so that all verdicts and evaluation results are summarized and the overall verdict is derived according to predefined rules.

Acceptance criteria

  • All verdicts and evaluation results are summarized in the ETR.
  • The overall verdict in the ETR is derived based on individual verdicts and predefined rules.

Parent links: MRS-032, MRS-043

Child links: TST-028 Test automated generation of Evaluation Technical Report

Attribute Value
author Heinrich
date 03.10.2023
dependence ['SRS-035', 'SRS-036', 'SRS-037', 'SRS-038']
status Open
importance 3
urgency 2
risk 1
outlay 3
type F
rationale Streamlining the creation of the Evaluation Technical Report (ETR) by automating the compilation and derivation of overall verdicts ensures a swift, consistent, and objective consolidation of evaluation outcomes, which is crucial for substantiating evaluation claims and finalizing the evaluation process.
version 1.0

18.14 Logging evaluated Work Units SRS-041

System requirement specification

As a User, I want evaluated work units to be logged and stored, so that a clear record of successful evaluations is maintained for future reference and auditing.

Acceptance criteria

  • Evaluated work units are logged and stored as Doorstop items.
  • Users can review the log of passed work units.

Parent links: MRS-032, MRS-043

Child links: TST-030 Test auditability of Evaluation Items

Attribute Value
author Heinrich
date 03.10.2023
dependence ['SRS-036']
status In Progress
importance 3
urgency 2
risk 1
outlay 3
type F
rationale Systematically logging and archiving evaluated work units provides a clear record, which can be vital for future reviews, audits, and project insights, thereby supporting transparency and historical tracking of project evolution.
version 1.0

18.15 Extend Data Model Across Entire CC Ecosystem SRS-042

System requirement specification

As a User, I want the data model to accurately encompass and interrelate all entities and documents within the CC ecosystem, so that I can efficiently navigate, manage, and derive insights from comprehensive, interconnected CC data, ensuring that the manipulation, association, and interpretation of all CC-relevant entities are coherent and traceable.

  1. TBD

Acceptance criteria

  • The data model encompasses all entities and documents within the CC ecosystem.
  • Each entity in the CC ecosystem can be represented, related, and manipulated within the system.

Parent links: MRS-032

Child links: TST-031 Test extended data model

Attribute Value
author Heinrich
date 03.10.2023
status Open
importance 3
urgency 1
risk 1
outlay 3
type N
rationale Extending the data model across the entire CC ecosystem ensures consistent and comprehensive management and manipulation of all CC entities and documents. It enables thorough adherence to CC standards and ensures all CC-relevant data can be accurately represented, related, and manipulated within the system.
version 1.0

18.16 Provide CC Document Templates SRS-043

System requirement specification

As a User, I want access to predefined templates for each type of CC document, so that I can efficiently create standardized, CC-compliant documents and optionally export them to supported formats.

  1. TBD.

Acceptance criteria

  • Templates for each type of CC document are available and adhere to CC standards.
  • Users can select, utilize, and export templates to supported formats (e.g., .docx, .tex, .xml).

Parent links: MRS-032

Child links: TST-032 Test CC templates

Attribute Value
author Heinrich
date 03.10.2023
dependence ['SRS-042']
status Open
importance 3
urgency 2
risk 1
type F
rationale Providing predefined templates for each type of CC document simplifies and standardizes the document creation process. It ensures that users can efficiently create documents adhering to CC content and formatting standards without requiring detailed manual input, thus enhancing consistency and reducing the potential for error across CC documentation.
version 1.0

18.17 Validate Hierarchies and Dependencies in Security Components SRS-044

System requirement specification

As a User, I want the system to validate the hierarchies and dependencies among the selected security components, so that I can ensure that my set of components is coherent and conforms to the CC.

  1. When I select or provide a set of Security Components
  2. Then I expect the system's validation mechanism to check whether the provided component set meets the hierarchical and dependency requirements of each selected Security Component.
  3. When I provide an invalid set
  4. Then I expect the system to classify the set as 'invalid' and optionally to provide potential valid sets based on the provided selection.
  5. When I provide a valid set
  6. Then I expect the system to classify the set as 'valid'

Acceptance criteria

  1. The system enables the selection or provision of security components for a project.
  2. Upon selection, the system automatically validates the hierarchical and dependency relationships among the chosen components, in accordance with CC guidelines.
  3. The system provides clear feedback about the validation status, highlighting any inconsistencies or deviations from the CC guidelines.
  4. Adjustments made to the components are accurately reflected and can be re-validated by the system.

Parent links: MRS-032, MRS-053, MRS-055

Child links: TST-033 Test validation of hierarchies and dependencies of Security Component sets

Attribute Value
author Heinrich
date 03.10.2023
status In Progress
importance 3
urgency 3
risk 1
outlay 3
type F
rationale To ensure that the specified and selected security components are coherent and abide by the CC guidelines, all hierarchical and dependency relations among them must be validated.
version 1.0
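
A sketch of the validation described in SRS-044, including the optional suggestion of a valid set for an invalid selection. This is an added example, not C5-DEC code: the function names and data layout are assumptions, and the catalogue is a small excerpt of CC Part 2 functional components typed in for the example. It applies the CC rule that a dependency is also satisfied by a component hierarchical to the required one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    uid: str
    hierarchical_to: tuple = ()  # components this one is hierarchical to
    dependencies: tuple = ()     # components it depends on


# Constructed excerpt of the CC Part 2 catalogue (not the C5-DEC data model).
CATALOGUE = {c.uid: c for c in (
    Component("FPT_STM.1"),
    Component("FIA_UID.1"),
    Component("FIA_UID.2", hierarchical_to=("FIA_UID.1",)),
    Component("FIA_UAU.1", dependencies=("FIA_UID.1",)),
    Component("FAU_GEN.1", dependencies=("FPT_STM.1",)),
    Component("FAU_GEN.2", dependencies=("FAU_GEN.1", "FIA_UID.1")),
    Component("FAU_SAR.1", dependencies=("FAU_GEN.1",)),
)}


def covered_by(uid, catalogue):
    """Return uid plus every component it is transitively hierarchical to."""
    seen, stack = set(), [uid]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(catalogue[current].hierarchical_to)
    return seen


def validate_selection(selection, catalogue=CATALOGUE):
    """Classify a selection; return (status, unknown UIDs, unmet dependencies)."""
    selected = set(selection)
    unknown = sorted(selected - set(catalogue))
    known = selected - set(unknown)
    satisfied = set()
    for uid in known:
        satisfied |= covered_by(uid, catalogue)
    unmet = sorted(
        (uid, dep)
        for uid in known
        for dep in catalogue[uid].dependencies
        if dep not in satisfied
    )
    status = "invalid" if unknown or unmet else "valid"
    return status, unknown, unmet


def suggest_valid_set(selection, catalogue=CATALOGUE):
    """Extend a selection with missing dependencies until none remain unmet."""
    result = set(selection) & set(catalogue)  # unknown UIDs are dropped
    while True:
        _, _, unmet = validate_selection(result, catalogue)
        addable = {dep for _, dep in unmet if dep in catalogue}
        if not addable:
            return result
        result |= addable
```

The suggestion adds the exact components named as dependencies; a component hierarchical to one of them would be an equally valid choice, which is why the requirement speaks of potential valid sets in the plural.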

18.18 Generate Impact Analysis Reports for Certification Maintenance. SRS-045

System requirement specification

As a Developer, I want the system to automatically infer the impact of changes in both code and documentation, so that these insights are summarized in comprehensive Impact Analysis Reports (IARs), ensuring effective management of compliance and certification aspects throughout project alterations.

  1. TBD

Acceptance criteria

  1. The system must identify and track changes in both code and documentation.
  2. The system must automatically infer the impacts of these changes.
  3. An Impact Analysis Report (IAR) is generated, summarizing the inferred impacts.
  4. The IAR must be comprehensible and encapsulate all necessary impact details.
  5. The IAR should be structured to support certification maintenance and incremental certification processes.

Parent links: MRS-032, MRS-053, MRS-055

Child links: TST-034 Test generation of Impact Analysis Report

Attribute Value
author Heinrich
date 03.10.2023
status Open
importance 2
urgency 2
risk 2
type F
rationale To maintain existing certifications and facilitate incremental certification processes in the face of changes, the system needs to automatically deduce and report the impacts stemming from alterations in code and documentation. Impact Analysis Reports (IARs) crystallize these impacts in a structured format, offering a clear overview of potential repercussions, and are required evaluation evidence for certification maintenance.
version 1.0