I-0014: Meaning Of Trusted Recovery Below B3
NUMBER: I-0014
STATUS: Withdrawn
REASON: This is OBE by the fact that we already accept extra
credit for requirements above the stated assurance.
TITLE: Meaning Of Trusted Recovery Below B3
REQUIREMENT: Trusted Recovery
CRITERIA CLASSES: C1, C2, B1, B2
DOCUMENT(S): Trusted Facility Manual
RELATED TO: <None>
STATEMENT: The following interprets the requirement "Procedures and/or mechanisms shall be provided to assure that, after an ADP system failure or other discontinuity, recovery without a protection compromise is obtained." at ratings below B3. The mechanisms of Trusted Recovery may be evaluated independently, at evaluation levels below B3, from the assurances implied by the requirement. Any assertion of Trusted Recovery below B3 must include the standard assurance disclaimer.
PROJECTED IMPACT: Most evaluations prior to this interpretation did not consider Trusted Recovery below B3. Had they done so, it is possible that some systems would have been evaluated as satisfying this additional requirement.
SUPPORT: Some systems provide extensive mechanisms either for tolerating errors or recovering fully from errors. Since these mechanisms are intended to protect security-critical data as well as user data, they meet the intent of the Trusted Recovery requirement. In addition, the CMW Evaluation Criteria explicitly call for Trusted Recovery in CMW systems, which require no assurance above the TCSEC B1 evaluation level. It seems reasonable to give extra credit for extra mechanism, even in the absence of the higher level of assurance, just as is done for other mechanisms (such as B3 DAC). The standard disclaimer about higher-level features not implying higher-level assurance applies.