NIAP: Assurance Continuity
NIAP/CCEVS
Assurance Continuity - Cisco Network Convergence System 1000 Series

Date of Maintenance Completion:  2020.09.09

Product Type:    Router
   Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.1

Original Evaluated TOE:  2020.07.07 - Cisco Network Convergence System (NCS) 1000 Series

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation.

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.

Product Description

Each of the software fixes to Cisco Network Convergence System 1000 Series fell into one of the following categories:

Major Changes

None.

Minor Changes

 

Software bug fixes resulted in what were considered to be “Minor Changes”. There were 12 bug fixes implemented in all, between IOS-XR version 7.0 and 7.2.1. The rationale in the IAR for each was inspected and the overall Minor Change characterization was considered appropriate. Changes related to the Optical Service Channel, pluggable registration, FPD downgrade, reload errors, Install Commit log message failures and re-applying the Network Terminal Loopback. No functionality, as defined in the SFRs, was impacted, and none of the software updates affected the security functionality or the SFRs identified in the Security Target.

Regression Testing:

Each individual change was unit tested, and the IOS-XR 7.2.1 software image has had a limited amount of automated regression testing covering all major areas of baseline client functionality. Testing was completed by Cisco Business Unit engineers and developers. There were no changes to any SFR or SAR; therefore, detailed regression testing was not required.

NIST CAVP Certificates:

The operational environment under which the validated cryptographic algorithm implementation was tested is the same as the operational environment of the changed TOE.  Therefore, the cryptographic algorithm implementation validated for CAVP conformance also applies to the changed TOE.

Vulnerability Analysis:

A public search for vulnerabilities that might affect the TOE was performed on August 17, 2020. All vulnerabilities found using the national sites and search terms below have been addressed in the release of IOS-XR 7.2.1 (version of the TOE under Assurance Maintenance).

A search of the following national sites was conducted:

· National Vulnerability Database: https://nvd.nist.gov
· US-CERT: https://www.us-cert.gov
· Security Focus: www.securityfocus.com

The following key words, product, and vendor were each selected for search criteria:

Product:

o Cisco Network Convergence System 1000 Series (NCS 1001)
o Cisco Network Convergence System 1000 Series (BCS 1004)
o IOS-XR
o Cisco IOS-XR 7.2
o Intel Atom C2516
o Intel Atom C3758
o Cisco FIPS Object Module 6.0

Vendor:

o Cisco

Summary of the analysis 

The vulnerability search returned 15 results. Most issues were protocol and code vulnerabilities discovered in the IOS XR software that were mitigated in version 7.2.1. Other vulnerabilities discovered did not directly impact the TOE or were not relevant to the evaluated configuration.

Vendor Information


Cisco Systems, Inc.
Cert Team
4103094862
certteam@cisco.com

www.cisco.com