Archived U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03

The NSA/IA Director has approved the sunsetting of the SKPP based on extensive research and documentation by the IAD Vulnerability Analysis and Operations organization. The following three documents provide the reasoning for this decision:

  1. Email sent to affected commercial partners
  2. “Separation Kernels on Commodity Workstations”
  3. “SKPP Sunset Q&A”

Short Name: pp_skpp_hr_v1.03

Technology Type: Operating System

CC Version: 2.x

Date: 29 June 2007

Sunset Date: 01 September 2011

Conformance Claim: High Robustness



This “U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness” (SKPP) specifies the security functional and assurance requirements for a class of separation kernels [10]. Unlike those traditional security kernels which perform all trusted functions for a secure operating system, a separation kernel’s primary security function is to partition (viz. separate) the subjects and resources of a system into security policy-equivalence classes, and to enforce the rules for authorized information flows between and within partitions.

Products that conform to this protection profile support information flow control, resource isolation, trusted initialization, trusted delivery, trusted recovery and audit capabilities [6]. The isolation and information flow policies are defined by the separation kernel’s configuration data. A conformant product also includes the support tools and procedures used to accurately generate and securely distribute that configuration data. Specific assurance requirements are allocated to those support tools and procedures.

A separation kernel evaluated against this PP provides a highly robust foundation for system services and applications in mission-critical systems, and a high degree of assurance for the enforcement of related security policies. Such policies include those for the management of classified and other high-valued information, whose confidentiality, integrity or releasability must be protected. For example, SKPP separation mechanisms, when integrated within a high assurance security architecture, are appropriate to support critical security policies for the Department of Defense (DoD), Intelligence Community, the Department of Homeland Security, Federal Aviation Administration, and industrial sectors such as finance and manufacturing.

The claim that products conforming to this protection profile are candidates for use in National Security Systems[1] derives from its basis in DoD and National Information Assurance (IA) guidance and policies. However, conformance to this protection profile, by itself, does not offer sufficient confidence that national security information is appropriately protected in the context of a larger system in which the conformant product is integrated. Designers of such systems must apply appropriate systems security engineering principles and techniques to afford acceptable protection for national security information. In particular, it is the responsibility of the system designer and authorized administrator to define support for a coherent application-level security policy in the separation kernel’s configuration data, as well as to ensure that the configuration data itself is coherent and self-consistent. It is only with well-formed configuration data that the separation kernel can be expected to enforce mission-critical security policies. Requirements for coherent configuration data are indicated in the environmental objectives (OE.TRUSTED_FLOWS). The judgment as to whether a given instantiation of configuration data is well formed with respect to a particular application-level security policy is beyond the scope of this protection profile, but must be determined before secure deployment of an SKPP-based product.

[1] National Security Systems are systems that contain classified information or involve intelligence activities, involve cryptologic activities related to national security, involve command and control of military forces, involve equipment that is an integral part of a weapon or weapon system, or involve equipment that is critical to the direct fulfillment of military or intelligence missions.

This U.S. Government Approved Protection Profile is not assigned to any Validated Products

This U.S. Government Approved Protection Profile does not have any related Technical Decisions

Please forward any questions or comments to