[cPP CHANGE] Allowed TOE Types & Module Guidance #161

@GugelChris

Description

What is the change request for the cPP? Please describe.
Section 1.2 of the cPP provides an overview of the TOE and provides multiple TOE type categories but does not describe those categories in great detail, nor does it provide guidance on when to claim the Modules.

The PP currently describes at least 3 TOE types that are allowed:
a. Enterprise Desktop Applications - software on an end user device meant to be used by a single user at a time
b. Enterprise Server Applications - software on a server device meant to be used by multiple users and/or having a larger role within the network environment
c. Enterprise Server Applications with their Agent(s) - software on a server device meant to be used by multiple users and/or having a larger role within the network environment that includes software that is distributed on other systems

This Section currently describes 'Enterprise-grade Mobile Applications' but this TOE type cannot currently be evaluated based upon not having assurance activities for mobile apps.

The following TOE 'types' need additional guidance:
a. Distributed Server applications where there are multiple distributed Server software components but none of the software is truly characterized as an agent
b. Central management software component with one or more distributed software components performing other purposes

Describe the solution you'd like
Section 1.2 needs to be updated to address the following:

  1. Provide a description and examples for the types of TOEs allowed - in a single location (currently there are multiple lists that don't correlate well)

  2. Provide guidance for when Modules apply in more detail than stating "Separate PP Modules will provide additional requirements for Enterprise Server Applications and Enterprise grade Mobile Applications"
    a. Enterprise Server Applications - Server Module must be claimed
    b. Enterprise Server Applications with their Agent(s) - Server and Agent must be claimed. The ST must make it clear which TOE component(s) apply to these Modules.

  3. Determine if 2a or 2b will cover distributed Server applications. Either would likely be acceptable based upon current SFRs but may want to consider future use cases.

  4. Determine how to claim a TOE with a 'Central management software component'. This may be the same as 'distributed Server applications'.

  5. Move 'Enterprise-grade Mobile Applications' to the not currently covered list as there are no assurance activities defined for these environments. This should be addressed in future PP updates.

  6. "Virtualized and Containerized applications (e.g. running in a Docker container)" - move this to the not currently covered list as there are no assurance activities that cover this type. This should be addressed in future PP updates.
