[Public Interpretations Database]

I-0470: FPT_AMT When There Are No Operational (IT) Environment Objectives


TYPE:                 NIAP Interpretation
NUMBER:               I-0470
STATUS:               Sent to CCEVS Management and CCIMB for Review

TITLE:                FPT_AMT When There Are No Operational (IT) Environment
                      Objectives

FIRST POST:           [cc-cmt 00560]

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause J.1 FPT_AMT
RELATED TO:           <None>
CCIMB ENTRY:          CCIMB-INTERP-0253

ISSUE:

A protection profile contains the FPT_AMT.1 SFR. This SFR states:

"the TSF shall run a suite of tests ... to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF".

Consider the case of an ST being evaluated against that PP. The ST in question makes no assumptions about the IT aspects of the operational environment (i.e., the IT environment). Thus, it has no objectives allocated to the IT Environment. Must such an ST contain functions to satisfy FPT_AMT.1? If not, can PP compliance still be claimed?

STATEMENT:

FPT_AMT is only applicable when there are explicit IT environment objectives, or when TSF SFRs have clear dependencies on the correct operation of a particular function provided by the IT environment.

For PPs/STs that include FPT_AMT but not FPT_TST, and that have all objectives for the IT environment being met by TSF SFRs, FPT_AMT must be included and must test that the IT environmental objectives are satisfied.

RECOMMENDED CRITERIA CHANGES:

To address this interpretation, the following changes are made to Part 2 of CC v2.1:

  • The following is added after Paragraph 1177 in Annex J.1 of Part 2, CC v2.1:

    In STs where there are no objectives or assumptions about the underlying IT environment, it is acceptable for a dependency on FPT_AMT to be met with justification that there are no requirements to test.

    Similarly, in such an ST, it is acceptable to claim compliance with a PP including FPT_AMT with the justification that the SFR FPT_AMT is vacuously satisfied, under the proviso that the PP does not have any objectives for the IT Environment, or a convincing argument is provided that all IT Environment objectives have been satisfied by the TSF directly.

    However, for PPs/STs that include FPT_AMT but not FPT_TST, and that have all objectives for the IT environment being met by TSF SFRs, FPT_AMT must be included and must test that the IT environmental objectives are satisfied.

SUPPORT:

First, note that if a PP or ST contains assumptions about the operational (IT) environment, these assumptions need to be traced to objectives allocated to the operational environment. Similarly, if a TSF SFR depends on the correct operation of a function in the IT environment, there should be a specific objective that said IT environment function operates correctly; otherwise, the TSF objective cannot be claimed to completely cover its corresponding threat or policy. Thus, all dependencies on correct operation of the IT environment should be captured in the IT environment objectives.

The CC and CEM make it clear that FPT_AMT applies to the abstract machine that provides the operating environment:

  • ADV_HLD.x.5c uses the same notion (i.e., "underlying TSF") to refer to the hardware components upon which the TSF has been implemented. In this case, CEM guidance explicitly notes (paragraph 721) that: "If the ST contains no security requirements for the IT environment, this work unit is not applicable and is therefore considered to be satisfied."

  • FPT_AMT.1 requires the "tests to demonstrate the correct operation of the security assumptions..." Security Assumptions are a part of the Environment section of the ST (as opposed to TOE requirements), which implies that if there are no IT environmental requirements in this section, there is no need for hardware diagnostic tests.

  • FPT_TST.1 focuses directly on the TOE providing "self tests" (as opposed to environmental tests) to demonstrate the correct operation of the TSF.

Based on this, the Abstract Machine corresponds to the functions provided by the IT environment. If there are no objectives for the IT environment, then there is nothing to test about the Abstract Machine, and FPT_AMT.1 is vacuously satisfied. In such cases, the TSF need not contain explicit functions to address FPT_AMT.1.

Given that a protection profile cannot, a priori, know the operating environment of any compliant STs, PPs will include FPT_AMT.1 to "cover the bases". If the ST, however, has no IT environment objectives, it is acceptable for the ST to omit explicitly listing the vacuously satisfied FPT_AMT.1, noting instead in the PP compliance rationale that the requirement is vacuously satisfied and omitted. PP/ST authors including FPT_AMT should consider including FPT_TST as well to cover such situations.

Note that there is one special case: situations where FPT_AMT is included but FPT_TST is not. This indicates a desire of the PP/ST author to have the IT environment objectives always be tested. When those objectives are met by the TSF, and there is no other testing (i.e., FPT_TST) available in the operational environment, the goal of having those objectives tested is met only if FPT_AMT has functions in the ST.