Version | Date | Comment |
---|---|---|
2.0 | 2025-07-18 | Initial draft (version numbering chosen for alignment with the ESM family of modules) |
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Direct Rationale | A type of Protection Profile, PP-Module, or Security Target in which the security problem definition (SPD) elements are mapped directly to the SFRs and possibly to the security objectives for the operational environment. There are no security objectives for the TOE. |
Distributed TOE | A TOE composed of multiple components operating as a logical whole. |
Extended Package (EP) | A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages. |
Functional Package (FP) | A document that collects SFRs for a particular protocol, technology, or functionality. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |
Endpoint | A computing device that runs a general purpose OS, mobile device OS, or network device OS. Endpoints can include desktops, servers, and mobile devices. |
Endpoint Detection and Response (EDR) | A system that analyzes collected EDR Host Agent data for detecting, investigating, and remediating unauthorized activities on endpoints. |
Enrolled State | The state in which an endpoint with a running Host Agent is managed by an EM. Also, referred to as Onboarding. |
Enrollment | The process of transitioning an endpoint from an unenrolled to an enrolled state. |
Enterprise Security Management (EM) | A type of application hosted on a server or cloud service that provides support for security management, information flows, reporting, policy, and data analytics in complex enterprise environments. |
Host Agent | A logical piece of software that executes on endpoints to collect data about the endpoint and executes commands sent to the endpoint from an EM server or service. An example command sent to an endpoint could be to enforce a policy from an EM, to collect some files, or to run an OS command. |
Operating System (OS) | Software that manages physical and logical resources and provides services for applications. |
Unenrolled State | The state in which an endpoint, with or without a Host Agent, is not managed by an EM. Also, referred to as Offboarding. |
If this feature is implemented by the TOE, the following requirements must be claimed in the ST:
An organization deploying the TOE is expected to satisfy the organizational security policy listed below in addition to all organizational security policies defined by the claimed Base-PP.
This document does not define any additional OSPs.Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_ALT_EXT.1 | ||
Type of alert | Identity of system or agent that sent alert | |
FAU_CRP_EXT.2 | ||
No events specified | N/A | |
FAU_GEN.1 | ||
No events specified | N/A | |
FAU_NET_EXT.1 | ||
No events specified | N/A | |
FAU_STG.1 | ||
No events specified | N/A | |
FIA_UAU.1 | ||
No events specified | N/A | |
FMT_MOF.1 | ||
Issuance of command to perform function | Command sent and identity external recipients | |
Change of policy settings | Policy changed and value or full policy | |
FMT_SMF.1/External | ||
No events specified | N/A | |
FMT_SMF.1/Internal | ||
Success or failure of function | No additional information | |
FMT_SMR.1 | ||
No events specified | N/A | |
FTP_ITC.1 | ||
Initiation and termination of the trusted channel |
| |
FTP_TRP.1 | ||
Initiation and termination of the trusted channel |
|
Requirement | Auditable Events | Additional Audit Data Contents |
FCS_TLSC_EXT.1 | Failure to establish a TLS session. | Reason for failure. |
FCS_TLSC_EXT.1 | Failure to verify presented identifier. | Presented identifier and reference identifier. |
FCS_TLSS_EXT.1 | Failure to establish a TLS session. | Reason for failure. |
FCS_DTLSC_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. |
FCS_DTLSS_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. |
Per FAU_GEN.1.1, audit data may be generated by the TOE, the platform, or both. If audit data is generated by the TOE, the TSF must have the ability to securely transmit this data to a remote entity. It may additionally store this data within the TOE boundary, in which case "the TOE itself" is selected and FAU_STG.2 must be included in the ST. Regardless of whether the TSF stores the audit data it generates within the TOE boundary, the TOE must always be able to securely transmit the audit data it generates to a remote entity. If audit data is generated by the platform, any secure local storage or secure remote transmission of this data is the responsibility of the platform.
Although the audit server is outside of the TOE, the TSF should still be able to support
mutual authentication. There are no requirements levied on the audit server, but the TOE should be
able to support TLS client certificate authentication. This way if the non-TOE audit server does
support verifying client certs, the TSF is able to make use of that.
For distributed TOEs, each component must be able to export any audit data it generates across a protected channel. This may involve individual components independently transmitting audit data to the same environmental audit server via FTP_ITC.1, or it may involve one component of a distributed TOE aggregating audit data generated by other components prior to external transmission. In this case, the internal communication of audit data is protected via the mechanisms specifed in FTP_ITT.1. The intent of this requirement in the context of a distributed TOE is that all audit data generated by all components of the TSF be transmitted to an environmental entity entirely through trusted channels, regardless of whether it is transmitted directly from the TSF to the operational environment or whether it is first transmitted to another part of the TOE.
