Supporting Document
Mandatory Technical Document

NIAP

PP-Module for Server Virtualization Systemss
Version: 1.1
2021-06-14
National Information Assurance Partnership

Foreword

This is a Supporting Document (SD), intended to complement the Common Criteria version 3 and the associated Common Evaluation Methodology for Information Technology Security Evaluation.

SDs may be “Guidance Documents”, that highlight specific approaches and application of the standard to areas where no mutual recognition of its application is required, and as such, are not of normative nature, or “Mandatory Technical Documents”, whose application is mandatory for evaluations whose scope is covered by that of the SD. The usage of the latter class is not only mandatory, but certificates issued as a result of their application are recognized under the CCRA.

Technical Editor:
National Information Assurance Partnership (NIAP)

Document history:

VersionDateComment
1.02016-11-17Initial Publication as an Extended Package
1.12020-06-14Publication as a PP-Module

General Purpose:
The purpose of this SD is to define evaluation methods for the functional behavior of Server Virtualization Systems products.

Acknowledgments:
This SD was developed with support from NIAP Server Virtualization Systemss Technical Community members, with representatives from industry, government agencies, Common Criteria Test Laboratories, and members of academia.

Table of Contents

1Introduction1.1Technology Area and Scope of Supporting Document1.2Structure of the Document1.3Terms1.3.1Common Criteria Terms1.3.2Technical Terms2Evaluation Activities for SFRs2.1 Protection Profile for Server Virtualization Systemss2.1.1Modified SFRs 2.2TOE SFR Evaluation Activities2.2.1Security Management (FMT)2.3Evaluation Activities for Optional SFRs2.4Evaluation Activities for Selection-Based SFRs2.5Evaluation Activities for Objective SFRs2.6Evaluation Activities for Implementation-based SFRs3Evaluation Activities for SARs4Required Supplementary InformationAppendix A - References

1 Introduction

1.1 Technology Area and Scope of Supporting Document

The scope of the PP-Module for Server Virtualization Systemss is to describe the security functionality of Server Virtualization Systemss products in terms of [CC] and to define functional and assurance requirements for them. The PP-Module is intended for use with the following Base-PP:


This SD is mandatory for evaluations of TOEs that claim conformance to a PP-Configuration that includes the PP-Module for : As such it defines Evaluation Activities for the functionality described in the PP-Module as well as any impacts to the Evaluation Activities to the Base-PP(s) it modifies.

Although Evaluation Activities are defined mainly for the evaluators to follow, in general they also help developers to prepare for evaluation by identifying specific requirements for their TOE. The specific requirements in Evaluation Activities may in some cases clarify the meaning of Security Functional Requirements (SFR), and may identify particular requirements for the content of Security Targets (ST) (especially the TOE Summary Specification), user guidance documentation, and possibly supplementary information (e.g. for entropy analysis or cryptographic key management architecture).

1.2 Structure of the Document

Evaluation Activities can be defined for both SFRs and Security Assurance Requirements (SAR), which are themselves defined in separate sections of the SD.

If any Evaluation Activity cannot be successfully completed in an evaluation, then the overall verdict for the evaluation is a 'fail'. In rare cases there may be acceptable reasons why an Evaluation Activity may be modified or deemed not applicable for a particular TOE, but this must be approved by the Certification Body for the evaluation.

In general, if all Evaluation Activities (for both SFRs and SARs) are successfully completed in an evaluation then it would be expected that the overall verdict for the evaluation is a ‘pass’. To reach a ‘fail’ verdict when the Evaluation Activities have been successfully completed would require a specific justification from the evaluator as to why the Evaluation Activities were not sufficient for that TOE.

Similarly, at the more granular level of assurance components, if the Evaluation Activities for an assurance component and all of its related SFR Evaluation Activities are successfully completed in an evaluation then it would be expected that the verdict for the assurance component is a ‘pass’. To reach a ‘fail’ verdict for the assurance component when these Evaluation Activities have been successfully completed would require a specific justification from the evaluator as to why the Evaluation Activities were not sufficient for that TOE.

2 Evaluation Activities for SFRs

The EAs presented in this section capture the actions the evaluator performs to address technology specific aspects covering specific SARs (e.g. ASE_TSS.1, ADV_FSP.1, AGD_OPE.1, and ATE_IND.1) – this is in addition to the CEM workunits that are performed in Section 3 Evaluation Activities for SARs.

