I-0369: Security Management Functions To Be Provided Must Be Enumerated
- Subject: I-0369: Security Management Functions To Be Provided Must Be Enumerated
- From: "Interpretations Working Group" <iwg@gibraltar.ncsc.mil>
- Date: Fri, 17 Nov 2000 08:46:39 -0800
[0114] (221 lines) iwg@gibraltar.ncsc.mil 11/06/00 1824.58 gmt Mon Common_Criteria
This transaction consists of a proposal for a National Interpretation of
a Common Criteria document. It is being posted in accordance with the
procedures of the IWG.
Comments on this proposal are welcomed and should be posted to this
transaction chain. If any party wishes to post a comment anonymously,
the comment should be mailed to IWG@gibraltar.ncsc.mil in a form
suitable for posting. All comments should be posted no later than
Friday, December 1, 2000.
CCITSE/CEM NIAP INTERPRETATION (PROPOSED)
_________________________________________________________________
I-0369: Security Management Functions To Be Provided Must Be Enumerated
_________________________________________________________________
NUMBER: I-0369
STATUS: Ready for External Review
TYPE: NIAP Interpretation
TITLE: Security Management Functions To Be Provided Must Be
Enumerated
SOURCE REFERENCE: CC v2.1 Part 2 Annex H FMT
CC v2.1 Part 2 Clause 8 FMT
CC v2.1 Part 2 Subclause 8.1 FMT_MOF
CC v2.1 Part 2 Subclause 8.2 FMT_MSA
CC v2.1 Part 2 Subclause 8.3 FMT_MTD
CC v2.1 Part 2 Subclause 8.NIAP-0369 FMT_NIAP-0369-SMF
CC v2.1 Part 2 Subclause H.NIAP-0369 FMT_NIAP-0369-SMF
RELATED TO: <None>
ISSUE:
The CC words for the FMT class specify restrictions on roles that may
perform security management functions, but fail to provide explicit
requirements that the TSF provide the security management functions
upon which the restrictions apply. A common argument is that
restricting the functions implicitly requires that they be provided.
However, implicit requirements are not tested; moreover, the implicit
requirements do not capture the fact that the functions must be
provided by the TSF.
STATEMENT OF INTERPRETATION:
A new family is added to the Common Criteria that allows specification
of management functions to be provided by the TOE.
SPECIFIC INTERPRETATION:
To address this interpretation, the following changes are made to CC
v2.1, Part 2: (additions marked _thusly_; deletions marked _[DEL:_
thusly _:DEL]_ )
* The following family is added to Clause 8, Class FMT:
8.NIAP-0369 Management Functions Provided (FMT_NIAP-0369-SMF)
Family Behavior
This family allows the specification of the management functions to
be provided by the TOE. Management functions are TSFI that allow
administrators to define the parameters that control the operation
of security-related aspects of the TOE, such as data protection
attributes, TOE protection attributes, audit attributes,
identification and authentication attributes, and so on. Management
functions also include those functions performed by an operator to
ensure continued operation of the TOE, such as backup and recovery.
This family works in conjunction with the other components in the
FMT class: the component in this family calls out the functions, and
other families in FMT restrict the ability to use the management
functions.
Component Levelling
[There would be a graphic here showing one component in the
FMT_NIAP-0369-SMF family.]
FMT_NIAP-0369-SMF.1 Specification of Management Functions requires
that the TSF provide specific management functions.
Management: FMT_NIAP-0369-SMF.1
All management functions assigned in FMT_NIAP-0369-SMF.1 could be
considered for other management families in FMT Management in order
to restrict the ability to use those functions.
Audit: FMT_NIAP-0369-SMF.1
The following events should be auditable if FAU_GEN Security audit
data generation is included in the PP/ST:
a) Minimal, Basic, Detailed: Use of the management functions.
