FPT_SEP.2 SFP domain separation
The most important function provided by a TSF is the enforcement of its SFPs. In order to simplify the design and increase the likelihood that those significant SFPs exhibit the characteristics of a reference monitor (RM), in particular, being tamperproof, they must be in a domain distinct from the remainder of the TSF.
Evaluator application notes
It is possible that a reference monitor in a layered design may provide functions beyond those of the SFPs. This arises out of the practical nature of layered software design. The goal should be to minimise the non-SFP related functions.
Note that it is acceptable for the reference monitors for all included SFPs to be in a single distinct reference monitor domain, as well as having multiple reference monitor domains (each enforcing one or more SFPs). If multiple reference monitor domains for SFPs are present, it is acceptable for them to be either peers or in a hierarchical relationship.
For FPT_SEP.2.1, the phrase "unisolated portion of the TSF" refers to that portion of the TSF consisting of those functions in the TSF not covered by FPT_SEP.2.3.
Operations
Assignment:
For FPT_SEP.2.3, the PP/ST author should specify the access control and/or information flow control SFPs in the TSP that should have a separate domain.