10.10 Reference mediation (FPT_RVM)

Family behaviour

The requirements of this family address the "always invoked" aspect of a traditional reference monitor. The goal of this family is to ensure, with respect to a given SFP, that all actions requiring policy enforcement are validated by the TSF against the SFP. If the portion of the TSF that enforces the SFP also meets the requirements of appropriate components from FPT_SEP (Domain separation) and ADV_INT (TSF internals), then that portion of the TSF provides a "reference monitor" for that SFP.

A TSF that implements an SFP provides effective protection against unauthorised operation if and only if all enforceable actions (e.g. accesses to objects) requested by untrusted subjects with respect to any or all of that SFP are validated by the TSF before succeeding. If an action that could be enforceable by the TSF is incorrectly enforced or incorrectly bypassed, the overall enforcement of the SFP could be compromised. Subjects could then bypass the SFP in a variety of unauthorised ways (e.g. circumvent access checks for some subjects or objects, bypass checks for objects whose protection was assumed by applications, retain access rights beyond their intended lifetime, bypass auditing of audited actions, or bypass authentication). Note that some subjects, the so-called "trusted subjects" with respect to a specific SFP, might be trusted to enforce the SFP by themselves, and bypass the mediation of the SFP.
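As an added illustration of the "always invoked" property (example code, not part of the Common Criteria text): a toy reference monitor whose mediate() validates and audits every request, beside a handle design that validates only once at open time and then reads the object store directly, so a later revocation does not take effect and the reads leave no audit record. The subjects, objects and policy triples are constructed for the example.

```python
# Constructed example: subject/object names and the policy are not from the CC text.
from dataclasses import dataclass, field


@dataclass
class ReferenceMonitor:
    policy: set = field(default_factory=set)            # SFP: permitted (subject, object, op)
    trusted_subjects: set = field(default_factory=set)  # trusted to enforce the SFP themselves
    audit: list = field(default_factory=list)
    _objects: dict = field(default_factory=dict)        # reachable only through the TSF

    def revoke(self, subject, obj, op):
        self.policy.discard((subject, obj, op))

    def mediate(self, subject, obj, op):
        """'Always invoked': every request is validated and audited before it succeeds."""
        allowed = subject in self.trusted_subjects or (subject, obj, op) in self.policy
        self.audit.append((subject, obj, op, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{subject} may not {op} {obj}")
        return self._objects[obj]


class CachedHandle:
    """Flawed design: checked once at open, then bypasses mediate(), so revocation
    has no effect and later reads are never audited (two failures the text names)."""
    def __init__(self, monitor, subject, obj):
        monitor.mediate(subject, obj, "read")
        self._monitor, self._obj = monitor, obj

    def read(self):
        return self._monitor._objects[self._obj]  # direct access: not mediated


def build_monitor():
    return ReferenceMonitor(policy={("alice", "secret", "read")},
                            trusted_subjects={"backup_daemon"},
                            _objects={"secret": "s3cr3t"})


def demo():
    """Returns (mediated read succeeded after revocation?, bypassed read succeeded?)."""
    m = build_monitor()
    handle = CachedHandle(m, "alice", "secret")
    m.revoke("alice", "secret", "read")
    try:
        m.mediate("alice", "secret", "read")
        mediated_ok = True
    except PermissionError:
        mediated_ok = False
    return mediated_ok, handle.read() == "s3cr3t"
```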

Component levelling

This family consists of only one component, FPT_RVM.1 Non-bypassability of the TSP, which requires non-bypassability for all SFPs in the TSP.

Management: FPT_RVM.1

There are no management activities foreseen.

Audit: FPT_RVM.1

There are no actions identified that should be auditable if FAU_GEN Security audit data generation is included in the PP/ST.