[Public Interpretations Database]

PD-0069: Claiming compliance to FPT_AMT.1


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-10-23
Last Modified: 2006-08-02

Issue

A protection profile contains the FPT_AMT.1 SFR. This SFR states:

"the TSF shall run a suite of tests .... to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF".

Consider the case of an ST being evaluated against that PP. The ST in question makes no assumptions about the IT aspects of the operating environment (i.e., the IT environment). Must such an ST contain functions to satisfy FPT_AMT.1? If not, can PP compliance still be claimed?

Resolution

The CC and CEM make it clear that FPT_AMT applies to the abstract machine that provides the operating environment:

  • ADV_HLD.x.5c uses the same notion (i.e., "underlying TSF") to refer to the hardware components upon which the TSF has been implemented. In this case, CEM guidance explicitly notes (paragraph 721) that: "If the ST contains no security requirements for the IT environment, this work unit is not applicable and is therefore considered to be satisfied."

  • FPT_AMT.1 requires the "tests… to demonstrate the correct operation of the security assumptions..." Security Assumptions are a part of the Environment section of the ST (as opposed to TOE requirements), which implies that if there are no IT environmental requirements in this section, there is no need for hardware diagnostic tests.

  • There is another CC requirement (FPT_TST.1) that focuses directly on the TOE providing "self tests" (as opposed to environmental tests) to demonstrate the correct operation of the TSF.

Based on this, if there are no assumptions being made about the IT aspects of the operating environment, FPT_AMT.1 is vacuously satisfied, and the TSF need contain no explicit functions to address FPT_AMT.1.

Given that a protection profile cannot, a priori, know the operating environment of any compliant STs, PPs will include FPT_AMT.1 to "cover the bases". If the ST, however, has no IT aspects in the operating environment, it is acceptable for the ST to omit explicitly listing the vacuously satisfied FPT_AMT.1, noting instead in the PP compliance rationale that the requirement is vacuously satisfied and omitted.

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • CC v2.1 Part 2 FPT_AMT

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0195