Version: 1.02015-08-14National Information Assurance PartnershipVersion: 1.02015-08-14National Information Assurance Partnership| Version | Date | Comment |
|---|---|---|
| 1.0 | 2015-08-14 | Release - first version released |
| QQQ_QQQ.1.1 |
Application Note
|
| ADV_FSP.1.1D | The developer shall provide a functional specification. |
| ADV_FSP.1.2D | The developer shall provide a tracing from the functional specification to the
SFRs.
Application NoteAs indicated in the introduction to this section, the
functional specification is comprised of the information contained in the AGD_OPE and
AGD_PRE documentation. The developer may reference a website accessible to application
developers and the evaluator. The assurance activities in the functional requirements
point to evidence that should exist in the documentation and TSS
section; since these are directly associated with the SFRs, the tracing in element
ADV_FSP.1.2D is implicitly already done and no additional documentation is
necessary.
|
| ADV_FSP.1.1C | The functional specification shall describe the purpose and method of use for
each SFR-enforcing and SFR-supporting TSFI. |
| ADV_FSP.1.2C | The functional specification shall identify all parameters associated with each
SFR-enforcing and SFR-supporting TSFI. |
| ADV_FSP.1.3C | The functional specification shall provide rationale for the implicit
categorization of interfaces as SFR-non-interfering. |
| ADV_FSP.1.4C |
The tracing shall demonstrate that the SFRs trace to
TSFIs
in the functional specification.
|
| ADV_FSP.1.1E | The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence. |
| ADV_FSP.1.2E | The evaluator shall determine that the functional specification is an accurate
and complete instantiation of the SFRs. |
| AGD_OPE.1.1D | The developer shall provide operational user guidance.
Application NoteThe operational user guidance does not have to be contained in a
single document. Guidance to users, administrators and application developers can be
spread among documents or web pages.
Rather than repeat information here, the developer should
review the assurance activities for this component to ascertain the specifics of the
guidance that the evaluator will be checking for. This will provide the necessary
information for the preparation of acceptable guidance.
|
| AGD_OPE.1.1C | The operational user guidance shall describe, for each user role, the
user-accessible functions and privileges that should be controlled in a secure
processing environment, including appropriate warnings.
Application NoteUser and administrator are to be considered in the definition
of user role.
|
| AGD_OPE.1.2C | The operational user guidance shall describe, for each user role, how to use the
available interfaces provided by the in a secure manner. |
| AGD_OPE.1.3C | The operational user guidance shall describe, for each user role, the available
functions and interfaces, in particular all security parameters under the control of
the user, indicating secure values as appropriate.
Application Note
This portion of the operational user guidance should be presented
in the form of a checklist that can be quickly executed by IT personnel (or end-users,
when necessary) and suitable for use in compliance activities.
When possible, this guidance is to be expressed in the eXtensible Configuration
Checklist Description Format (XCCDF) to
support security automation.
Minimally, it should be presented in a structured
format which includes a title for each configuration item,
instructions for achieving the secure configuration, and any relevant rationale.
|
| AGD_OPE.1.4C | The operational user guidance shall, for each user role, clearly present each
type of security-relevant event relative to the user-accessible functions that need to
be performed, including changing the security characteristics of entities under the
control of the TSF. |
| AGD_OPE.1.5C | The operational user guidance shall identify all possible modes of operation of
the (including operation following failure or operational
error), their consequences, and implications for maintaining secure operation. |
| AGD_OPE.1.6C | The operational user guidance shall, for each user role, describe the security
measures to be followed in order to fulfill the security objectives for the
operational environment as described in the ST. |
| AGD_OPE.1.7C | The operational user guidance shall be clear and reasonable. |
| AGD_OPE.1.1E | The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence. |
| AGD_PRE.1.1D | The developer shall provide the , including its preparative
procedures.
Application NoteAs with the operational guidance, the developer should look to
the assurance activities to determine the required content with respect to preparative
procedures.
|
| AGD_PRE.1.1C | The preparative procedures shall describe all the steps necessary for secure
acceptance of the delivered in accordance with the developer's
delivery procedures. |
| AGD_PRE.1.2C | The preparative procedures shall describe all the steps necessary for secure
installation of the and for the secure preparation of the
operational environment in accordance with the security objectives for the operational
environment as described in the ST. |
| AGD_PRE.1.1E | The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence. |
| AGD_PRE.1.2E | The evaluator shall apply the preparative procedures to confirm that the can be prepared securely for operation. |
| ALC_CMC.1.1D | The developer shall provide the and a reference for the
. |
| ALC_CMC.1.1C | The shall be labeled with a unique reference.
Application NoteUnique reference information includes:
|
| ALC_CMC.1.1E | The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence. |
| ALC_CMS.1.1D |
The developer shall provide a configuration list for the .
|
| ALC_CMS.1.1C | The configuration list shall include the following: the
itself; and the evaluation evidence required by the SARs. |
| ALC_CMS.1.2C | The configuration list shall uniquely identify the configuration items. |
| ALC_CMS.1.1E | The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence. |
| ALC_TSU_EXT.1.1D | The developer shall provide a description in the TSS of how timely security
updates are made to the . |
| ALC_TSU_EXT.1.2D | The developer shall provide a description in the TSS of how users are notified
when updates change security properties or the configuration of the product. |
| ALC_TSU_EXT.1.1C | The description shall include the process for creating and deploying security
updates for the software. |
| ALC_TSU_EXT.1.2C | The description shall include the mechanisms publicly available for reporting
security issues pertaining to the . |
| ALC_TSU_EXT.1.1E | The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence. |
| ATE_IND.1.1D | The developer shall provide the for testing. |
| ATE_IND.1.1C | The shall be suitable for testing. |
| ATE_IND.1.1E | The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence. |
| ATE_IND.1.2E | The evaluator shall test a subset of the TSF to confirm that
the TSF operates as specified.
Application NoteThe evaluator will test the OS on the most current fully
patched version of the platform.
|
| AVA_VAN.1.1D | The developer shall provide the for testing. |
| AVA_VAN.1.1C | The shall be suitable for testing. |
| AVA_VAN.1.1E | The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence. |
| AVA_VAN.1.2E | The evaluator shall perform a search of public domain sources to identify
potential vulnerabilities in the .
Application NotePublic domain sources include the Common Vulnerabilities
and Exposures (CVE) dictionary for publicly-known vulnerabilities. Public domain
sources also include sites which provide free checking of files for viruses.
|
| AVA_VAN.1.3E | The evaluator shall conduct penetration testing, based on the identified
potential vulnerabilities, to determine that the is resistant to
attacks performed by an attacker possessing Basic attack potential. |