Date: | 02/11/2002 |
Subject: | Objective for ADO_DEL |
CC Part #1 Reference: | |
CC Part #2 Reference: | |
CC Part #3 Reference: | CC Part 3, Section 9.1 (ADO_DEL) |
CEM Reference: | CEM, Section 6.5.1 (ADO_DEL.1) |
The CC objective statement in ADO_DEL refers only to protection of the integrity of the TOE, and yet the components use the more general term security. For some TOEs confidentiality and availability may be an issue for delivery, and it may be argued that there is no current assurance component to specify this.
The objective for ADO_DEL is to maintain the security (e.g. confidentiality, integrity, availability) of the TOE during distribution. The technical measures introduced in ADO_DEL.2 and ADO_DEL.3 are required to address integrity issues only.
In CC Part 3, the following changes are made:
The objectives statement for ADO_DEL (CC Part 3 paragraph 289) is replaced with:
The requirements for delivery call for system control and distribution facilities and procedures that detail the measures necessary to provide assurance that the security of the TOE is maintained during distribution of the TOE. For a valid distribution of the TOE, the procedures used for the distribution of the TOE address the threats identified in the PP/ST relating to the security of the TOE during delivery.
The words "detect and prevent modifications to" in CC Part 3 Paragraph 290 are replaced with "maintain security of".
The following is included as an application note after CC Part 3 paragraph 290:
These procedures could consider issues such as:
Although the procedures consider protection of the TOE in all aspects (integrity, confidentiality, availability), the technical measures introduced in ADO_DEL.2 and ADO_DEL.3 are required to address integrity issues only.
In the CEM, the following changes are made:
The objectives statement for ADO_DEL.1 (CEM para 664 and 960) is replaced with:
The objective of this sub-activity is to determine whether the delivery documentation describes all procedures used to maintain security of the TOE when distributing the TOE to the user's site.
The objectives statement for ADO_DEL.2 (CEM para 1334) is replaced with:
The objective of this sub-activity is to determine whether the delivery documentation describes all procedures used to maintain security and detect modification or substitution of the TOE when distributing the TOE to the user's site.
The term "integrity" is replaced with "security of the TOE" in CEM paragraphs 668, 964 and 1338.
CEM Paragraphs 669, 965 and 1339 are replaced with:
The emphasis in the delivery documentation is likely to be on measures related to integrity, as technical measures are required to be applied to maintain integrity during the TOE delivery. However, confidentiality and availability of the delivery will be of concern in the delivery of some TOEs; procedures relating to these aspects of the secure delivery should also be discussed in the procedures.
Rationale
ADO_DEL should not be constrained to maintaining only the integrity of the TOE during distribution. The components are specified such that the developer should describe the procedures that are necessary to maintain security when distributing the TOE, in accordance with the threats specified in the PP/ST. This is consistent with the content and presentation elements ADO_DEL.*.1, which state "...all procedures that are necessary to maintain security when distributing versions...".