2.4 Assurance Terminology and Applicability
2.4.1 Terminology
The terms "must", "must not", "required", "shall", "shall not", "should", "should not", "recommended", "may" and "optional" are used in accordance with the definitions in RFC 2119 [ref 25] [1].
2.4.2 Level of Assurance
The applicability levels are defined as follows:

Applicability | Definition
--- | ---
Mandatory | This requirement shall be met, as it is vital to meeting the security objectives of the product.
Advisory | This requirement should be met unless there are sound product reasons not to (e.g. economic viability, hardware complexity). The reasons for deviating from the requirement, and the alternative countermeasures adopted to reduce any resulting security risk, should be documented.
For example, where the following tables give a requirement an assurance class of “M of 2 and above”, the requirement is mandatory for the stated assurance level and for all higher levels, i.e. levels 2, 3 and 4.
Footnotes

[1] IETF, RFC 2119, “Key words for use in RFCs to Indicate Requirement Levels”, https://www.ietf.org/rfc/rfc2119.txt