NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0230:  ALC Assurance Activities for Server Virtualization and Base Virtualization PPs

Publication Date
2017.09.06

Protection Profiles
PP_BASE_VIRTUALIZATION_V1.0, PP_SV_V1.1

Other References
ALC_CMC.1, ALC_CMS.1

Issue Description

Incorrect assurance activities for ALC_CMC.1.1E and ALC_CMS.1.1E in both PP_BASE_VIRTUALIZATION_V1.0 and PP_SV_V1.1.

Resolution

For both PP_BASE_VIRTUALIZATION_V1.0 and PP_SV_V1.1, make the following changes to the assurance activities of ALC_CMC.1.1E and ALC_CMS.1.1E:

1. Replace Assurance Activity for ALC_CMC.1.1E

Current:

The evaluator shall verify that the TOE has been provided with its unique reference labeled. The evaluator shall verify that the CM documentation has been provided and that it describes the method used to uniquely identify each configuration item. The evaluator shall verify that the developer has used a CM system and that this system uniquely identifies each configuration item.

New:

The evaluator shall check the ST to ensure that it contains an identifier (such as a product name/version number) that specifically identifies the version that meets the requirements of the ST. Further, the evaluator shall check the AGD guidance and TOE samples received for testing to ensure that the version number is consistent with that in the ST. If the vendor maintains a web site advertising the TOE, the evaluator shall examine the information on the web site to ensure that the information in the ST is sufficient to distinguish the product.

2. Replace Assurance Activity for ALC_CMS.1.1E

Current:

The evaluator shall verify that the developer has provided a configuration list for the TOE that contains each item highlighted above. The evaluator shall verify that each item in the configuration list is uniquely identified and its developer is indicated.

New:

The evaluator shall ensure that the developer has identified (in public-facing development guidance for their platform) one or more development environments appropriate for use in developing applications for the developer’s platform. For each of these development environments, the developer shall provide information on how to configure the environment to ensure that buffer overflow protection mechanisms in the environment(s) are invoked (e.g., compiler and linker flags). The evaluator shall ensure that this documentation also includes an indication of whether such protections are on by default, or have to be specifically enabled.
The evaluator shall ensure that the TSF is uniquely identified (with respect to other products from the TSF vendor), and that documentation provided by the developer in association with the requirements in the ST is associated with the TSF using this unique identification.

Justification

Incorrect assurance activities for ALC_CMC.1 and ALC_CMS.1.

 
 