Skip to main content

assurance-terminology-and-applicability

2.4 Assurance Terminology and Applicability

2.4.1 Terminology

The following terms "must", "must not", "required", "shall", "shall not", "should", "should not", "recommended", "may" and "optional" are used in accordance with the definitions in RFC2119 [ref 25]1.

2.4.2 Level of Assurance

The applicability levels are defined as follows

MandatoryThis requirement shall be met, as it is vital to meet the security objectives of the product.
AdvisoryThis requirement should be met unless there are sound product reasons (e.g. economic viability, hardware complexity). The reasons for deviating from the requirement and alternative countermeasures to reduce any security risk should be documented.

For example in the following tables, where it shows “M of 2 and above” assurance class, this means that the requirement is mandatory for the stated level and all higher levels i.e. 2, 3 & 4.

Footnotes

  1. IETF – RFC2119 “Key words for use in RFCs to Indicate Requirement Levels” [https://www.ietf.org/rfc/rfc2119.txt]