The following rationale provides justification for each SFR for the TOE,
showing that the SFRs are suitable to address the specified threats:
Threat | Addressed by | Rationale |
---|
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.NETWORK_ATTACK | |
T.NETWORK_EAVESDROP | |
T.LOCAL_ATTACK | |
T.LIMITED_PHYSICAL_ACCESS |
This PP-Module does not define any objectives for the TOE's Operational Environment.
PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
This PP-Module does not modify any requirements when the App PP is the base. | |
Additional SFRs | |
This PP-Module does not add any requirements when the App PP is the base. | |
Mandatory SFRs | |
FAU_ALT_EXT.1 | |
FAU_CRP_EXT.2 | |
FAU_GEN.1 | |
FAU_NET_EXT.1 | |
FAU_STG.1 | |
FIA_UAU.1 | |
FMT_MOF.1 | |
FMT_SMF.1/External | |
FMT_SMF.1/Internal | |
FMT_SMR.1 | |
FTP_ITC.1 | |
FTP_TRP.1 | |
Optional SFRs | |
This PP-Module does not define any Optional requirements. | |
Objective SFRs | |
This PP-Module does not define any Objective requirements. | |
Implementation-dependent SFRs | |
FCO_CPC_EXT.1 | |
FPT_ITT.1 | |
Selection-based SFRs | |
FAU_SAR.1 | |
FAU_STG.2 | |
FTP_TRP.1/Join |
This PP-Module does not define any Strictly Optional SFRs or SARs.
This PP-Module does not define any Objective SFRs.
Functional Class | Functional Components |
---|---|
Communications (FCO) | FCO_CPC_EXT Component Registration Channel Definition |
Security Audit (FAU) | FAU_ALT_EXT Server Alerts FAU_CRP_EXT Support for Compliance Reporting Configuration FAU_NET_EXT Network Reachability Review |
FCO_CPC_EXT.1, Component Registration Channel Definition, defines requirements for the registration process for distributed TOEs.
There are no management activities foreseen.
The following actions should be auditable if FAU_GEN security audit data generation is included in the PP or ST.
Hierarchical to: | No other components. |
Dependencies to: |
FPT_ITT.1 TSF Data Transfer FTP_TRP.1 Trusted Path |
FAU_ALT_EXT.1, Server Alerts, defines requirements for alerting the administrator to events.
The following actions could be considered for the management functions in FMT.
The following actions should be auditable if FAU_GEN security audit data generation is include in the PP or ST.
Hierarchical to: | No other components. |
Dependencies to: | No dependencies. |
FAU_CRP_EXT.2, Generation of Compliance Reports, defines requirements for the contents and presentation of compliance reports.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FTP_ITC.1 Inter-TSF Trusted Channel |
FAU_NET_EXT.1, Network Reachability Review, defines requirements for authorized administrators to read network connectivity status.
The following actions could be considered for the management functions in FMT.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | No dependencies. |
Acronym | Meaning |
---|---|
API | Application Programming Interface |
Base-PP | Base Protection Profile |
CC | Common Criteria |
CEM | Common Evaluation Methodology |
cPP | Collaborative Protection Profile |
EA | Evaluation Activity |
ECDSA | Elliptic Curve Digital Signature Algorithm |
EDR | Endpoint Detection and Response |
EM | Enterprise Security Management |
EP | Extended Package |
FIPS | Federal Information Processing Standards |
FP | Functional Package |
IP | Internet Protocol |
ISO | International Organization for Standardization |
IT | Information Technology |
NIAP | National Information Assurance Partnership |
NIST | National Institute of Standards and Technology |
OE | Operational Environment |
OS | Operating System |
PP | Protection Profile |
PP-Configuration | Protection Profile Configuration |
PP-Module | Protection Profile Module |
RSA | Rivest, Shamir, Adleman (digital signature algorithm) |
SAR | Security Assurance Requirement |
SFR | Security Functional Requirement |
ST | Security Target |
TOE | Target of Evaluation |
TSF | TOE Security Functionality |
TSFI | TSF Interface |
TSS | TOE Summary Specification |
Identifier | Title |
---|---|
[CC] | Common Criteria for Information Technology Security Evaluation -
|
[CEM] | Common Methodology for Information Technology Security Evaluation -
|
[AppPP] | Protection Profile for Application Software, Version 2.0, June 16, 2025 |