NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
Archived U.S. Government Approved Protection Profile - Protection Profile for Email Clients Version 1.0
This document provides a baseline set of Security Functional Requirements (SFRs) for an Email client, which is the Target of Evaluation (TOE).
Email clients are applications used to send, receive, access and manage email provided by an email server. The complexity of email content and email clients has grown over time. Modern email clients can render HTML as well as plaintext, and may include functionality to display common attachment formats, such as Adobe PDF and Microsoft Word documents. Some email clients allow their functionality to be modified by users through the addition of extensions or plug-ins. Protocols have also been defined for communicating between email clients and servers. Some clients support multiple protocols for doing the same task, allowing them to be configured according to email server specifications.
The complexity and rich feature set of modern email clients make them a target for attackers, introducing security concerns. This document is intended to facilitate the improvement of email client security by requiring use of operating system security services, cryptographic standards, and environmental mitigations. Additionally, the requirements in this document define acceptable behavior for email clients regardless of the security features provided by the operating system.
The requirements apply to all email clients that run on any operating system, regardless of the composition of the underlying platform. For purposes of this document, an application is defined as software that runs on an operating system and performs tasks on behalf of the user or owner of the platform. An email client is an application that retrieves and manages email provided by an email server. Extensions and plug-ins are code packages that can be loaded by the email client to introduce new or specialized functionality to the client.
This U.S. Government Approved Protection Profile is not assigned to any Validated Products
This U.S. Government Approved Protection Profile does not have any related Technical Decisions