[Public Interpretations Database]

I-0068: Timing Of Security Policy Model Development


NUMBER:               I-0068
STATUS:               Ready to Prepare for Management/CCIMB

TITLE:                Timing Of Security Policy Model Development

FIRST POST:            [criteria 1883]
MOST RECENT REPOST:    [criteria 2467]

REQUIREMENT:          Design Specification and Verification
CRITERIA CLASSES:     B1, B2, B3, A1
DOCUMENT(S):          Security Policy Model
RELATED TO:           <None>

STATEMENT:

The following interprets the requirement that "A[n informal or] formal model of the security policy supported by the TCB shall be maintained over the life cycle of the ADP system ..."

For the purposes of this requirement, the phrase "ADP system" is interpreted as "evaluated product". This means that:

  1. During the development portion of the life-cycle of the evaluated product, a model of the behavior of evaluated security functions shall be developed.

  2. During the maintenance portion of the life-cycle of the evaluated product, the documented security policy model shall be maintained concurrently with other design documentation for the evaluated product.

PROJECTED IMPACT:

Negligible impact anticipated.

SUPPORT:

In an ideal world, products would have their security functions modeled before the design was completed; the development of the model and the design would be a concurrent process.

However, products that are being retrofitted for evaluation may have had some or all of their security functions developed before evaluation was considered and, possibly, without a good software engineering process in place. Usually, such products had an informal design of the security function behavior that served as a model for the designers, although this was not necessarily a true security policy model. Requiring such products to have a TCSEC-style model for the original security functions is often impractical and does not benefit the overall assurance in the product. For such products, the evaluation-relevant life cycle is assumed to begin at the start of the security retrofit. It is at this time that the informal security function design must be translated into a TCSEC-style model.

The evaluation process requires that the model be completed in sufficient time for evaluators to assess the model along with other delivered design documentation evidence.

The emphasis on the life cycle requires that the model be a living document, reviewed as the product is updated during product maintenance. It is unreasonable to make significant design changes and only afterwards examine their effect on the policy model. Review of changes with respect to the model should be an ongoing process during ratings maintenance.