FMT_NIAP-0369-SMF.1 Specification of Management Functions
Hierarchical To: No other components
FMT_NIAP-0369-SMF.1.1 The TSF shall be capable of performing the
following security management functions: [assignment: list of
security management functions to be provided by the TSF,
categorized as either "security attribute management", "TSF data
management", or "security function management"]
Dependencies: None
* The following subclause is added to Annex H, Security Management:
H.NIAP-0369. Management Functions Provided (FMT_NIAP-0369-SMF)
This family allows the specification of the management functions to
be provided by the TOE. Management functions are TSFI that allow
administrators to define the parameters that control the operation
of security-related aspects of the TOE, such as data protection
attributes, TOE protection attributes, audit attributes,
identification and authentication attributes, and so on. Management
functions also include those functions performed by an operator to
ensure continued operation of the TOE, such as backup and recovery.
This family works in conjunction with the other components in the
FMT class: the component in this family calls out the functions, and
other families in FMT restrict the ability to use the management
functions.
FMT_NIAP-0369-SMF.1 Specification of Management Functions
This component specifies the management functions to be provided.
User Application Note
PP/ST authors should consult the "Management" sections for
components included in their PP/ST to provide a basis for the
management functions to be listed via this component.
Operations
Assignment:
In FMT_NIAP-0369-SMF.1, the PP/ST author should specify the
management functions to be provided by the TSF, and indicate for
each whether it is categorized as either "security attribute
management", "TSF data management", or "security function
management".
* Clause 8, Figure 8.1, is modified to show an additional family,
FMT_NIAP-0369-SMF.1 Specification of Management Functions, with
one hierarchical component.
* Clause H, Figure H.1, is modified to show an additional family,
FMT_NIAP-0369-SMF.1 Specification of Management Functions, with
one hierarchical component.
* FMT_MOF.1 is relabeled as FMT_MOF.1-NIAP-0369. Unless otherwise
noted in these changes, all normative and informative material
associated with FMT_MOF.1 is incorporated unchanged into
FMT_MOF.1-NIAP-0369, and all references to FMT_MOF.1 in the CC,
CEM, or other Common Criteria documentation are changed to refer to
FMT_MOF.1-NIAP-0369.
* The following change is made to FMT_MOF.1-NIAP-0369:
Dependencies: FMT_SMR.1 Security Roles
_FMT_NIAP-0369-SMF.1 Specification of Management Functions_
* FMT_MSA.1 is relabeled as FMT_MSA.1-NIAP-0369. Unless otherwise
noted in these changes, all normative and informative material
associated with FMT_MSA.1 is incorporated unchanged into
FMT_MSA.1-NIAP-0369, and all references to FMT_MSA.1 in the CC,
CEM, or other Common Criteria documentation are changed to refer to
FMT_MSA.1-NIAP-0369.
* The following change is made to FMT_MSA.1-NIAP-0369 [Note: The
relabeling of FDP_ACC.1 and FDP_IFC.1 is the result of other
interpretations]:
Dependencies: [FDP_ACC.1-NIAP-0416 Subset access control or
FDP_IFC.1-NIAP-0417 Subset information flow control]
FMT_SMR.1 Security Roles
_FMT_NIAP-0369-SMF.1 Specification of Management Functions_
* FMT_MTD.1 is relabeled as FMT_MTD.1-NIAP-0369. Unless otherwise
noted in these changes, all normative and informative material
associated with FMT_MTD.1 is incorporated unchanged into
FMT_MTD.1-NIAP-0369, and all references to FMT_MTD.1 in the CC,
CEM, or other Common Criteria documentation are changed to refer to
FMT_MTD.1-NIAP-0369.
* The following change is made to FMT_MTD.1-NIAP-0369:
Dependencies: FMT_SMR.1 Security Roles
_FMT_NIAP-0369-SMF.1 Specification of Management Functions_
FURTHER CONSIDERATIONS:
Related to this, the PP or ST evaluation process should ensure that
there are appropriate management functions for the other functional
elements in the PP/ST. This should be done either through additional
APE_REQ and ASE_REQ requirements, or clarifications in the CEM.
PROJECTED IMPACT:
Negligible impact anticipated.
SUPPORT:
This interpretation addresses the issue by requiring that the security
functions to be provided by a TOE be explicitly listed to allow
evaluation of the PP/ST to determine if it satisfies its objectives.
Note that the goal of this queue entry might be achievable by adding
elements to specific existing FMT families, although the approach
specified above collects all function specification into a single
location.