NIAP: View Technical Decision Details
NIAP/CCEVS
TD0816: Clarity for MACsec Self Test Failure Response

Publication Date
2024.03.22

Protection Profiles
MOD_MACSEC_V1.0

Other References
FPT_FLS.1, MOD_MACSEC_V1.0-SD

Issue Description

FPT_FLS.1 only requires that the TOE fail-secure, but the test is written such that only a shutdown is acceptable.

Resolution

The Application Note for FPT_FLS.1 in MOD_MACSEC_V1.0 is modified as follows, with red highlighted strikethrough denoting deletion and green highlighted underlines denoting addition:

Application Note: The intent of this requirement is to express the fail secure capabilities that the TOE possesses. This means that the TOE must be able to attain a secure/safe state (e.g., shutdown) when any of the identified failures occur. Fail secure is defined as a state where data cannot be passed without adhering to the TOE's security policies, and ensures the continued protection of any key material and user data. For a TOE with redundant failover capability (that continues to operate if power-on self-test (POST) passes on the redundant component), in the event of a POST failure on a redundant component, the specific component that received the POST failure will be shut down attain a secure/safe state (e.g., shutdown). For conformance with other PP-Modules it might be a requirement for the fail-secure state to be “shut down.”

 

The TSS Evaluation Activity for FPT_FLS.1 in MOD_MACSEC_V1.0-SD is modified as follows, with red highlighted strikethrough denoting deletion and green highlighted underlines denoting addition:

TSS

The evaluator shall examine the TSS to determine that it indicates that the TSF will shut down attain a secure/safe state (e.g., shutdown) if a self-test failure is detected. For TOEs with redundant failover capability, the evaluator shall examine the TSS to determine that it indicates that the failed components will shut down attain a secure/safe state (e.g., shutdown) if a self-test failure is detected.

 

The Test 24 Evaluation Activity for FPT_FLS.1 in MOD_MACSEC_V1.0-SD is modified as follows, with red highlighted strikethrough denoting deletion and green highlighted underlines denoting addition:

Test 24: The evaluator shall modify the TSF in a way that will cause a self-test failure to occur. The evaluator shall determine that the TSF shuts down and that the behavior of the TOE is consistent with the operational guidance. The evaluator shall repeat this test fFor each type of self-test failure mode specified in the ST that can be deliberately induced to fail, the evaluator shall ensure that the TOE attains a secure state (e.g., shutdown) after initiating each failure mode type. For TOEs with redundant failover capability, the evaluator shall determine that the failed components shut down attain a secure state and the behavior of the TOE is consistent with the operational guidance. For each component, the evaluator shall repeat each type of self-test that can be deliberately induced to fail.

Justification

See issue description.