Assurance Continuity - Cisco Network Convergence System 1000 Series
Date of Maintenance Completion: 2020.09.09
CC Certificate, Validation Report, Assurance Activity
Product Type: Router
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
Original Evaluated TOE: 2020.07.07 - Cisco Network Convergence System (NCS) 1000 Series
Please note: The above files are for the Original Evaluated TOE. Consequently, they do not refer to this maintained version, although they apply to the maintained version.
Security Target *, Assurance Continuity Maintenance Report, Administrative Guide
Please note: This serves as an addendum to the VR for the Original Evaluated TOE.
* This is the Security Target (ST) associated with this latest Maintenance Release.
Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.
Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target. Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.
Each of the software fixes to Cisco Network Convergence System 1000 Series fell into the following categorization:
Software bug fixes resulted in what were considered to be “Minor Changes”. There were 12 bug fixes implemented in all, between IOS-XR version 7.0 and 7.2.1. The rationale in the IAR for each was inspected and the overall Minor Change characterization was considered appropriate. Changes related to the Optical Service Channel; pluggable registration; FPD downgrade; Reload errors; Install Commit log message failures; and re-applying the Network Terminal Loopback. No functionality, as defined in the SFRs, was impacted, and none of the software updates affected the security functionality or the SFRs identified in the Security Target.
Each individual change was unit tested, and the IOS-XR 7.2.1 software image has had a limited amount of automated regression testing covering all major areas of baseline client functionality. Testing was completed by Cisco Business Unit engineers and developers. There were no changes to any SFR or SAR; therefore, detailed regression testing was not required.
NIST CAVP Certificates:
The operational environment under which the validated cryptographic algorithm implementation was tested is the same as the operational environment of the changed TOE. Therefore, the cryptographic algorithm implementation validated for CAVP conformance also applies to the changed TOE.
A public search for vulnerabilities that might affect the TOE was performed on August 17, 2020. All vulnerabilities found using the national sites and search terms below have been addressed in the release of IOS-XR 7.2.1 (version of the TOE under Assurance Maintenance).
A search of the following national sites was conducted:
· National Vulnerability Database: https://nvd.nist.gov
· US-CERT: https://www.us-cert.gov
· Security Focus: www.securityfocus.com
The following key words, product, and vendor were each selected for search criteria:
o Cisco Network Convergence System 1000 Series (NCS 1001)
o Cisco Network Convergence System 1000 Series (BCS 1004)
o Cisco IOS-XR 7.2
o Intel Atom C2516
o Intel Atom C3758
o Cisco FIPS Object Module 6.0
Summary of the analysis
The vulnerability search returned 15 results. Most issues were protocol and code vulnerabilities discovered in the IOS XR software that were mitigated in version 7.2.1. Other vulnerabilities discovered did not directly impact the TOE or were not relevant to the evaluated configuration.
Cisco Systems, Inc.