[Public Interpretations Database]

I-0369: Security Management Functions To Be Provided Must Be Enumerated


TYPE:                 NIAP Interpretation
NUMBER:               I-0369
STATUS:               Withdrawn
REASON:               The need for this interpretation is eliminated with the
                      approval of CCIMB-INTERP-0065.

TITLE:                Security Management Functions To Be Provided Must Be
                      Enumerated

SOURCE REFERENCE:     CC v2.1 Part 2 Annex H FMT
                      CC v2.1 Part 2 Clause 8 FMT
                      CC v2.1 Part 2 Subclause 8.1 FMT_MOF
                      CC v2.1 Part 2 Subclause 8.2 FMT_MSA
                      CC v2.1 Part 2 Subclause 8.3 FMT_MTD
RELATED TO:           <None>

ISSUE:

The CC words for the FMT class specify restrictions on roles that may perform security management functions, but fail to provide explicit requirements that the TSF provide the security management functions upon which the restrictions apply. A common argument is that restricting the functions implicitly requires that they be provided. However, implicit requirements are not tested; moreover, the implicit requirements do not capture the fact that the functions must be provided by the TSF.

STATEMENT:

A new family is added to the Common Criteria that allows specification of management functions to be provided by the TOE.

RECOMMENDED CRITERIA CHANGES:

To address this interpretation, the following changes are made to CC v2.1, Part 2 (in the original, additions and deletions are distinguished by formatting that is not reproduced in this text):

  • The following family is added to Clause 8, Class FMT:

    8.NIAP-0369 Management Functions Provided (FMT_NIAP-0369-SMF)

    Family Behavior

    This family allows the specification of the management functions to be provided by the TOE. Management functions are TSFI that allow administrators to define the parameters that control the operation of security-related aspects of the TOE, such as data protection attributes, TOE protection attributes, audit attributes, and identification and authentication attributes. Management functions also include those functions performed by an operator to ensure continued operation of the TOE, such as backup and recovery. This family works in conjunction with the other components in the FMT class: the component in this family calls out the functions, and the other families in FMT restrict the ability to use the management functions.

    Component Levelling

    [There would be a graphic here showing one component in the FMT_NIAP-0369-SMF family.]

    FMT_NIAP-0369-SMF.1 Specification of Management Functions requires that the TSF provide specific management functions.

    Management: FMT_NIAP-0369-SMF.1

    All management functions assigned in FMT_NIAP-0369-SMF.1 could be considered for the other management families in the FMT class in order to restrict the ability to use those functions.

    Audit: FMT_NIAP-0369-SMF.1

    The following events should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

    a) Minimal, Basic, Detailed: Use of the management functions.

    FMT_NIAP-0369-SMF.1 Specification of Management Functions

    Hierarchical To: No other components

    FMT_NIAP-0369-SMF.1.1 The TSF shall be capable of performing the following security management functions: [assignment: list of security management functions to be provided by the TSF, categorized as either "security attribute management", "TSF data management", or "security function management"]

    Dependencies: None

  • The following subclause is added to Annex H, Security Management:

    H.NIAP-0369. Management Functions Provided (FMT_NIAP-0369-SMF)

    This family allows the specification of the management functions to be provided by the TOE. Management functions are TSFI that allow administrators to define the parameters that control the operation of security-related aspects of the TOE, such as data protection attributes, TOE protection attributes, audit attributes, identification and authentication attributes, and so on. Management functions also include those functions performed by an operator to ensure continued operation of the TOE, such as backup and recovery. This family works in conjunction with the other components in the FMT class: the component in this family calls out the functions, and the other families in FMT restrict the ability to use the management functions.

    FMT_NIAP-0369-SMF.1 Specification of Management Functions

    This component specifies the management functions to be provided.

    User Application Note

    PP/ST authors should consult the "Management" sections for components included in their PP/ST to provide a basis for the management functions to be listed via this component.

    Operations

    Assignment:

    In FMT_NIAP-0369-SMF.1, the PP/ST author should specify the management functions to be provided by the TSF, and indicate for each whether it is categorized as either "security attribute management", "TSF data management", or "security function management".

  • Clause 8, Figure 8.1, is modified to show an additional family, FMT_NIAP-0369-SMF Management Functions Provided, with one component, FMT_NIAP-0369-SMF.1 Specification of Management Functions.

  • Annex H, Figure H.1, is modified to show an additional family, FMT_NIAP-0369-SMF Management Functions Provided, with one component, FMT_NIAP-0369-SMF.1 Specification of Management Functions.

  • FMT_MOF.1 is relabeled as FMT_MOF.1-NIAP-0369. Unless otherwise noted in these changes, all normative and informative material associated with FMT_MOF.1 is incorporated unchanged into FMT_MOF.1-NIAP-0369, and all references to FMT_MOF.1 in the CC, CEM, or other Common Criteria documentation are changed to refer to FMT_MOF.1-NIAP-0369.

  • The following change is made to FMT_MOF.1-NIAP-0369:

    Dependencies: FMT_SMR.1 Security Roles

    FMT_NIAP-0369-SMF.1 Specification of Management Functions

  • FMT_MSA.1 is relabeled as FMT_MSA.1-NIAP-0369. Unless otherwise noted in these changes, all normative and informative material associated with FMT_MSA.1 is incorporated unchanged into FMT_MSA.1-NIAP-0369, and all references to FMT_MSA.1 in the CC, CEM, or other Common Criteria documentation are changed to refer to FMT_MSA.1-NIAP-0369.

  • The following change is made to FMT_MSA.1-NIAP-0369 [Note: The relabeling of FDP_ACC.1 and FDP_IFC.1 are the result of other interpretations]:

    Dependencies: [FDP_ACC.1-NIAP-0416 Subset access control or FDP_IFC.1-NIAP-0417 Subset information flow control]

    FMT_SMR.1 Security Roles

    FMT_NIAP-0369-SMF.1 Specification of Management Functions

  • FMT_MTD.1 is relabeled as FMT_MTD.1-NIAP-0369. Unless otherwise noted in these changes, all normative and informative material associated with FMT_MTD.1 is incorporated unchanged into FMT_MTD.1-NIAP-0369, and all references to FMT_MTD.1 in the CC, CEM, or other Common Criteria documentation are changed to refer to FMT_MTD.1-NIAP-0369.

  • The following change is made to FMT_MTD.1-NIAP-0369:

    Dependencies: FMT_SMR.1 Security Roles

    FMT_NIAP-0369-SMF.1 Specification of Management Functions

FURTHER CONSIDERATIONS:

Corresponding methodology changes may be needed to add explanatory text to the work units that address completeness and consistency in APE_REQ and ASE_REQ. Specifically, explanatory text may be necessary to discuss ensuring that all management functions referenced, but not explicitly mandated, in other elements are mandated through FMT_NIAP-0369-SMF.1.

Note that the goal of this interpretation might also be achievable by adding elements to specific existing FMT families, although the approach taken in the RECOMMENDED CRITERIA CHANGES above collects all function specification into a single location.

SUPPORT:

This interpretation addresses the issue by requiring that the security management functions to be provided by a TOE be explicitly listed, so that evaluation of the PP/ST can determine whether it satisfies its objectives.