NIAP: View Technical Decision Details
TD0321:  Protection of NTP communications

Publication Date
2018.05.21

Protection Profiles

Other References
FTP_ITC.1, FPT_STM_EXT.1

Issue Description

Trusted Channel (FTP_ITC.1) is optional but not mandated for the FPT_STM_EXT.1.2 in cPP_ND_v2.0E and cPP_FW_v2.0E.  However, when an NTP server is used to set the TOE clock, the time is considered TSF data, and the authentication and integrity of the NTP communication must be protected.

Resolution

Updated 5/30/18: The effective date of this Technical Decision is July 1, 2018.

 

For all NIAP evaluations and CCRA member nations product evaluations posted on the NIAP PCL, when an NTP server is used to set the TOE clock, the time is considered TSF data, and the authentication and integrity of the NTP communication must be protected.

Therefore, Application Note 35 in NDcPP2.0E and Application Note 36 in FWcPP2.0E for FPT_STM_EXT.1 are modified as follows:

Reliable time stamps are expected to be used with other TSF, e.g. for the generation of audit data to allow the Security Administrator to investigate incidents by checking the order of events and to determine the actual local time when events occurred. The decision about the required level of accuracy of that information is up to the Administrator. The TOE depends on external time and date information, either provided manually by the Security Administrator or through the use of one or more external time sources like NTP servers. The corresponding option(s) shall be chosen from the selection in FPT_STM_EXT.1.2. The use of a local real-time clock and the automatic synchronisation with an external time source (e.g. NTP server) is recommended but not mandated. If a Security Administrator is modifying the system time remotely they must use a protected communication path as specified in FPT_TRP.1/Admin. If the TOE uses an external entity to modify the system time (NTP Server, or non-NTP external entity), such connections must be performed in accordance with FTP_ITC.1. External time source entities that do not use cryptography for authentication and integrity verification are not allowed. The ST author describes in the TSS how the external time and date information is received by the TOE and how this information is maintained.

The term “reliable time stamps” refers to the strict use of the time and date information, that is provided externally, and the logging of all discontinuous changes to the time settings including information about the old and new time. With this information the real time for all audit data can be determined. Note, that all discontinuous time changes, Administrator actuated or changed via an automated process, must be audited. No audit is needed when time is changed via use of kernel or system facilities – such as daytime (3) – that exhibit no discontinuities in time.


For distributed TOEs it is expected that the Security Administrator ensures synchronization between the time settings of different TOE components. All TOE components shall either be in sync (e.g. through synchronisation between TOE components or through synchronisation of different TOE components with external NTP servers) or the offset should be known to the Administrator for every pair of TOE components. This includes TOE components synchronized to different time zones.
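The "reliable time stamps" paragraph above says that the real time of all audit data can be determined once every discontinuous change is logged with its old and new time. The following Python sketch is an added illustration of that reconstruction and is not part of the Application Note or of NIAP's text. The record layout, the field names (`ts`, `old`, `new`), the `time_change` event name and the sample log are assumptions, as is the premise that the clock in force at the end of the log is the reference and that the clock runs at true rate between steps.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail, in the order the records were written.
# "ts" is the TOE clock when the record was logged; a "time_change" record
# is stamped with the old time and carries the old and new values.
AUDIT = [
    {"ts": "2018-07-01T00:00:10", "event": "boot"},
    {"ts": "2018-07-01T00:05:00", "event": "login_failure"},
    {"ts": "2018-07-01T00:06:00", "event": "time_change",
     "old": "2018-07-01T00:06:00", "new": "2018-07-01T09:30:00"},
    {"ts": "2018-07-01T09:39:50", "event": "config_change"},
    {"ts": "2018-07-01T09:40:00", "event": "time_change",
     "old": "2018-07-01T09:40:00", "new": "2018-07-01T09:39:30"},
    {"ts": "2018-07-01T09:39:45", "event": "login_success"},
]

def _t(s):
    return datetime.fromisoformat(s)

def corrected_times(records):
    """Map every record onto the timeline of the clock in force at the end of the log."""
    offset, out = timedelta(0), []
    for rec in reversed(records):              # later steps shift all earlier records
        if rec["event"] == "time_change":
            out.append((rec["event"], _t(rec["new"]) + offset))
            offset += _t(rec["new"]) - _t(rec["old"])
        else:
            out.append((rec["event"], _t(rec["ts"]) + offset))
    return out[::-1]

def unaudited_backward_steps(records):
    """Indices where the logged clock runs backwards with no time_change record
    explaining it. Forward jumps cannot be told apart from idle time this way."""
    suspicious, clock = [], None
    for i, rec in enumerate(records):
        ts = _t(rec["ts"])
        if clock is not None and ts < clock:
            suspicious.append(i)
        clock = _t(rec["new"]) if rec["event"] == "time_change" else ts
    return suspicious
```

If the second `time_change` record is missing from the trail, the `login_success` record appears to precede `config_change`, and `unaudited_backward_steps` reports it.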

 

 

Justification

See issue description.