Regarding design descriptions (designated by the subsections labeled TSS, as well as any required supplementary material that may be treated as proprietary), the evaluator must ensure there is specific information that satisfies the EA. For findings regarding the TSS section, the evaluator’s verdicts will be associated with the CEM workunit ASE_TSS.1-1. Evaluator verdicts associated with the supplementary evidence will also be associated with ASE_TSS.1-1, since the requirement to provide such evidence is specified in ASE in the PP.

For ensuring the guidance documentation provides sufficient information for the administrators/users as it pertains to SFRs, the evaluator’s verdicts will be associated with CEM workunits ADV_FSP.1-7, AGD_OPE.1-4, and AGD_OPE.1-5.

Finally, the subsection labeled Tests is where the authors have determined that testing of the product in the context of the associated SFR is necessary. While the evaluator is expected to develop tests, there may be instances where it is more practical for the developer to construct tests, or where the developer may have existing tests. Therefore, it is acceptable for the evaluator to witness developer-generated tests in lieu of executing the tests. In this case, the evaluator must ensure the developer’s tests are executing both in the manner declared by the developer and as mandated by the EA. The CEM workunits that are associated with the EAs specified in this section are: ATE_IND.1-3, ATE_IND.1-4, ATE_IND.1-5, ATE_IND.1-6, and ATE_IND.1-7.

2.1 Protection Profile for Server Virtualization Systemss

The EAs defined in this section are only applicable in cases where the TOE claims conformance to a PP-Configuration that includes the Server Virtualization Systemss PP.

2.1.1 Modified SFRs

The PP-Module does not modify any requirements when the Server Virtualization Systemss PP is the base.

2.2 TOE SFR Evaluation Activities

2.2.1 Security Management (FMT)

FMT_MOF_EXT.1 Management of Security Functions Behavior

FMT_MOF_EXT.1
TSS
The evaluator shall examine the TSS and Operational Guidance to ensure that it describes which security management functions require Administrator privilege and the actions associated with each management function. The evaluator shall verify that for each management function and role specified in the FMT_MOF_EXT.1.1 Server Virtualization Management Functions Table (Table 3), the defined role is able to perform all mandatory functions as well as all optional or selection-based functions claimed in the ST.

Guidance
The evaluator shall examine the Operational Guidance to ensure that it describes how the Administrator or User are able to perform each management function that the ST claims the TOE supports.

The evaluator shall verify for each claimed management function that the Operational Guidance is sufficiently detailed to allow the function to be performed.

Tests
The evaluator shall test each management function for each role listed in the FMT_MOF_EXT.1.1 Server Virtualization Management Functions Table (Table 3) in the ST to demonstrate that the function can be performed by the roles that are authorized to do so and the result of the function is demonstrated. The evaluator shall also verify for each claimed management function that if the TOE claims not to provide a particular role with access to the function, then it is not possible to access the TOE as that role and perform that function.

2.3 Evaluation Activities for Optional SFRs

The PP-Module does not define any optional requirements.

2.4 Evaluation Activities for Selection-Based SFRs

The PP-Module does not define any selection-based requirements.

2.5 Evaluation Activities for Objective SFRs

The PP-Module does not define any objective requirements.

2.6 Evaluation Activities for Implementation-based SFRs

The PP-Module does not define any implementation-based requirements.

3 Evaluation Activities for SARs

The PP-Module does not define any SARs beyond those defined within the base Server Virtualization Systemss PP to which it must claim conformance. It is important to note that a TOE that is evaluated against the PP-Module is inherently evaluated against this Base-PP as well. The Server Virtualization Systemss PP includes a number of Evaluation Activities associated with both SFRs and SARs. Additionally, the PP-Module includes a number of SFR-based Evaluation Activities that similarly refine the SARs of the Base-PPs. The evaluation laboratory will evaluate the TOE against the Base-PP and supplement that evaluation with the necessary SFRs that are taken from the PP-Module.

4 Required Supplementary Information

This Supporting Document has no required supplementary information beyond the ST, operational guidance, and testing.

Appendix A - References

IdentifierTitle
[VirtPP]Protection Profile for Virtualization, Version: 1.1, 2021-06-14