NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0190:  FPT_FLS.1(2)/SelfTest Failure with Preservation of Secure State and Modular Network Devices

Publication Date
2017.04.11

Protection Profiles
PP_NDCPP_MACSEC_EP_V1.2

Other References
FPT_FLS.1(2)/SelfTest

Issue Description

For FPT_FLS.1(2)/SelfTest, both the SFR and Test 1 say that the TOE Security Function (TSF) shall shut down in the event of a specified failure.  The TSF may or may not include the entire device when the TOE is a modular network device.

Resolution

Section 4.2.2.9 of PP_NDCPP_MACSEC_EP_V1.2 is updated and replaced as follows:

4.2.2.9 FPT_FLS.1(2)/SelfTest Failure with Preservation of Secure State

FPT_FLS.1.1(2)/SelfTest Refinement: The TSF shall shut down when any of the following types of failures occur: failure of the power-on self-tests, failure of integrity check of the TSF executable image, failure of noise source health tests.

Application Note: The intent of this requirement is to express the fail secure capabilities that the TOE possesses. This means that the TOE must be able to attain a secure/safe state (shutdown) when any of the identified failures occur. For a TOE with redundant failover capability (that continues to operate if POST passes on the redundant component), in the event of a POST failure on a redundant component, the specific component that received the POST failure will be shut down.


Assurance Activity

TSS

The evaluator shall examine the TSS to determine that it indicates that the TSF will shut down in the event that a self-test failure is detected.  For TOEs with redundant failover capability, the evaluator shall examine the TSS to determine that it indicates that the failed components will shut down in the event that a self-test failure is detected.


AGD

The evaluator shall examine the operational guidance to verify that it describes the behavior of the TOE following a self-test failure and actions that an administrator should take if it occurs.


Test

The following test may require the vendor to provide access to a test platform that provides the evaluator with the ability to modify the TOE internals in a manner that is not provided to end customers:

Test 1: The evaluator shall modify the TSF in a way that will cause a self-test failure to occur. The evaluator shall determine that the TSF shuts down and that the behavior of the TOE is consistent with the operational guidance. The evaluator shall repeat this test for each type of self-test that can be deliberately induced to fail.  For TOEs with redundant failover capability, the evaluator shall determine that the failed components shut down and the behavior of the TOE is consistent with the operational guidance.  For each component, the evaluator shall repeat each type of self-test that can be deliberately induced to fail.
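The behaviour the refined SFR, its Application Note and Test 1 describe can be captured as a small fail-secure state machine. The model below is an added illustration, not NIAP text or any vendor's TOE code: component names (`slot-A`, `slot-B`), the `SelfTest` enumeration, the `failures` map used to stand in for an evaluator deliberately inducing a self-test failure, and the event-log format are all constructed for this example. Each component runs the three failure classes named in FPT_FLS.1.1(2)/SelfTest and shuts itself down on the first failure; the TOE as a whole stays operational only while at least one redundant component has passed, which is the behaviour the Application Note permits, and a single-component TOE shuts down outright.

```python
"""Reference model of FPT_FLS.1(2)/SelfTest fail-secure behaviour for a
modular (redundant) network device. Added example; names and log lines
are constructed and not taken from any Protection Profile or product."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Iterable, List


class SelfTest(Enum):
    # The three failure types enumerated in the refined SFR.
    POST = "power-on self-test"
    IMAGE_INTEGRITY = "integrity check of the TSF executable image"
    NOISE_SOURCE_HEALTH = "noise source health tests"


class State(Enum):
    OPERATIONAL = "operational"
    SHUTDOWN = "shutdown"  # the secure state the SFR requires on failure


@dataclass
class Component:
    """One field-replaceable unit of a modular TOE (hypothetical)."""
    name: str
    # Each self-test is a callable returning True on pass. In a real TOE these
    # are the POST, image-integrity and entropy-source health routines.
    tests: Dict[SelfTest, Callable[[], bool]]
    state: State = State.OPERATIONAL

    def run_self_tests(self, log: List[str]) -> State:
        if self.state is State.SHUTDOWN:
            return self.state  # a shut-down component stays shut down
        for test, check in self.tests.items():
            if not check():
                # Fail secure: the failing component enters shutdown at the
                # first failure; no further tests are run on it.
                self.state = State.SHUTDOWN
                log.append(f"{self.name}: {test.value} FAILED -> shutdown")
                return self.state
        log.append(f"{self.name}: all self-tests passed")
        return self.state


@dataclass
class ModularTOE:
    components: List[Component]
    log: List[str] = field(default_factory=list)  # admin-visible events (AGD)

    def power_on(self) -> State:
        for component in self.components:
            component.run_self_tests(self.log)
        # Redundant failover: the TOE remains operational only while some
        # component passed. If none did, the whole device is in the secure
        # (shutdown) state, which is also the single-component case.
        if any(c.state is State.OPERATIONAL for c in self.components):
            return State.OPERATIONAL
        self.log.append("TOE: no operational component remains -> shutdown")
        return State.SHUTDOWN


def _passing() -> bool:
    return True


def _failing() -> bool:
    return False


def build_toe(slot_names: Iterable[str], failures: Dict[str, SelfTest]) -> ModularTOE:
    """Build a TOE with the given slots. `failures` maps a slot name to the
    self-test that is made to fail, standing in for the evaluator inducing a
    failure under Test 1 (constructed input)."""
    components = []
    for name in slot_names:
        tests = {t: (_failing if failures.get(name) is t else _passing) for t in SelfTest}
        components.append(Component(name, tests))
    return ModularTOE(components)


if __name__ == "__main__":
    # Redundant TOE with a POST failure induced on one slot only.
    toe = build_toe(("slot-A", "slot-B"), {"slot-A": SelfTest.POST})
    print("TOE state:", toe.power_on().value)
    for line in toe.log:
        print(" ", line)
```

Running the module shows the redundant case: `slot-A` reports the induced POST failure and shuts down, `slot-B` passes, and the TOE reports `operational`. Constructing the same TOE with failures on both slots, or a single-slot TOE with any one failure, yields `shutdown`, which is the outcome Test 1 expects the evaluator to observe and compare against the operational guidance.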

Justification

It is acceptable to allow a TOE with redundant failover capability to continue to operate if POST passes on the redundant component.
