2.4 Assurance Terminology and Applicability
2.4.1 Terminology
The terms "must", "must not", "required", "shall", "shall not", "should", "should not", "recommended", "may" and "optional" are used in accordance with the definitions in RFC 2119 [RFC2119]¹.
2.4.2 Level of Assurance
The applicability levels are defined as follows.
| Level | Definition |
|---|---|
| Mandatory | This requirement shall be met, as it is vital to meeting the security objectives of the product. |
| Advisory | This requirement should be met unless there are sound product reasons not to (e.g. economic viability, hardware complexity). The reasons for deviating from the requirement, and the alternative countermeasures adopted to reduce any resulting security risk, should be documented. |
For example, where a requirements table shows the assurance class "M of 2 and above", the requirement is mandatory for the stated class and for all higher classes, i.e. classes 2, 3 and 4.
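The "M of N and above" notation is easy to misread when a product team filters a long requirements table by hand, so the following is a small checklist filter that applies the rule mechanically. It is an added example, not code from the framework. It assumes assurance classes run 0 to 4 (the page only states that "2 and above" covers 2, 3 and 4), and it assumes the same notation is used with "A" for Advisory and without "and above" for a single class; the requirement IDs in the sample table are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Assumption: assurance classes run 0..4. The page only shows that
# "2 and above" means 2, 3 and 4, so the lower bound is an assumption.
MIN_CLASS = 0
MAX_CLASS = 4

LEVEL_NAME = {"M": "Mandatory", "A": "Advisory"}

# "M of 2 and above" is the form shown on the page; "A of N" and the
# exact-class form "M of N" (no "and above") are assumed variants.
_PATTERN = re.compile(r"^\s*([MA])\s+of\s+(\d)\s*(and above)?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Applicability:
    level: str          # "M" (Mandatory) or "A" (Advisory)
    classes: frozenset  # assurance classes at which the requirement applies

    @property
    def level_name(self) -> str:
        return LEVEL_NAME[self.level]


def parse_applicability(text: str) -> Applicability:
    """Parse a table cell such as 'M of 2 and above' into its level and class set.

    Unrecognised notation raises rather than silently becoming 'not applicable',
    so a checklist never drops a requirement because of a typo in the table.
    """
    m = _PATTERN.match(text)
    if m is None:
        raise ValueError(f"unrecognised applicability notation: {text!r}")
    level = m.group(1).upper()
    start = int(m.group(2))
    if not MIN_CLASS <= start <= MAX_CLASS:
        raise ValueError(f"assurance class {start} outside {MIN_CLASS}..{MAX_CLASS}")
    # "and above" extends the range to the highest class; otherwise exactly one class.
    upper = MAX_CLASS if m.group(3) else start
    return Applicability(level, frozenset(range(start, upper + 1)))


def applicable_requirements(requirements, target_class: int) -> dict:
    """Split requirements into Mandatory / Advisory for a product at target_class.

    `requirements` is an iterable of (requirement_id, applicability_text).
    Requirements whose class set does not include target_class are omitted.
    """
    if not MIN_CLASS <= target_class <= MAX_CLASS:
        raise ValueError(f"target class {target_class} outside {MIN_CLASS}..{MAX_CLASS}")
    result = {"Mandatory": [], "Advisory": []}
    for req_id, text in requirements:
        app = parse_applicability(text)
        if target_class in app.classes:
            result[app.level_name].append(req_id)
    return result


# Constructed sample table rows; the IDs are placeholders, not requirement
# numbers from the framework.
SAMPLE_REQUIREMENTS = [
    ("REQ-A", "M of 2 and above"),
    ("REQ-B", "A of 1 and above"),
    ("REQ-C", "M of 4"),
    ("REQ-D", "M of 0 and above"),
]

if __name__ == "__main__":
    for cls in range(MIN_CLASS, MAX_CLASS + 1):
        print(cls, applicable_requirements(SAMPLE_REQUIREMENTS, cls))
```

Running the block prints, for each class, which sample requirements are mandatory and which are advisory; the parser deliberately fails closed on any cell it cannot read, which is the safer behaviour for a compliance tool.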
Footnotes
- IETF RFC 7525, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", May 2015. https://tools.ietf.org/html/rfc7525 ↩