[Public Interpretations Database]

I-0420: Attribute Inheritance/Modification Rules Need To Be Included In Policy


TYPE:                 NIAP Interpretation
NUMBER:               I-0420
STATUS:               Approved by CCEVS Management and Mailed to Public Mailing
                      List

TITLE:                Attribute Inheritance/Modification Rules Need To Be
                      Included In Policy
SUPERSEDES:
     I-0363           Attribute Inheritance/Modification Rules Need To Be Included In Policy
APPROVAL POSTING:     [cc-cmt 00143]

EFFECTIVE:            2002-08-22

SOURCE REFERENCE:     CC v2.1 Part 2 Annex F FDP
                      CC v2.1 Part 2 Clause 6 FDP
RELATED TO:
     I-0363           Attribute Inheritance/Modification Rules Need To Be Included In Policy
CCIMB ENTRY:          CCIMB-INTERP-0107

ISSUE:

The Common Criteria does not currently provide functional requirements for specifying policies related to security attribute modification.

STATEMENT

Rules relating to modification and inheritance of security attributes are part of a Security Function Policy.

RECOMMENDED CRITERIA CHANGES

To address this interpretation, the following changes are made to CC v2.1, Part 2 (in the original, additions and deletions are distinguished by markup that this plain-text copy does not preserve):

  • Clause 6, Paragraph 167, item b) is modified as follows:

    b) Forms of user data protection:

    - FDP_ACF Access control functions;

    - FDP_NIAP-0420-ATR Security attribute policy;

    - FDP_IFF Information flow control functions;

    - FDP_ITT Internal TOE transfer;

    - FDP_RIP Residual information protection;

    - FDP_ROL Rollback; and

    - FDP_SDI Stored data integrity.

  • Clause 6, Figure 6.2, is modified to show a new family, FDP_NIAP-0420-ATR that has a single hierarchical component.

  • The following new family (FDP_NIAP-0420-ATR, Security Attribute Policy) is added to Clause 6:

    6.NIAP-0420 FDP_NIAP-0420-ATR Security Attribute Policy

    Family Behaviour

    This family defines the policy rules to be enforced during security attribute establishment or modification.

    Component Levelling

    (a diagram would go here indicating that this family has only one component)

    FDP_NIAP-0420-ATR.1 Security Attribute Management and Inheritance addresses the policy rules to be enforced during the establishment and modification of security attributes.

    Management: FDP_NIAP-0420-ATR.1

    The following actions could be considered for the management functions in FMT:

    a) specification of the role permitted to establish or modify security attributes.

    Audit: FDP_NIAP-0420-ATR.1

    The following events should be auditable if FAU_GEN Security audit data generation is included in a PP/ST:

    a) Minimal, Basic: Failure to establish or modify an object's security attributes due to the enforcement of a policy rule.

    b) Detailed: All decisions about establishing or modifying an object's security attributes due to the enforcement of a policy rule.

    FDP_NIAP-0420-ATR.1 Security Attribute Management and Inheritance

    Hierarchical To: No Components

    FDP_NIAP-0420-ATR.1.1. As part of the [assignment: access control SFP, information flow control SFP], the TSF shall enforce the following policy rules with respect to security attribute establishment: [selection: [assignment: list of rules governing security attribute inheritance], "none"]

    FDP_NIAP-0420-ATR.1.2. As part of the [assignment: access control SFP, information flow control SFP], the TSF shall enforce the following policy rules with respect to security attribute modification: [selection: choose one of [assignment: list of rules governing security attribute modification], "none"]

    Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]

  • Clause F, Figure F.2, is modified to show a new family, FDP_NIAP-0420-ATR that has a single hierarchical component.

  • The following is added to Annex F:

    F.NIAP-0420 FDP_NIAP-0420-ATR Security Attribute Management and Inheritance

    Family Behaviour

    This family defines the policy rules to be enforced during security attribute establishment or modification.

    FDP_NIAP-0420-ATR.1 Security Attribute Management and Inheritance

    User application notes

    This component allows specification of policy rules to be enforced on the establishment or modification of security attributes. This might include rules such as how new objects inherit security attributes from creating subjects, or ancillary rules that control security attribute modification. For example, this would be used to specify a rule that a Mandatory Access Control SFP's policy must be satisfied in order to set security attributes controlled under a Discretionary Access Control policy. This component should be contrasted with FMT_MSA.1.1, which allows the specification of the roles permitted to make selected security attribute modifications.

    Operations

    Selection:

    For FDP_NIAP-0420-ATR.1.1, the PP/ST author should select "none" if there is no specific policy to be enforced at the time of attribute establishment.

    For FDP_NIAP-0420-ATR.1.2, the PP/ST author should select "none" if there is no specific policy to be enforced at the time of attribute modification.

    Although the operations permit "none" to be selected for both elements, such a selection would result in no useful functionality.

    Assignment:

    For FDP_NIAP-0420-ATR.1.1, the PP/ST author should assign the policy to be enforced when attributes are established for an entity under control of an SFP. This assignment need not be completed if "none" was selected.

    For FDP_NIAP-0420-ATR.1.2, the PP/ST author should assign the policy to be enforced when attributes are modified for an entity under control of an SFP. This assignment need not be completed if "none" was selected.

SUPPORT:

FMT_MSA.1.1 only allows the specification of the roles permitted to make selected security attribute modifications. However, the FMT_MSA component provides no ability to specify policies related to security attribute modification, such as how new objects inherit security attributes from creating subjects, or ancillary rules that control security attribute modification. For example, one cannot use FMT_MSA to specify a rule that a Mandatory Access Control SFP must be satisfied in order to set security attributes controlled under a Discretionary Access Control policy.

One might think that such rules could be specified under FDP_ACF or FDP_IFF. However, those families allow specification of rules related to access of objects, not how security attributes obtain values. Providing a place to specify such rules appears to be an omission in the CC. This interpretation corrects that omission.
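The user application notes for FDP_NIAP-0420-ATR.1 and the SUPPORT text above both use the same case: a new object inheriting attributes from its creating subject (ATR.1.1), and a rule that the MAC SFP must be satisfied before a DAC attribute may change (ATR.1.2), as distinct from the FMT_MSA.1 question of which role may modify an attribute. The Python below is an added illustration, not part of the interpretation or of any TOE; the MAC lattice, subject and object names, the inheritance rule, the "label may be raised but not lowered" rule and the security_admin role are all constructed assumptions, and the audit trail records every decision as the Detailed audit level requires.

```python
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}  # constructed MAC lattice
AUDIT = []  # "Detailed" audit level: record every establish/modify decision

def audit(event, outcome, detail):
    AUDIT.append((event, outcome, detail))

def create_object(subject, name):
    """ATR.1.1 (hypothetical inheritance rule): a new object takes the MAC label
    of the creating subject, and the creator gets a full DAC entry."""
    obj = {"name": name, "label": subject["clearance"],
           "acl": {subject["name"]: {"read", "write", "setattr"}}}
    audit("establish", "success", f"{name} inherits label {obj['label']} from {subject['name']}")
    return obj

def set_acl(subject, obj, grantee, perms):
    """ATR.1.2 (hypothetical rule matching the page's example): the MAC SFP must be
    satisfied before a DAC attribute changes; the permission check first is FMT_MSA.1-style."""
    if "setattr" not in obj["acl"].get(subject["name"], set()):
        audit("modify", "failure", f"{subject['name']} lacks setattr on {obj['name']} (FMT_MSA.1-style check)")
        return False
    if LEVELS[subject["clearance"]] < LEVELS[obj["label"]]:
        audit("modify", "failure", f"MAC SFP not satisfied: {subject['clearance']} below {obj['label']}")
        return False
    obj["acl"][grantee] = set(perms)
    audit("modify", "success", f"{subject['name']} granted {sorted(perms)} to {grantee} on {obj['name']}")
    return True

def set_label(subject, obj, new_label):
    """MAC attribute modification: FMT_MSA.1 limits it to the security_admin role;
    ATR.1.2 adds the policy rule that a label may be raised but never lowered."""
    if "security_admin" not in subject["roles"]:
        audit("modify", "failure", f"{subject['name']} may not relabel {obj['name']} (FMT_MSA.1 role check)")
        return False
    if LEVELS[new_label] < LEVELS[obj["label"]]:
        audit("modify", "failure", f"policy forbids lowering {obj['name']} from {obj['label']} to {new_label}")
        return False
    obj["label"] = new_label
    audit("modify", "success", f"{subject['name']} relabelled {obj['name']} to {new_label}")
    return True

def run_scenario():
    # Constructed walk-through; returns the four decisions and the audit trail.
    AUDIT.clear()
    alice = {"name": "alice", "clearance": "CONFIDENTIAL", "roles": set()}
    admin = {"name": "admin", "clearance": "SECRET", "roles": {"security_admin"}}
    doc = create_object(alice, "doc1")              # doc1 inherits CONFIDENTIAL
    r1 = set_acl(alice, doc, "bob", {"read"})       # MAC satisfied: allowed
    r2 = set_label(alice, doc, "SECRET")            # not security_admin: refused
    r3 = set_label(admin, doc, "SECRET")            # admin raises the label
    r4 = set_acl(alice, doc, "carol", {"read"})     # alice now below label: refused
    return (r1, r2, r3, r4), list(AUDIT)
```

The last step is the point of the family: alice still holds the DAC permission that FMT_MSA.1 would check, yet the ATR.1.2 rule refuses the change because the MAC SFP is no longer satisfied.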