NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0118:  FAU_GEN.1 Application of Audit Requirements Update

Publication Date
2016.10.27

Protection Profiles
PP_MD_v2.0, PP_MD_v3.0

Other References
FAU_GEN.1.1; FAU_GEN.1.2

Issue Description

It may be useful to revise the FAU_GEN requirements since success/failure of update is not expected (just initiation). FAU_GEN.1.2 mandates outcome (success or failure) which is likely causing confusion in this area.

Resolution

For PP_MD_V2.0:

FAU_GEN.1.1 Application Note
If FAU_GEN.1 is included in the ST, it is acceptable to include individual SFRs from Table 10 in the ST, without including the entirety of Table 10.

FAU_GEN.1.2 Application Note
For each audit event selected from Table 10 in FAU_GEN.1.1 if additional information is required to be recorded within the audit record, it should be included in this selection.

Table 10 Application Note
If FMT_SMF_EXT.1 is included in the ST, it is acceptable for the initiation of the software update to be audited without indicating the outcome (success or failure) of the update.

     

For PP_MD_V3.0:

Table 2 Application Note
If FMT_SMF_EXT.1 is included in the ST, it is acceptable for the initiation of the software update to be audited without indicating the outcome (success or failure) of the update.

Justification

It is acceptable that zero requirements from Table 10 are included in evaluations against MDF v2.0. This is an objective requirement and so, it is not required for any of the devices being evaluated to meet them.

Given that FAU_GEN.1 are objective requirements, if a subset of devices in the evaluation meets them, that's ok.  It just needs to be clearly distinguishable which device meets the SFR (and which doesn't) in the ST.     

 
 
Site Map              Contact Us              Home