Offline RI Listing
#149 - Recovery to a Known State
Date: 07/01/2003

Statement:

Closed Statement:

The national interpretation is an incorrect interpretation of the CC:


The RI problem statement assumes that one needs a formal Security Policy Model (ADV_SPM.3) to define secure states. This is an incorrect assumption: an informal Security Policy Model (ADV_SPM.1) is sufficient to define the secure states of a TOE. The current components in FPT_RCV all have dependencies on ADV_SPM.1, implementing this fact. CC Part 2 para 1236 expands on this by stating that if one can give a rationale why a particular state is secure, a full Security Policy Model is not necessary (and hence the dependency on ADV_SPM.1 can be deleted).


The suggested FPT_RCV.NIAP-0389-1 Recovery to Known State allows return to a previously known state, which cannot be considered to be a secure state (otherwise the author would use the stronger FPT_RCV.1). This means that the inclusion of FPT_RCV.NIAP-0389-1 may create vulnerabilities in a TOE, as attackers may use the fact that the TOE returns to a previously known state that they have reason to assume is insecure, as the following example illustrates:


“A TOE stores its state every five minutes and, in the case of failure/service discontinuity, restores its previous state. If an attacker induces a failure in the TOE within five minutes of an authorised user logging in, the TOE restores the last stored state, and now thinks that the authorised user is still logged in.”
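The distinction the interpretation draws, between returning to a *known* state and returning to a *secure* state, can be made concrete with a small simulation. The following Python model is an added illustration written for this page; it is not part of the CCIMB listing and does not represent any particular TOE. The `Toe` class, the five-minute checkpoint interval, the user name `alice` and the two recovery methods are all constructed for the example. `recover_known_state` restores the last checkpoint verbatim, as the quoted example describes; `recover_secure_state` restores the same checkpoint but drops every session, which is the kind of rationale ("no authentication survives recovery, so every subject must re-authenticate") that CC Part 2 para 1236 says can justify calling the restored state secure.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Optional, Set


# Constructed model of a TOE whose runtime state records who is logged in.
@dataclass
class ToeState:
    clock: int = 0                              # seconds since boot
    sessions: Set[str] = field(default_factory=set)  # logged-in user ids


class Toe:
    CHECKPOINT_INTERVAL = 300   # "every five minutes" from the quoted example

    def __init__(self) -> None:
        self.state = ToeState()
        self.checkpoint: Optional[ToeState] = None
        self.failed = False

    def tick(self, seconds: int) -> None:
        """Advance the clock; store a copy of the state every five minutes."""
        for _ in range(seconds):
            self.state.clock += 1
            if self.state.clock % self.CHECKPOINT_INTERVAL == 0:
                self.checkpoint = deepcopy(self.state)

    def login(self, user: str) -> None:
        self.state.sessions.add(user)

    def logout(self, user: str) -> None:
        self.state.sessions.discard(user)

    def induce_failure(self) -> None:
        self.failed = True

    def recover_known_state(self) -> None:
        """Return to the last stored state as-is (the NIAP-0389-1 behaviour
        criticised above): whatever sessions were open at checkpoint time
        come back with it."""
        self.state = deepcopy(self.checkpoint) if self.checkpoint else ToeState()
        self.failed = False

    def recover_secure_state(self) -> None:
        """Return to the last stored state, then apply the rationale that makes
        it secure: no session survives recovery, so each user must
        re-authenticate before acting."""
        restored = deepcopy(self.checkpoint) if self.checkpoint else ToeState()
        restored.sessions = set()
        self.state = restored
        self.failed = False

    def is_logged_in(self, user: str) -> bool:
        return not self.failed and user in self.state.sessions


def scenario(secure_recovery: bool) -> bool:
    """Replay the quoted example and report whether the authorised user still
    appears logged in after recovery.  True means the stale session was
    resurrected."""
    toe = Toe()
    toe.login("alice")        # authorised user logs in
    toe.tick(300)             # checkpoint at t=300 captures alice's session
    toe.logout("alice")       # alice logs out and leaves the terminal
    toe.tick(30)              # shortly afterwards a failure is induced
    toe.induce_failure()
    if secure_recovery:
        toe.recover_secure_state()
    else:
        toe.recover_known_state()
    return toe.is_logged_in("alice")


if __name__ == "__main__":
    print("known-state recovery resurrects session:", scenario(False))   # True
    print("secure-state recovery resurrects session:", scenario(True))   # False
```

Running the script shows the two outcomes side by side: the known-state recovery brings `alice` back as logged in even though she logged out before the failure, while the secure-state recovery restores the same checkpoint but leaves nobody authenticated. In an evaluation, the second behaviour is what a developer would have to argue for when claiming the FPT_RCV.1 dependency on ADV_SPM.1 can be dropped because a rationale for the secure state exists.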