[Public Interpretations Database]

I-0379: How To Require User/Admin Documentation For Functional Components

 
TYPE:                 Request for Interpretation
NUMBER:               I-0379
STATUS:               In CCIMB RI Queue

TITLE:                How To Require User/Admin Documentation For Functional
                      Components

EFFECTIVE:            2000-03-27

SOURCE REFERENCE:     CC v2.1 Part 2
                      CC v2.1 Part 3 Clause 11 AGD
                      CC v2.1 Part 3 Subclause 2.1.4
DOCUMENT(S):          User Guidance; Administrator Guidance
RELATED TO:
     I-0001           Delayed Enforcement Of Authorization Change
     I-0002           Delayed Revocation Of DAC Access
     I-0003           Access Validation After Object Label Change
     I-0004           Enforcement Of Audit Settings Consistent With Protection Goals
     I-0005           Action For Audit Log Overflow
     I-0020           DAC Authority For Assignment
     I-0183           Restrictions On Untrusted Programs In Low Assurance Products
     I-0288           Actions Allowed Before I&A
CCIMB ENTRY:          CCIMB-INTERP-0113

ISSUE:

The CC does not currently provide a clear mechanism to allow a functional component to indicate information that must be present in user or administrator guidance.

PROPOSED RESOLUTION

Not yet determined.

SPECIFIC RESOLUTION

There is no concensus resolution for this problem, although there are four potential solutions:

  1. Allow assignments in the Part 3 Guidance family, and provide for functional components a USER/ADMINISTRATOR GUIDANCE section, similar to the audit section, that allows specification of the information to be contained in the user/administrator guidance when the component is included in a PP/ST.

  2. If provision of such information is an acceptable refinement for Class AGD, then provide in Part 2 a SUGGESTED GUIDANCE REFINEMENT section to specify the information to be contained in the user/administrator guidance when the component is included in the PP/ST. There should also be an application note for Class AGD in Part 3 indicating that specific documentation of functions that must be present in guidance documentation should be provided through refinement.

  3. If provision of such information is a consequence of environmental factors, then provide a SUGGESTED ENVIRONMENTAL CONSIDERATIONS in the Part 2 functional components to specify the environmental factors to be considered when the component is included in the PP/ST.

  4. Provide explicit guidance in the CEM for the Class AGD components, indicating for each functional component what information should be present in the guidance.

SUPPORT:

There are many examples of where functional components require clear guidance to the administrator or user in order for their correct operation:

  • Administrator Guidance:

    • Description of when authorization changes take effect.

    • Description of when changes to security attributes take effect.

    • Description of when changes to audit parameters take effect.

    • Description of the available options when the audit trail is full.

    • Description of the impact of assigning privileges and a description of implemented privileges.

    • Description of the discontinuities from which the TSF is excepted to be able to recover.

    • Description of the potential amount of audit data that might be lost in the face of a discontinuity.

    • Description for the policy on the reuse of user identifiers.

    • Guidance on the use of programs outside the TSF when privilege is present.

    • Cautions about actions available before a product reaches its secure state.

    • Descriptions about how any output labels are to be interpreted.

  • User Documentation:

    • Description of how a user controls sharing of objects under an access control policy, especially if the sharing is not under the direct control of the user.

    • Description of how a user controls sharing of objects when multiple access control or information flow policies are present.

    • Description of how a user controls sharing of objects when relevant access control policies are order-dependent.

  • Both:

    • Description of the risks and responsibilities regarding removable media, in particular, how residual information must be addressed when the media is removed from an ADP system and any physical security requirements.

Some of these examples are PP/ST issues: the requirement is completed from a broad Common Criteria element, and it is up to the PP/ST author to add explicitly specified assurance elements for the additional guidance information. In such cases, the best that can be done is a note in the Part 2 annex providing suggestions as to information that might be needed in the guidance documentation, as the CC authors cannot know apriori how the assignments will be completed.

However, in other cases, it is possible to know apriori when guidance is required to complement a functional element. In such cases, it should be possible to have the Common Criteria specify, as part of the functional element, the information that must be present in guidance documentation.

This interpretation presents four possible solutions to this problem.

The first adds the ability to perform assignments solely to the guidance elements, and adds a corresponding section in the functional components to specify what information should be included in the assignment if the functional component is included in a PP/ST. A variant of this approach would be to have the section in the functional component indicate that this guidance information should be called out as an explicitly specified element. Which of these variants is better depends on how one assesses the bias against explicitly specified elements, and whether it is felt appropriate for functional elements to call out explicitly specified assurance elements.

The second approach works only if the provision of the additional functional guidance is a valid refinement of the existing AGD components. If the guidance is a valid refinement, then this approach suggests adding a list of suggested assurance refinements to the functional components.

The third approach is based on the notion that the functional guidance arises because of aspects of the environment of use (reuse of removable media might be an example of this). If so, then an approach to address this is to provide hints to the PP/ST author about environmental aspects to consider when writing the PP/ST. This would then translate into requirements on the environment, which must then be included in the guidance.

The last approach uses the CEM to provide the guidance. In this approach, the CEM sections that discuss the guidance documentation would provide the functional cases as specific examples of information that must be present.