RE: SFRs - Requirement Specification or Implementation Description?

Subject: RE: SFRs - Requirement Specification or Implementation Description?

From: "Squires, Alicia" <Alicia.Squires@savvis.net>

Date: Thu, 30 Nov 2006 14:17:01 -0600

Content-class: urn:content-classes:message

Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C714BC.7F5C5D8F"

In-Reply-To: <CD6BB6072E0DF243B7862BAC93CA291A03E45445@0581-its-exmp01.us.saic.com>

Thread-Index: AccT6RD3IITFmY6WTA6bMQTMKEvFjgAv1lkQ

Thread-Topic: SFRs - Requirement Specification or Implementation Description?

"The validator, however, insists that the ST must explicitly state its audit requirement because it clearly does not audit startup and shutdown of the audit function (because the TOE does not provide a capability to turn the audit function on and off)."

I've had an issue with some evaluations not being able to meet FAU_SEL.1 because they could not turn specific audit functionality on and off, but I've never heard of this being a requirement for FAU_GEN.1.

The assertion that a requirement to generate audit events also requires the ability NOT to generate them is contradictory.

Alicia Squires
Senior Evaluator, Arca Common Criteria Testing Lab
SAVVIS, Inc.

Phone (703) 856 0332
email alicia.squires@savvis.net

From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of Apted, Tony J. [RA]
Sent: Wednesday, November 29, 2006 1:55 PM
To: Multiple recipients of list
Subject: SFRs - Requirement Specification or Implementation Description?

What is the purpose of Security Functional Requirements (SFRs) in a Security Target? Are they intended to specify what security functionality is to be provided by the TOE, or to specify the security functionality the TOE implements?

This question is raised as the result of a recent validator comment. The ST claims FAU_GEN.1 and the TSS explains that the TOE satisfies the aspect of the requirement to audit startup and shutdown of the audit function because auditing is always enabled – when the TOE starts up, an audit record of TOE startup is generated, which indicates the startup of the audit function (and, similarly, the TOE generates an audit record that it is shutting down, indicating shutdown of the audit function). To my knowledge, and in my own experience, this reasoning has always been acceptable for justifying that a TOE satisfies this aspect of FAU_GEN.1. The validator, however, insists that the ST must explicitly state its audit requirement because it clearly does not audit startup and shutdown of the audit function (because the TOE does not provide a capability to turn the audit function on and off).

I am interested in other people’s views about this.

Anthony J. Apted

Lead Evaluator/Senior System Security Engineer

SAIC CCTL

Ph: (410) 953-6837

Fx: (410) 953-7001