RE: SFRs - Requirement Specification or Implementation Descripti on?

Subject: RE: SFRs - Requirement Specification or Implementation Descripti on?

From: Kris Rogers <krogers@cygnacom.com>

Date: Wed, 29 Nov 2006 14:44:17 -0500

Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C713EE.B3426028"

Title: Message

Tony,

My experience is similar to yours.

If the TOE generates an audit event when it starts up and audit is always enabled, this is acceptable for satisfying FAU_GEN.1.

Kris

Kristina C. Rogers

Chief Evaluator

Security Evaluation Laboratory

CygnaCom Solutions

749 Santa Rosita

Solana Beach, CA 92075

858-509-0180

krogers@cygnacom.com

** PROPRIETARY & CONFIDENTIAL ** This email and any attachments are confidential and/or proprietary and intended solely for the named recipients. If you received this e-mail in error, please notify me by replying and delete the message without copying or disclosing it. Thank you

-----Original Message-----
From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of Apted, Tony J. [RA]
Sent: Wednesday, November 29, 2006 10:55 AM
To: Multiple recipients of list
Subject: SFRs - Requirement Specification or Implementation Description?

What is the purpose of Security Functional Requirements (SFRs) in a Security Target? Are they intended to specify what security functionality is to be provided by the TOE, or to specify the security functionality the TOE implements?

This question is raised as the result of a recent validator comment. The ST claims FAU_GEN.1 and the TSS explains that the TOE satisfies the aspect of the requirement to audit startup and shutdown of the audit function because auditing is always enabled - when the TOE starts up, an audit record of TOE startup is generated, which indicates the startup of the audit function (and, similarly, the TOE generates an audit record that it is shutting down, indicating shutdown of the audit function). To my knowledge, and in my own experience, this reasoning has always been acceptable for justifying that a TOE satisfies this aspect of FAU_GEN.1. The validator, however, insists that the ST must explicitly state its audit requirement because it clearly does not audit startup and shutdown of the audit function (because the TOE does not provide a capability to turn the audit function on and off).

I am interested in other people's views about this.

Anthony J. Apted

Lead Evaluator/Senior System Security Engineer

SAIC CCTL

Ph: (410) 953-6837

Fx: (410) 953-7001