NIAP: Assurance Continuity
Assurance Continuity - Curtiss-Wright Defense Solutions Data Transport System 1-Slot Hardware Encryption Layer

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original Validation Report and Security Target. Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.

Product Description

The changes to the TOE include extra error and bounds checking. The impact of these changes is minor and does not directly impact the assurance. Changes include items such as additional auditing events, minor bug fixes, usability issue fixes, and added security checks beyond those required. The changes are described in the table below.

| Change Description | Security Analysis |
| --- | --- |
| Fixed an issue at -45C where RNG source would not function correctly. | The EAR claimed the health check bottom range is -40. This is outside the claimed range. |
| When PSK is erased, the action is logged. | Auditing is not an evaluated function. |
| Zeroizing the HW-Layer will now log a tamper event. | Auditing is not an evaluated function. |
| Enhanced validation of ATECC508A to ensure storage unwritten. | During a first ever power-up event (at the manufacturer), the firmware sets the ATECC508A storage portion to all 0's (a known value). Previously, the write of the 0's was not being verified (write, read, verify). This is an added security check beyond those required. |
| Payload checksum previously did not include the command code or the payload size in its calculation. Must have software 3.00.03-fips loaded for this fix. | Added extra error checking to the interaction between the layers. There is a checksum of the payload being sent from the S/W layer to the H/W layer. In previous versions, the command byte was not included in this calculation. If a bit error occurred on the I2C bus, then instead of one command (updating the sensors) the H/W layer would perform a zeroize PSK command. This is an added function and no SFRs are directly impacted by this change. |
| Fixed a problem where HW-Layer would enter an abort state while clearing sensitive data from the internal RAM. | This was an error condition being handled improperly. This has been corrected and no SFRs are directly impacted by this change. |
| Changed zeroize flag routine in attempt to fix valid PSK flag from getting corrupted. | This was an error condition being handled improperly. This is a usability issue. |
| Increased size of buffer being passed to system configuration PROM functions. | This is an added bounds feature to ensure proper configuration is passed. This is added error checking and no SFRs are directly impacted by this change. |
| Fixed a problem where powering off the unit during a zeroize would erase the PSK and valid PSK flag. | There was a bug during zeroization in which a single byte in the ATECC508A was getting corrupted. This single byte indicates whether or not the PSK that is stored in the ATECC508A is valid. If this flag gets erased, the H/W layer will no longer be able to create a user account because the PSK is no longer valid (i.e. the user token/HMAC cannot be encrypted/generated). This is a low level error detection issue and no SFRs are directly impacted by this change. |
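The payload checksum change in the table above, worked through as an added example that is not code from the vendor or from this listing: a single-bit error in the command byte passes a payload-only check and is rejected once the check covers command code and size. The command codes, frame layout and CRC-8 are assumptions, since the page does not specify them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical command codes, one bit apart (not taken from the product). */
enum { CMD_UPDATE_SENSORS = 0x10, CMD_ZEROIZE_PSK = 0x11 };

struct frame { uint8_t cmd; uint8_t len; uint8_t payload[8]; uint8_t check; };

/* CRC-8, polynomial 0x07: assumed stand-in for the unspecified checksum. */
static uint8_t crc8(uint8_t crc, const uint8_t *p, size_t n) {
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Previous behaviour as described: only the payload bytes are covered. */
static uint8_t check_payload_only(const struct frame *f) {
    return crc8(0, f->payload, f->len);
}

/* Fixed behaviour as described: command code and size are covered too. */
static uint8_t check_full(const struct frame *f) {
    uint8_t hdr[2] = { f->cmd, f->len };
    return crc8(crc8(0, hdr, 2), f->payload, f->len);
}

/* Receiver side: returns the command to execute, or -1 if the frame is rejected. */
static int receive(const struct frame *f, int cover_header) {
    if (f->len > sizeof f->payload) return -1;   /* bounds check before use */
    uint8_t want = cover_header ? check_full(f) : check_payload_only(f);
    return (want == f->check) ? f->cmd : -1;
}

/* Send "update sensors", flip bit 0 of the command byte in transit
   (constructed bus error), and return what the receiver does with it. */
static int simulate_bit_error(int cover_header) {
    struct frame f = { CMD_UPDATE_SENSORS, 4, { 0x01, 0x02, 0x03, 0x04 }, 0 };
    f.check = cover_header ? check_full(&f) : check_payload_only(&f);
    f.cmd ^= 0x01;
    return receive(&f, cover_header);
}

int main(void) {
    printf("payload-only check: %d\n", simulate_bit_error(0));
    printf("full-frame check:   %d\n", simulate_bit_error(1));
    return 0;
}
```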


Vendor Information

Robin Lamb