Version | Date | Comment |
---|---|---|
1.0 | 2013-10-21 | Initial Release |
1.1 | 2014-02-07 | Typographical changes and clarifications to front-matter |
2.0 | 2014-12-31 | Separation of MDM Agent SFRs. Updated cryptography, protocol, and X.509 requirements. Updated management functions to match MDFPPv2.0. Included SSH as a remote administration protocol. Removed IPsec as a protocol for communicating with the MDM Agent. Added X.509 enrollment objective requirement. Added optional Mobile Application Store requirements. |
3.0 | 2016-11-21 | Updates to align with Technical Decisions. Added requirements to support the BYOD use case. Removed IPsec and SSH requirements, which are now contained in EPs. |
4.0 | 2018-09-24 | Updates to align with Technical Decisions. Removed platform dependency. Removed TLS SFRs and utilize the TLS Functional Package. Allowed for a distributed TOE. |
Term | Meaning |
---|---|
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Distributed TOE | A TOE composed of multiple components operating as a logical whole. |
Extended Package (EP) | A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages. |
Functional Package (FP) | A document that collects SFRs for a particular protocol, technology, or functionality. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |
Application Programming Interface (API) | A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform. |
Administrator | The person who is responsible for management activities, including setting the policy that is applied by the enterprise on the mobile device. |
Critical Security Parameter (CSP) | Security-related information whose disclosure or modification can compromise the security of a cryptographic module and/or authentication system. |
Data | Program or application or data files that are stored or transmitted by a server or MD. |
Data Encryption Key (DEK) | A key used to encrypt data-at-rest. |
Developer Modes | States in which additional services are available to a user in order to provide enhanced system access for debugging of software. |
Enrolled State | The state in which a mobile device is managed by a policy from an MDM. |
Enrollment over Secure Transport (EST) | Cryptographic protocol that describes an X.509 certificate management protocol targeting public key infrastructure (PKI) clients that need to acquire client certificates and associated certificate authority (CA) certificates. |
Enterprise Applications | Applications that are provided and managed by the enterprise as opposed to a public application store. |
Enterprise Data | Any data residing in enterprise servers or temporarily stored on mobile devices to which the mobile device user is allowed access according to the security policy defined by the enterprise and implemented by the administrator. |
Key Encryption Key (KEK) | A key that is used to encrypt other keys, such as DEKs, or storage repositories that contain keys. |
Locked State | Mobile device state where the device is powered on but most functionality is unavailable for use without authentication. |
Mobile Device (MD) | A device which is composed of a hardware platform and its system software. The device typically provides wireless connectivity and may include software for functions like secure messaging, email, web, VPN connection, and VoIP (Voice over IP), for access to the protected enterprise network, enterprise data and applications, and for communicating to other MDs. |
Mobile Device Management (MDM) | Products that allow enterprises to apply security policies to MDs. This system consists of two primary components: the MDM Server and the MDM Agent. |
Mobile Device User | The person who uses and is held responsible for an MD. |
Operating System (OS) | Software which runs at the highest privilege level and can directly control hardware resources. Modern mobile devices typically have at least two primary operating systems: one which runs on the cellular baseband processor and one which runs on the application processor. The platform of the application processor handles most user interaction and provides the execution environment for apps. The platform of the cellular baseband processor handles communications with the cellular network and may control other peripherals. The term OS, without context, may be assumed to refer to the platform of the application processor. |
Powered-Off State | Mobile device shutdown state. |
Protected Data | All non-TSF data on the mobile device, including user or enterprise data. Protected data is encrypted while the mobile device is in the powered-off state. This includes keys in software-based storage. May overlap with sensitive data. |
Root Encryption Key (REK) | A key tied to a particular device that is used to encrypt all other keys for that device. |
Sensitive Data | Data that is encrypted by the mobile device. May include all user or enterprise data or may be data for specific applications such as emails, messaging, documents, calendar items, or contacts. May be protected while the mobile device is in the locked state. Must include at minimum some keys in software-based key storage. |
Trust Anchor Database | A list of trusted root Certificate Authority certificates. |
Unenrolled State | Mobile device state when it is not managed by an MDM. |
Unlocked State | Mobile device state where it is powered on and its functionality is available for use. |
Requirement | Description | Distributed TOE SFR Allocation |
---|---|---|
FAU_ALT_EXT.1 | Server Alerts | One |
FAU_CRP_EXT.1 | Support for Compliance Reporting of Mobile Device Configuration | One |
FAU_GEN.1/AUDITGEN | Audit Data Generation | All |
FAU_GEN.1/MAS_SERVER | Audit Data Generation | Feature Dependent |
FAU_NET_EXT.1 | Network Reachability Review | One |
FAU_SAR.1 | Audit Review | Feature Dependent |
FAU_SEL.1 | Security Audit Event Selection | One |
FAU_STG_EXT.1 | External Trail Storage | All |
FAU_STG_EXT.2 | Audit Event Storage | Feature Dependent |
FCO_CPC_EXT.1 | Communication Partner Control | All |
FCS_CKM.1 | Cryptographic Key Generation | Feature Dependent |
FCS_CKM.2 | Cryptographic Key Establishment | All |
FCS_CKM_EXT.4 | Cryptographic Key Destruction | All |
FCS_COP.1.1/CONF_ALG | Cryptographic Operation (Confidentiality Algorithms) | All |
FCS_COP.1.1/HASH_ALG | Cryptographic Operation (Hashing Algorithms) | All |
FCS_COP.1.1/SIGN_ALG | Cryptographic Operation (Signature Algorithms) | All |
FCS_COP.1.1/KEY_HASH | Cryptographic Operation (Keyed-Hash Message Authentication) | All |
FCS_HTTPS_EXT.1 | HTTPS Protocol | Feature Dependent |
FCS_IV_EXT.1 | Initialization Vector Generation | Feature Dependent |
FCS_RBG_EXT.1 | Random Bit Generation | All |
FCS_STG_EXT.1 | Cryptographic Key Storage | All |
FCS_STG_EXT.2 | Encrypted Cryptographic Key Storage | Feature Dependent |
FIA_ENR_EXT.1 | Enrollment of Mobile Device into Management | One |
FIA_UAU.1 | Timing of Authentication | One |
FIA_UAU_EXT.4/REUSE | User Authentication | One |
FIA_UAU_EXT.4/REUSE_ENROLL | User Authentication | One |
FIA_X509_EXT.1/CERTVAL_MAN | X.509 Certification Validation | Feature Dependent |
FIA_X509_EXT.1/CERTVAL_SEL | X.509 Certification Validation | Feature Dependent |
FIA_X509_EXT.2 | X.509 Certificate Authentication | Feature Dependent |
FIA_X509_EXT.3 | X.509 Enrollment | Feature Dependent |
FIA_X509_EXT.4 | Alternate X.509 Enrollment | Feature Dependent |
FIA_X509_EXT.5 | X.509 Unique Certificate | One |
FMT_MOF.1/FUNCBE | Management of functions behaviour | Feature Dependent |
FMT_MOF.1/MANAGEMENT_ENROLL | Management of functions behaviour (Enrollment) | Feature Dependent |
FMT_MOF.1/MANAGEMENT_MAS | Management of Functions in (MAS Server Downloads) | Feature Dependent |
FMT_POL_EXT.1 | Trusted Policy Update | One |
FMT_SAE_EXT.1 | Security Attribute Expiration | One |
FMT_SMF.1/SERVER_CONF_AGENT | Specification of Management Functions (Server configuration of Agent) | One |
FMT_SMF.1/SERVER_CONF_SERVER | Specification of Management Functions (Server configuration of Server) | Feature Dependent |
FMT_SMF.1/MAS | Specification of Management Functions (MAS Server) | Feature Dependent |
FMT_SMR.1/SECMAN_ROLES | Security Management Roles | One |
FMT_SMR.1/SECMAN_ROLES_MAS | Security Management Roles | Feature Dependent |
FPT_API_EXT.1 | Use of Supported Services and APIs | All |
FPT_ITT.1/INTER_XFER | Internal TOE TSF Data Transfer | Feature Dependent |
FPT_ITT.1/INTER_XFER_AGENT | Internal TOE TSF Data Transfer (To MDM Agent) | Feature Dependent |
FPT_LIB_EXT.1 | Use of Third Party Libraries | All |
FPT_TST_EXT.1 | Functionality Testing | All (except for MDM Agent components) |
FPT_TUD_EXT.1 | Trusted Update | All |
FTA_TAB.1 | Default TOE Access Banners | One |
FTP_ITC.1/INTER_XFER_IT | Inter-TSF Trusted Channel (Authorized IT Entities) | One |
FTP_ITC.1/INTER_TSF_XFER_AGENT | Inter-TSF Trusted Channel (MDM Agent) | One |
FTP_ITC_EXT.1 | Trusted Channel | One |
FTP_TRP.1/TRUSTPATH_REM_ADMIN | Trusted Path for Remote Administration | Feature Dependent |
FTP_TRP.1/TRUSTPATH_ENROLL | Trusted Path for Enrollment | Feature Dependent |
FTP_TRP.1/TRUSTPATH_JOIN | Trusted Path for Joining | Feature Dependent |
Threat, Assumption, or OSP | Security Objectives | Rationale |
---|---|---|
T.MALICIOUS_APPS | O.APPLY_POLICY | The threat T.MALICIOUS_APPS is countered by O.APPLY_POLICY as this provides the capability to limit the ability to install applications on the MD. |
T.MALICIOUS_APPS | O.INTEGRITY | The threat T.MALICIOUS_APPS is countered by O.INTEGRITY as this provides the capability to perform self-tests to ensure the integrity of critical functionality, software/firmware and data has been maintained. |
T.NETWORK_ATTACK | O.DATA_PROTECTION_TRANSIT | The threat T.NETWORK_ATTACK is countered by O.DATA_PROTECTION_TRANSIT as this provides authentication of the endpoints of a trusted communication path. |
T.NETWORK_EAVESDROP | O.DATA_PROTECTION_TRANSIT | The threat T.NETWORK_EAVESDROP is countered by O.DATA_PROTECTION_TRANSIT as this provides the capability to communicate using one (or more) standard protocols as a means to maintain the confidentiality of data that are transmitted outside and within the TOE. |
T.NETWORK_EAVESDROP | O.QUALITY | The threat T.NETWORK_EAVESDROP is countered by O.QUALITY as this provides the capability to invoke platform resources to ensure quality of implementation. |
T.PHYSICAL_ACCESS | O.APPLY_POLICY | The threat T.PHYSICAL_ACCESS is countered by O.APPLY_POLICY as this provides the capability to configure and apply security policies to ensure the Mobile Device can protect user and enterprise data that it may store or process. |
A.COMPONENTS_RUNNING | OE.COMPONENTS_RUNNING | The operational environment objective OE.COMPONENTS_RUNNING is realized through A.COMPONENTS_RUNNING. |
A.CONNECTIVITY | OE.WIRELESS_NETWORK | The operational environment objective OE.WIRELESS_NETWORK is realized through A.CONNECTIVITY. |
A.MDM_SERVER_PLATFORM | OE.TIMESTAMP | The operational environment objective OE.TIMESTAMP is realized through A.MDM_SERVER_PLATFORM. |
A.PROPER_ADMIN | OE.PROPER_ADMIN | The operational environment objective OE.PROPER_ADMIN is realized through A.PROPER_ADMIN. |
A.PROPER_USER | OE.PROPER_USER | The operational environment objective OE.PROPER_USER is realized through A.PROPER_USER. |
P.ACCOUNTABILITY | O.ACCOUNTABILITY | The organizational security policy P.ACCOUNTABILITY is realized through O.ACCOUNTABILITY. |
P.ADMIN | OE.PROPER_ADMIN | The organizational security policy P.ADMIN is realized through OE.PROPER_ADMIN. |
P.DEVICE_ENROLL | OE.IT_ENTERPRISE | The organizational security policy P.DEVICE_ENROLL is realized through OE.IT_ENTERPRISE. |
P.NOTIFY | OE.PROPER_USER | The organizational security policy P.NOTIFY is realized through OE.PROPER_USER. |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_ALT_EXT.1 | Type of alert | Identity of Mobile Device that sent alert. |
FAU_GEN.1/AUDITGEN | No events specified | N/A |
FAU_NET_EXT.1 | No events specified | N/A |
FAU_STG_EXT.1 | No events specified | N/A |
FCS_CKM.1 | [selection: Failure of key generation activity for authentication keys, None] | No additional information |
FCS_CKM.2 | No events specified | N/A |
FCS_CKM_EXT.4 | No events specified | N/A |
FCS_COP.1/CONF_ALG | No events specified | N/A |
FCS_COP.1/HASH_ALG | No events specified | N/A |
FCS_COP.1/SIGN_ALG | No events specified | N/A |
FCS_COP.1/KEY_HASH | No events specified | N/A |
FCS_RBG_EXT.1 | Failure of the randomization process | No additional information |
FCS_STG_EXT.1 | No events specified | N/A |
FIA_ENR_EXT.1 | Failure of MD user authentication | Presented username |
FIA_UAU.1 | No events specified | N/A |
FIA_X509_EXT.1/CERTVAL_MAN | Failure to validate X.509 certificate | Reason for failure |
FIA_X509_EXT.2 | Failure to establish connection to determine revocation status. | No additional information |
FIA_X509_EXT.5 | No events specified | N/A |
FMT_MOF.1/FUNCBE | Issuance of command to perform function | Command sent and identity of MDM Agent recipient(s) |
FMT_MOF.1/FUNCBE | Change of policy settings | Policy changed and value or full policy |
FMT_MOF.1/MANAGEMENT_ENROLL | Enrollment by a user | Identity of user |
FMT_POL_EXT.1 | No events specified | N/A |
FMT_SMF.1/SERVER_CONF_AGENT | No events specified | N/A |
FMT_SMF.1/SERVER_CONF_SERVER | Success or failure of function | No additional information |
FMT_SMR.1/SECMAN_ROLES | No events specified | N/A |
FPT_API_EXT.1 | No events specified | N/A |
FPT_LIB_EXT.1 | No events specified | N/A |
FPT_TST_EXT.1 | Initiation of self-test | No additional information |
FPT_TST_EXT.1 | Failure of self-test | Algorithm that caused failure |
FPT_TST_EXT.1 | Detected integrity violation | The TSF code file that caused the integrity violation |
FPT_TUD_EXT.1 | Success or failure of signature verification | No additional information |
FTP_ITC_EXT.1 | No events specified | N/A |
FTP_ITC.1/INTER_XFER_IT | Initiation and termination of the trusted channel | |
FTP_TRP.1/TRUSTPATH_REM_ADMIN | Initiation and termination of the trusted channel | |
FTP_TRP.1/TRUSTPATH_ENROLL | Initiation and termination of the trusted channel | Trusted channel protocol |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FCS_TLSC_EXT.1 | Failure to establish a TLS session. | Reason for failure. |
FCS_TLSC_EXT.1 | Failure to verify presented identifier. | Presented identifier and reference identifier. |
FCS_TLSS_EXT.1 | Failure to establish a TLS session. | Reason for failure. |
FCS_DTLSC_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. |
FCS_DTLSS_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. |
The following rationale provides justification for each security objective for the TOE,
showing that the SFRs are suitable to meet and achieve the security objectives:
Objective | Addressed by | Rationale |
---|---|---|
O.ACCOUNTABILITY | FAU_ALT_EXT.1 | The PP includes FAU_ALT_EXT.1 to define the ability of the TSF to generate alerts when certain actions occur. |
O.ACCOUNTABILITY | FAU_GEN.1/AUDITGEN | The PP includes FAU_GEN.1/AUDITGEN to require the TSF to generate audit records of security-relevant events, including management actions. |
O.ACCOUNTABILITY | FAU_GEN.1/MAS_SERVER (sel-based) | The PP includes FAU_GEN.1/MAS_SERVER to require the TSF to generate records of MAS Server functionality if the TSF supports this capability. |
O.ACCOUNTABILITY | FAU_NET_EXT.1 | The PP includes FAU_NET_EXT.1 to require the TSF to record the connectivity status of enrolled agents. |
O.ACCOUNTABILITY | FAU_SAR.1 (optional) | The PP includes FAU_SAR.1 to optionally require the TSF to provide a method to review stored audit data. |
O.ACCOUNTABILITY | FAU_SEL.1 (optional) | The PP includes FAU_SEL.1 to optionally require the TSF to define the actions that are accounted for. |
O.ACCOUNTABILITY | FAU_STG_EXT.1 | The PP includes FAU_STG_EXT.1 for the TSF to securely transmit its audit data to an external entity. |
O.ACCOUNTABILITY | FAU_STG_EXT.2 (sel-based) | The PP includes FAU_STG_EXT.2 to require the TSF to protect stored audit records from unauthorized modification if these records are stored locally. |
O.ACCOUNTABILITY | FAU_CRP_EXT.1 (objective) | The PP includes FAU_CRP_EXT.1 to optionally require the TSF to collect information about the configuration of enrolled devices. |
O.APPLY_POLICY | FIA_ENR_EXT.1 | The PP includes FIA_ENR_EXT.1 for the TSF to perform the initial enrollment of devices into management, including applying restrictions on what devices can be enrolled. |
O.APPLY_POLICY | FMT_MOF.1/FUNCBE | The PP includes FMT_MOF.1/FUNCBE to define the supported TSF management functions, including those used to enable, disable, and apply policies to enrolled devices. |
O.APPLY_POLICY | FMT_MOF.1/MANAGEMENT_ENROLL | The PP includes FMT_MOF.1/MANAGEMENT_ENROLL for the TSF to restrict the enrollment process to authorized administrators and mobile device users. |
O.APPLY_POLICY | FMT_MOF.1/MANAGEMENT_MAS | The PP includes FMT_MOF.1/MANAGEMENT_MAS to enforce restrictions on access to the MAS Server from enrolled devices based on applied policies. |
O.APPLY_POLICY | FMT_SAE_EXT.1 (objective) | The PP includes FMT_SAE_EXT.1 for the TSF to enforce restriction on agent enrollment by limiting the length of time that enrollment authentication data is valid. |
O.APPLY_POLICY | FMT_SMF.1/SERVER_CONF_AGENT (sel-based) | The PP includes FMT_SMF.1/SERVER_CONF_AGENT to specify that the TSF is capable of sending configuration information and enterprise security policies to an MDM Agent. |
O.APPLY_POLICY | FMT_SMR.1/SERVER_CONF_SERVER (sel-based) | The PP includes FMT_SMR.1/SERVER_CONF_SERVER to define roles on the MAS Server, if this capability is supported, that are used to determine the extent to which enrolled devices can access data on the MAS Server. |
O.APPLY_POLICY | FMT_SMF.1/MAS (sel-based) | The PP includes FMT_SMF.1/MAS to specify that the TSF is capable of configuring the MAS Server to enforce restrictions on enrolled devices attempting to access it. |
O.APPLY_POLICY | FIA_UAU_EXT.4/REUSE (objective) | The PP includes FIA_UAU_EXT.4/REUSE to optionally require the TSF to limit enrollment through the prevention of reuse of enrollment authentication data. |
O.APPLY_POLICY | FIA_UAU_EXT.4/REUSE_ENROLL (objective) | The PP includes FIA_UAU_EXT.4/REUSE_ENROLL to provide access controls to prevent the reuse of enrollment data related to device enrollment. The TSF shall prevent two devices from being enrolled using the same unique identifier. |
O.DATA_PROTECTION_TRANSIT | FAU_CRP_EXT.1 (objective) | The PP includes FAU_CRP_EXT.1 to require certain data to be collected from remote agents using a secure channel. |
O.DATA_PROTECTION_TRANSIT | FAU_STG_EXT.1 | The PP includes FAU_STG_EXT.1, which requires the TSF to use a trusted channel for the external transmission of audit data. |
O.DATA_PROTECTION_TRANSIT | FCO_CPC_EXT.1 (objective) | The PP includes FCO_CPC_EXT.1 to define secure connectivity between different TOE components, including security of data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_CKM_EXT.4 | The PP includes FCS_CKM_EXT.4 to ensure that the TSF destroys plaintext keying material and critical security parameters when no longer needed in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_CKM.1 | The PP includes FCS_CKM.1 to define whether the TSF or the platform generates asymmetric keys that are used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_CKM.2 | The PP includes FCS_CKM.2 to define whether the TSF or the platform performs key establishment in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_COP.1/CONF_ALG | The PP includes FCS_COP.1/CONF_ALG to define the symmetric AES encryption algorithms used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_COP.1/HASH_ALG | The PP includes FCS_COP.1/HASH_ALG to define the hash algorithms used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_COP.1/SIGN_ALG | The PP includes FCS_COP.1/SIGN_ALG to define the digital signature algorithms used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_COP.1/KEY_HASH | The PP includes FCS_COP.1/KEY_HASH to define the HMAC algorithms used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_HTTPS_EXT.1 (sel-based) | The PP includes FCS_HTTPS_EXT.1 to define the TOE's support for the HTTPS trusted communications protocol. |
O.DATA_PROTECTION_TRANSIT | FCS_IV_EXT.1 (sel-based) | The PP includes FCS_IV_EXT.1 to define the initialization vector generation to ensure secure implementation of cryptography used to secure data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_RBG_EXT.1 | The PP includes FCS_RBG_EXT.1 to define whether random bit generation services are implemented by the TSF or the platform. The TOE may rely on the use of a random bit generator to create keys that are subsequently used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_STG_EXT.1 | The PP includes FCS_STG_EXT.1 to define whether the TSF or the Operational Environment protects key data that may be used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FCS_STG_EXT.2 (sel-based) | The PP includes FCS_STG_EXT.2 to define the method the TSF uses to protect stored key data that may be used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FIA_ENR_EXT.1 | The PP includes FIA_ENR_EXT.1, which requires the TSF to use a trusted channel for the agent enrollment process. |
O.DATA_PROTECTION_TRANSIT | FIA_X509_EXT.1/CERTVAL_MAN | The PP includes FIA_X509_EXT.1/CERTVAL_MAN to define validation rules for X.509 certificates that may be used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FIA_X509_EXT.1/CERTVAL_SEL (sel-based) | The PP includes FIA_X509_EXT.1/CERTVAL_SEL to define validation rules for X.509 certificates that may be used in support of securing data in transit in the specific case where the TOE is distributed across multiple remote nodes. |
O.DATA_PROTECTION_TRANSIT | FIA_X509_EXT.2 | The PP includes FIA_X509_EXT.2 to define the TOE functions that support the use of X.509 certificates. This includes protection of data in transit. |
O.DATA_PROTECTION_TRANSIT | FIA_X509_EXT.3 (objective) | The PP includes FIA_X509_EXT.3 to define X.509 enrollment activities using PKCS#10 to allow the TOE to obtain a signed certificate for use when establishing trusted communications. |
O.DATA_PROTECTION_TRANSIT | FIA_X509_EXT.4 (objective) | The PP includes FIA_X509_EXT.4 to define X.509 enrollment activities using EST to allow the TOE to obtain a signed certificate for use when establishing trusted communications. |
O.DATA_PROTECTION_TRANSIT | FIA_X509_EXT.5 | The PP includes FIA_X509_EXT.5 to require the TSF to enforce uniqueness for client certificates that are used in support of securing data in transit. |
O.DATA_PROTECTION_TRANSIT | FPT_ITT.1/INTER_XFER (sel-based) | The PP includes FPT_ITT.1/INTER_XFER to define how data is secured in transit between TOE components if the MDM server itself is distributed. |
O.DATA_PROTECTION_TRANSIT | FPT_ITT.1/INTER_XFER_AGENT (sel-based) | The PP includes FPT_ITT.1/INTER_XFER_AGENT to define how data is secured in transit between the MDM server and MDM agent if both are part of the TOE. |
O.DATA_PROTECTION_TRANSIT | FTP_ITC_EXT.1 | The PP includes FTP_ITC_EXT.1 to define the trusted channels used by the TOE where security of data in transit is enforced. |
O.DATA_PROTECTION_TRANSIT | FTP_ITC.1/INTER_XFER_IT | The PP includes FTP_ITC.1/INTER_XFER_IT to define a trusted communication channel between the TOE and trusted external servers. |
O.DATA_PROTECTION_TRANSIT | FTP_ITC.1/INTER_TSF_XFER_AGENT | The PP includes FTP_ITC.1/INTER_TSF_XFER_AGENT to define a trusted communication channel between the TOE and an MDM agent if the MDM agent is not part of the TOE. |
O.DATA_PROTECTION_TRANSIT | FTP_TRP.1/TRUSTPATH_REM_ADMIN | The PP includes FTP_TRP.1/TRUSTPATH_REM_ADMIN to define requirements for securing data in transit for administrative communications. |
O.DATA_PROTECTION_TRANSIT | FTP_TRP.1/TRUSTPATH_ENROLL | The PP includes FTP_TRP.1/TRUSTPATH_ENROLL to define requirements for securing data in transit for agent enrollment. |
O.DATA_PROTECTION_TRANSIT | FTP_TRP.1/TRUSTPATH_JOIN | The PP includes FTP_TRP.1/TRUSTPATH_JOIN to define requirements for securing data in transit between TOE components when establishing initial connectivity if the MDM server itself is distributed and a separate registration channel is used. |
O.INTEGRITY | FCS_COP.1/HASH_ALG | The PP includes FCS_COP.1/HASH_ALG to require the TSF to include a mechanism to cryptographically assert and verify the integrity of data using a hash algorithm. |
O.INTEGRITY | FCS_COP.1/SIGN_ALG | The PP includes FCS_COP.1/SIGN_ALG to require the TSF to include a mechanism to cryptographically assert and verify the integrity of data using a digital signature. |
O.INTEGRITY | FIA_X509_EXT.2 | The PP includes FIA_X509_EXT.2 to define the TOE functions that support the use of X.509 certificates. This includes code signing for system software updates, integrity verification, and policy signing. |
O.INTEGRITY | FMT_POL_EXT.1 | The PP includes FMT_POL_EXT.1 to ensure that policies and policy updates sent to the MDM Agent are digitally signed to protect their integrity. |
O.INTEGRITY | FCO_CPC_EXT.1 | The PP includes FCO_CPC_EXT.1 to define secure connectivity between different TOE components, including security of data in transit. |
O.INTEGRITY | FPT_TST_EXT.1 | The PP includes FPT_TST_EXT.1 to require the TSF to run a suite of self-tests to ensure the correct operation of the TSF and the integrity of stored TSF executable code. |
O.INTEGRITY | FPT_TUD_EXT.1 | The PP includes FPT_TUD_EXT.1 to define requirements for trusted update of TSF executable code, including that the integrity of this update data can be verified. |
O.MANAGEMENT | FAU_CRP_EXT.1 (objective) | The PP includes FAU_CRP_EXT.1 to require certain data to be collected from remote agents using a secure channel. |
O.MANAGEMENT | FAU_SAR.1 (optional) | The PP includes FAU_SAR.1 to optionally require the TSF to implement management functionality to review audit data that is restricted to authorized users. |
O.MANAGEMENT | FAU_SEL.1 (optional) | The PP includes FAU_SEL.1 to optionally require the TSF to implement management functionality for configuring the events that are audited. |
O.MANAGEMENT | FIA_ENR_EXT.1 | The PP includes FIA_ENR_EXT.1, which requires the TSF to use a trusted channel for the agent enrollment process. |
O.MANAGEMENT | FIA_UAU.1 | The PP includes FIA_UAU.1 to require the TSF to enforce access control on its management interface by requiring user authentication. |
O.MANAGEMENT | FIA_UAU_EXT.4/REUSE (objective) | The PP includes FIA_UAU_EXT.4/REUSE to optionally require the TSF to limit enrollment through the prevention of reuse of enrollment authentication data. |
O.MANAGEMENT | FIA_UAU_EXT.4/REUSE_ENROLL (objective) | The PP includes FIA_UAU_EXT.4/REUSE_ENROLL to provide access controls to prevent the reuse of enrollment data related to device enrollment. The TSF shall prevent two devices from being enrolled using the same unique identifier. |
O.MANAGEMENT | FMT_MOF.1/FUNCBE | The PP includes FMT_MOF.1/FUNCBE for the TSF to restrict the functions to enable, disable, modify, and monitor functions and policies to authorized administrators. |
O.MANAGEMENT | FMT_MOF.1/MANAGEMENT_ENROLL | The PP includes FMT_MOF.1/MANAGEMENT_ENROLL to restrict the enrollment process to authorized administrators and mobile device users. |
O.MANAGEMENT | FMT_MOF.1/MANAGEMENT_MAS | The PP includes FMT_MOF.1/MANAGEMENT_MAS to enforce restrictions on access to the MAS Server from enrolled devices based on applied policies. |
O.MANAGEMENT | FMT_POL_EXT.1 | The PP includes FMT_POL_EXT.1 to ensure that policies and policy updates sent to the MDM Agent are digitally signed to protect their integrity. |
O.MANAGEMENT | FMT_SMF.1/SERVER_CONF_AGENT | The PP includes FMT_SMF.1/SERVER_CONF_AGENT to define the security-relevant management functions that the MDM server is capable of communicating to the MDM Agent. |
O.MANAGEMENT | FMT_SMF.1/SERVER_CONF_SERVER | The PP includes FMT_SMF.1/SERVER_CONF_SERVER to define the security-relevant management functions that the MDM server has for its own configuration. |
O.MANAGEMENT | FMT_SMF.1/MAS | The PP includes FMT_SMF.1/MAS to define the MAS Server management functionality if this capability is supported. |
O.MANAGEMENT | FMT_SMR.1/SECMAN_ROLES | The PP includes FMT_SMR.1/SECMAN_ROLES to define the security management roles that are used as the basis for access control enforcement. |
O.MANAGEMENT | FMT_SMR.1/SECMAN_ROLES_MAS (sel-based) | The PP includes FMT_SMR.1/SECMAN_ROLES_MAS to define the management roles that apply to the MAS Server if this capability is supported. |
O.MANAGEMENT | FTA_TAB.1 (optional) | The PP includes FTA_TAB.1 to display an Administrator-specified advisory notice and consent warning message regarding use of the TOE. |
O.QUALITY | FPT_API_EXT.1 | The PP includes FPT_API_EXT.1 to enforce quality of implementation by ensuring that the MDM software uses only documented platform APIs to support its security functionality. |
O.QUALITY | FPT_LIB_EXT.1 | The PP includes FPT_LIB_EXT.1 to enforce quality of implementation by ensuring that the MDM software does not include any unnecessary or unexpected third-party libraries which could present a privacy threat or vulnerability. |
Assurance Class | Assurance Components |
---|---|
Security Target (ASE) | ST introduction (ASE_INT.1); Conformance claims (ASE_CCL.1); Security objectives for the operational environment (ASE_OBJ.1); Extended components definition (ASE_ECD.1); Stated security requirements (ASE_REQ.1); TOE summary specification (ASE_TSS.1) |
Development (ADV) | Basic functional specification (ADV_FSP.1) |
Guidance documents (AGD) | Operational user guidance (AGD_OPE.1); Preparative procedures (AGD_PRE.1) |
Life cycle support (ALC) | Labeling of the TOE (ALC_CMC.1); TOE CM coverage (ALC_CMS.1) |
Tests (ATE) | Independent testing - sample (ATE_IND.1) |
Vulnerability assessment (AVA) | Vulnerability survey (AVA_VAN.1) |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_SAR.1 | No events specified | N/A |
FAU_SEL.1 | All modifications to the audit configuration that occur while the audit collection functions are operating. | No additional information |
FTA_TAB.1 | Change in banner setting | No additional information |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_CRP_EXT.1 | ||
No events specified | N/A | |
FCO_CPC_EXT.1 | ||
Enabling or disabling communications between a pair of components. | Identities of the endpoints pairs enabled or disabled. | |
FIA_UAU_EXT.4/REUSE | ||
Attempt to reuse enrollment data | Enrollment data | |
FIA_UAU_EXT.4/REUSE_ENROLL | ||
Attempt to reuse enrollment data. | Enrollment data | |
FIA_X509_EXT.3 | ||
Generation of Certificate Request Message | Content of Certificate Request Message | |
Success or failure of verification | Issuer and Subject name of added certificate or reason for failure | |
FIA_X509_EXT.4 | ||
Generation of Certificate Enrollment Request | | |
Success or failure of enrollment | Issuer and Subject name of added certificate or reason for failure | |
Update of EST Trust Anchor Database | Subject name of added Root CA | |
FMT_SAE_EXT.1 | ||
Enrollment attempted after expiration of authentication data | Identity of user | |
FTP_TRP.1/TRUSTPATH_JOIN | ||
Initiation and termination of the trusted channel | Trusted channel protocol |
This PP does not define any Implementation-dependent requirements.
As indicated in the introduction to this PP, the baseline requirements (those that must be performed by the TOE or its underlying platform) are contained in the body of this PP. There are additional requirements based on selections in the body of the PP: if certain selections are made, then additional requirements below must be included.
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_GEN.1/MAS_SERVER | ||
No events specified | N/A | |
FAU_STG_EXT.2 | ||
No events specified | N/A | |
FCS_HTTPS_EXT.1 | ||
Failure of the certificate validity check | | |
FCS_IV_EXT.1 | ||
No events specified | N/A | |
FCS_STG_EXT.2 | ||
No events specified | N/A | |
FIA_X509_EXT.1/CERTVAL_SEL | ||
Failure to validate X.509 certificate | Reason for failure | |
FMT_MOF.1/MANAGEMENT_MAS | ||
No events specified | N/A | |
FMT_SMF.1/MAS | ||
No events specified | N/A | |
FMT_SMR.1/SECMAN_ROLES_MAS | ||
No events specified | N/A | |
FPT_ITT.1/INTER_XFER | ||
Initiation and termination of the trusted channel | | |
FPT_ITT.1/INTER_XFER_AGENT | ||
Initiation and termination of the trusted channel | | |
FTP_ITC.1/INTER_TSF_XFER_AGENT | ||
Initiation and termination of the trusted channel | | |
Cipher Mode | Reference | IV Requirement |
Electronic Codebook (ECB) | SP800-38A | No IV |
Counter (CTR) | SP800-38A | "Initial Counter" shall be non-repeating. No counter value shall be repeated across multiple messages with the same secret key. |
Cipher Block Chaining (CBC) | SP800-38A | IVs shall be unpredictable. Repeating IVs leak information about whether the first one or more blocks are shared between two messages, so IVs should be non-repeating in such situations. |
Output Feedback (OFB) | SP800-38A | IVs shall be non-repeating and shall not be generated by invoking the cipher on another IV. |
Cipher Feedback (CFB) | SP800-38A | IVs should be non-repeating as repeating IVs leak information about the first plaintext block and about common shared prefixes in messages. |
XEX (XOR Encrypt XOR) Tweakable Block Cipher with Ciphertext Stealing (XTS) | SP800-38E | No IV. Tweak values shall be non-negative integers, assigned consecutively, and starting at an arbitrary non-negative integer. |
Cipher-based Message Authentication Code (CMAC) | SP800-38B | No IV |
Key Wrap and Key Wrap with Padding | SP800-38F | No IV |
Counter with CBC-Message Authentication Code (CCM) | SP800-38C | No IV. Nonces shall be non-repeating. |
Galois Counter Mode (GCM) | SP800-38D | IV shall be non-repeating. The number of invocations of GCM shall not exceed 2^32 for a given secret key unless an implementation only uses 96-bit IVs (default length). |
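The table above states the IV, nonce and tweak rules per mode but leaves enforcement to the implementer. The following is an added example, not part of this PP or of any evaluated product, of one way a key-bound IV issuer can make those rules checkable at run time: unpredictable CBC IVs from a CSPRNG, non-repeating CTR/OFB/CFB IVs and CCM nonces, consecutive XTS tweaks from an arbitrary start, and for GCM either the 96-bit deterministic construction (fixed field plus invocation counter) or, for other IV lengths, a hard cap on invocations per key. The class and method names, the `device_id` fixed field and the `max_invocations` parameter are assumptions made for illustration.

```python
import secrets
import struct

# SP 800-38D bounds GCM invocations per key at 2^32 when IVs other than the
# default 96-bit length are used (see the table above).
GCM_INVOCATION_LIMIT = 2 ** 32


class IvPolicyError(Exception):
    """Raised when issuing another IV, nonce or tweak would violate the mode's rule."""


class IvIssuer:
    """Issue IVs, nonces and tweaks that satisfy the per-mode rules in the table.

    One instance is bound to one secret key, so the counters it keeps make
    "non-repeating" something the code enforces rather than assumes.
    mode is one of: ECB, CBC, CTR, OFB, CFB, GCM, CCM, XTS, CMAC, KW, KWP.
    (Hypothetical helper; names and parameters are this example's own.)
    """

    NO_IV_MODES = {"ECB", "CMAC", "KW", "KWP"}

    def __init__(self, mode, block_size=16, gcm_iv_len=12, device_id=0,
                 max_invocations=GCM_INVOCATION_LIMIT, xts_start_tweak=0):
        self.mode = mode.upper()
        self.block_size = block_size
        self.gcm_iv_len = gcm_iv_len
        self.max_invocations = max_invocations
        self.invocations = 0
        # 32-bit fixed field for the deterministic GCM IV construction
        # (a constructed device identifier, not a value from the PP).
        self.fixed_field = struct.pack(">I", device_id)
        # XTS tweaks are consecutive non-negative integers from an arbitrary start.
        self.next_tweak = xts_start_tweak
        # Random values already issued under this key, so a repeat can be refused.
        self.issued = set()

    def next_value(self):
        """Return the next IV/nonce/tweak for this key, or None for IV-less modes."""
        if self.mode in self.NO_IV_MODES:
            return None
        if self.mode == "XTS":
            tweak = self.next_tweak
            self.next_tweak += 1
            return tweak
        if self.mode == "GCM":
            return self._next_gcm_iv()
        if self.mode == "CCM":
            # 13-byte nonce leaves a 2-byte length field; nonces must not repeat.
            return self._unique_random(13)
        if self.mode == "CBC":
            # Must be unpredictable: a fresh CSPRNG block, never a counter.
            return self._unique_random(self.block_size)
        if self.mode in ("CTR", "OFB", "CFB"):
            # Non-repeating; a CSPRNG value is never the cipher applied to a prior IV,
            # which is the extra OFB rule in the table.
            return self._unique_random(self.block_size)
        raise ValueError(f"unknown mode {self.mode}")

    def exhausted(self):
        """True when this key may not be used for another GCM invocation."""
        return (self.mode == "GCM" and self.gcm_iv_len != 12
                and self.invocations >= self.max_invocations)

    def _unique_random(self, n):
        iv = secrets.token_bytes(n)
        if iv in self.issued:
            raise IvPolicyError("random IV repeated under this key; refusing to reuse it")
        self.issued.add(iv)
        return iv

    def _next_gcm_iv(self):
        if self.exhausted():
            raise IvPolicyError("GCM invocation limit reached for this key; rekey required")
        self.invocations += 1
        if self.gcm_iv_len == 12:
            # Deterministic construction: fixed field || 64-bit invocation counter,
            # which cannot repeat under one key before 2^64 messages.
            return self.fixed_field + struct.pack(">Q", self.invocations)
        return self._unique_random(self.gcm_iv_len)
```

An implementation under evaluation would typically bind the issuer to the key object itself so that rekeying resets the counters, and would persist the GCM invocation counter across restarts; a counter that silently restarts at zero after a reboot is the classic way the GCM non-repetition rule is broken in practice.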
Factor | Same/Different | Guidance |
PP-Specified Functionality | Same | If the differences between Models affect only non-PP-specified functionality, then the Models are equivalent. |
Different | If PP-specified security functionality is affected by the differences between Models, then the Models are not equivalent and must be tested separately. It is necessary only to test the functionality affected by the software differences. If only differences are tested, then the differences must be enumerated, and for each difference the Vendor must provide an explanation of why each difference does or does not affect PP-specified functionality. If the Product Models are separately tested fully, then there is no need to document the differences. |
Factor | Same/Different | Guidance |
Product Models | Different | Versions of different Product Models are not equivalent unless the Models are equivalent as defined in subsection 3. |
PP-Specified Functionality | Same | If the differences affect only non-PP-specified functionality, then the Versions are equivalent. |
Different | If PP-specified security functionality is affected by the differences, then the Versions are not considered equivalent and must be tested separately. It is necessary only to test the functionality affected by the changes. If only the differences are tested, then for each difference the Vendor must provide an explanation of why the difference does or does not affect PP-specified functionality. If the Product Versions are separately tested fully, then there is no need to document the differences. |
Factor | Same/Different/None | Guidance |
Platform Architectures | Different | Platforms that present different processor architectures and instruction sets to the MDM are not equivalent. |
PP-Specified Functionality | Same | For platforms with the same processor architecture, the platforms are equivalent with respect to the MDM if execution of all PP-specified security functionality follows the same code path on both platforms. |
Factor | Same/Different/None | Guidance |
Platform Architectures | Different | Platforms that run on different processor architectures and instruction sets are not equivalent. |
Platform Vendors | Different | Platforms from different vendors are not equivalent. |
Platform Versions | Different | Platforms from the same vendor with different major version numbers are not equivalent. |
Platform Interfaces | Different | Platforms from the same vendor and major version are not equivalent if there are differences in device interfaces and OS APIs that are relevant to the way the platform provides PP-specified security functionality to the MDM. |
Platform Interfaces | Same | Platforms from the same vendor and major version are equivalent if there are no differences in device interfaces and OS APIs that are relevant to the way the platform provides PP-specified security functionality to the MDM, or if the Platform does not provide such functionality to the MDM. |
Factor | Same/Different/None | Guidance |
Platform Type/Vendor | Different | Software-based execution environments that are substantially different or come from different vendors are not equivalent. For example, a Java virtual machine is not the same as a container. A Docker container is not the same as a CoreOS container. |
Platform Versions | Different | Execution environments that are otherwise equivalent are not equivalent if they have different major version numbers. |
PP-Specified Security Functionality | Same | All other things being equal, execution environments are equivalent if there is no significant difference in the interfaces through which the environments provide PP-specified security functionality to MDMs. |
This appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP. These requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components.
This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP provides evidence that these controls are present and have been evaluated.
This appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP-Module. However, these requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components. This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP-Module provides evidence that these controls are present and have been evaluated.
Table 16: Implicitly Satisfied Requirements
Requirement | Rationale for Satisfaction |
---|---|
FMT_MTD.1 – Management of TSF Data | FAU_SEL.1 has a dependency on FMT_MTD.1 because the configuration settings that determine what events are audited are considered to be TSF data. While FAU_SEL.1 determines the extent to which the TOE’s audit function is configured, it relies on FMT_MTD.1 to determine the administrative roles that are permitted to manipulate this data. The PP allows FAU_SEL.1 to be implemented either by the TSF or by the TOE platform because the TOE may rely on the audit functionality provided by the OS it runs on. If this is configured entirely through the platform, the administrator does not necessarily need to be authenticated by the TOE to do this; requiring FMT_MTD.1 therefore does not make sense in this situation. If this is configured through the TOE, it can be implied from a review of FMT_SMR.1(1) that the ‘MD user’ role cannot perform this function, as that role lacks the authority to manage the TSF. It is therefore understood that this function can be performed by the ‘administrator’ role or potentially by one or more roles specified by the ST author if the selection to specify additional roles is chosen. An additional SFR that explicitly identifies the roles permitted to manage this function is redundant in this context. |
FPT_STM.1 – Reliable time stamps | The PP’s iterations of FAU_GEN.1, as well as its cryptographic functionality, have a dependency on FPT_STM.1 because audit records require accurate timestamps, as do some cryptographic operations, such as determining whether a presented X.509 certificate is expired. The TOE is installed on a general-purpose computer or specialized network device that is assumed to have the ability to provide certain functions to the TOE as specified in A.MDM_SERVER_PLATFORM. This assumption explicitly lists ‘reliable timestamps’ as a function that the TSF is expected to have available to it. |
Requirement | Action |
FMT_SMF.1/SERVER_CONF_AGENT Function 32 | Include in ST and assign GPS. |
FMT_SMF.1/SERVER_CONF_AGENT Function 34 | Include in ST. Assign personal hotspot connections (if feature exists). |
FMT_SMF.1/SERVER_CONF_AGENT Function 47 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 49 | Include in ST and select "a. USB mass storage mode". |
FMT_SMF.1/SERVER_CONF_AGENT Function 51 | Include in ST. Select both options. |
Requirement | Action |
FMT_SMF.1/SERVER_CONF_AGENT Function 15 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 16 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 31 | Include in ST and select "no other method". |
FMT_SMF.1/SERVER_CONF_AGENT Function 32 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 33 | Include in ST. Assign at least USB. |
FMT_SMF.1/SERVER_CONF_AGENT Function 34 | Include in ST. Assign all protocols where the TSF acts as a server. |
FMT_SMF.1/SERVER_CONF_AGENT Function 36 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 37 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 40 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 42 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 47 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 52 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function 54 | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function c | Include in ST. |
FMT_SMF.1/SERVER_CONF_AGENT Function d | Include in ST. |
FCS_CKM.1.1 | Select RSA with key size of 3072 or select ECC schemes. |
FCS_CKM.2.1 | Select "RSA schemes" or select "ECC schemes". |
FCS_COP.1.1/COMF_ALG | Select 256 bits |
FCS_COP.1.1/HASH_ALG | Select SHA-384 |
FCS_COP.1.1/SIGN_ALG | Select RSA with key size of 3072 or select ECC schemes. |
FIA_X509_EXT.2.2 | Select either "allow the administrator to choose…" or "not accept the certificate". |
FCS_TLSC_EXT.1.1 (from TLS Package) | If included in ST, select "TLS 1.2". |
FCS_TLSC_EXT.2.1 (from TLS Package) | If included in ST, select "secp384r1". |
Requirement | Action |
FMT_SMF.1/SERVER_CONF_AGENT Function 13 | Include in ST |
FMT_SMF.1/SERVER_CONF_AGENT Function 14 | Include in ST |
FMT_SMF.1/SERVER_CONF_AGENT Function 21 | Include in ST |
FMT_SMF.1/SERVER_CONF_AGENT Function 22 | Include in ST |
FMT_SMF.1/SERVER_CONF_AGENT Function 30 | Select "on a per-app basis" and/or "on a per-group of application processes basis" |
FMT_SMF.1/SERVER_CONF_AGENT Function 31 | If included in ST, select "on a per-app basis" and/or "on a per-group of application processes basis" |
FMT_SMF.1/SERVER_CONF_AGENT Function 48 | Include in ST |
FMT_SMF.1/SERVER_CONF_AGENT Function 52 | If included in ST, select "on a per-app basis" and/or "on a per-group of application processes basis" |
FMT_SMF.1/SERVER_CONF_SERVER Function f | Include in the ST |
Acronym | Meaning |
---|---|
API | Application Programming Interface |
Base-PP | Base Protection Profile |
CC | Common Criteria |
CEM | Common Evaluation Methodology |
cPP | Collaborative Protection Profile |
CSP | Critical Security Parameter |
DEK | Data Encryption Key |
EP | Extended Package |
EST | Enrollment over Secure Transport |
FP | Functional Package |
KEK | Key Encryption Key |
MD | Mobile Device |
MDM | Mobile Device Management |
OE | Operational Environment |
OS | Operating System |
PP | Protection Profile |
PP-Configuration | Protection Profile Configuration |
PP-Module | Protection Profile Module |
REK | Root Encryption Key |
SAR | Security Assurance Requirement |
SFR | Security Functional Requirement |
ST | Security Target |
TOE | Target of Evaluation |
TSF | TOE Security Functionality |
TSFI | TSF Interface |
TSS | TOE Summary Specification |
Identifier | Title |
---|---|
[CC] | Common Criteria for Information Technology Security Evaluation - |
[CEM] | Common Evaluation Methodology for Information Technology Security - Evaluation Methodology, CCMB-2012-09-004, Version 3.1, Revision 4, September 2012. |
[CSA] | Computer Security Act of 1987, H.R. 145, June 11, 1987. |
[MDF PP] | Protection Profile for Mobile Device Fundamentals, Version 3.0, June 2016 |
[MDM Agent PP] | Protection Profile for Mobile Device Management, Version 3.0, October 2016 |
[OMB] | Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, OMB M-06-19, July 12, 2006. |