NIAP: View Technical Decision Details
Archived TD0145:  FCS_CKM_EXT.3.1 - Security strength of KEKs

Publication Date
2017.02.10

Protection Profiles
PP_MD_v3.0

Other References
FCS_CKM_EXT.3.1

Issue Description

The MDFPP has a blanket statement that the security strength of KEKs should be equal to or greater than that of the DEKs they protect, yet the PP's high-strength use case selects AES-256 (and not AES-192).

Resolution

FCS_CKM_EXT.3.1    The TSF shall use [selection: asymmetric KEKs of [assignment: security strength greater than or equal to 112] security strength, symmetric KEKs of [selection: 128-bit, 256-bit] security strength corresponding to at least the security strength of the keys encrypted by the KEK].

Justification

The security strength of KEKs is at least the security strength of the keys they encrypt.
