| Identifier | Admin_Security_Data |
| Descriptive Name | Changes to security data by authorized personnel |
| Description | Provide mechanisms to assure that changes to security related data are executed only by authorized personnel. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Security_Attr_Mgt - Manage security attributes
Security_Data_Mgt - Manage security-critical data
Security_Func_Mgt - Manage behavior of security functions  |
| Identifier | Audit_Gen_User |
| Descriptive Name | Individual accountability |
| Description | The system shall provide individual accountability for auditable actions. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Audit_Gen_User - Individual accountability |
| Identifier | Audit_Generation |
| Descriptive Name | Audit data generation with identity |
| Description | The system shall provide the capability to ensure that all audit records include enough information to determine the date and time of action, the system locale of the action, the system entity that initiated or completed the action, the resources involved, and the action involved. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Audit_Generation - Audit records with identity |
| Identifier | Audit_Protect |
| Descriptive Name | Protected audit data storage |
| Description | The system shall protect the contents of the audit trails against unauthorized access, modification, or deletion. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Audit_Protect - Protect stored audit records |
| Identifier | Authority_Notify |
| Descriptive Name | Notification of threats and vulnerabilities |
| Description | Notification of threats and vulnerabilities shall be addressed. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Admin_Guidance - Administrator guidance documentation
X-Ray Application - Administrators must be kept informed of relevant threats and vulnerabilities and how to securely operate the TOE in the presence of identified and emerging threats and vulnerabilities.
User_Guidance - User guidance documentation
X-Ray Application - Users must be kept informed of relevant threats and vulnerabilities, how to report new threats and vulnerabilities, and how to apply relevant security mechanisms. |
| Identifier | Change_Control_Users |
| Descriptive Name | Notification of data content changes |
| Description | Notify user of the time and date of the last modification of data. |
| Selection Guidance | This is a generic policy that needs to be instantiated to say which data needs notification. |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Change_Control_Users - User notification of data content changes |
| Identifier | Config_Mgt_Plan |
| Descriptive Name | Implement operational configuration management |
| Description | A configuration management plan shall be implemented by the system. The system shall implement configuration management to assure storage integrity, identification of system connectivity (software, hardware, and firmware), and identification of system components (software, hardware, and firmware).
The system shall implement strong integrity mechanisms (integrity locks, encryption). |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Config_Management - Implement operational configuration management |
| Identifier | Documented_Recovery |
| Descriptive Name | Documented recovery |
| Description | The system shall provide procedures and features to assure that system recovery is done in a trusted and secure manner. Any circumstances that could result in an untrusted recovery shall be documented. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Trusted_Recovery_Doc - Documentation of untrusted data recovery |
| Identifier | External_Labels |
| Descriptive Name | Labeling data |
| Description | The system shall provide security parameters associated with information exchanged between systems. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
External_Labels - Label or mark information for external systems |
| Identifier | I&A_User |
| Descriptive Name | User identification and authentication |
| Description | The system shall provide Identification and authentication (I&A) procedures which uniquely identify and authenticate users. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
I&A_Domain - Identify and authenticate a user to support accountability |
| Identifier | Integrity_Data/SW |
| Descriptive Name | Strong integrity mechanisms |
| Description | The system shall implement strong integrity mechanisms (integrity locks, encryption). |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Integrity_Data/SW - Integrity protection for user data and software |
| Identifier | Integrity_Practice |
| Descriptive Name | Operational integrity system function testing |
| Description | Provide system functional tests to periodically test the integrity of the hardware and code running system functions. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Integrity_Practice - Operational integrity system function testing |
| Identifier | Lifecycle_Security |
| Descriptive Name | Security throughout lifecycle |
| Description | Security shall be addressed throughout the system's lifecycle. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Lifecycle_Security - Lifecycle security |
| Identifier | Malicious_Code |
| Descriptive Name | Malicious code prevention |
| Description | Procedures and mechanisms to prevent the introduction of malicious code into the system shall be provided. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Malicious_Code - Procedures for preventing malicious code |
| Identifier | Need_To_Know |
| Descriptive Name | Privileged user access |
| Description | The system shall function so that each user has access to all of the information and functions that the user requires to perform duties, but no more. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
User_Defined_AC - User-defined access control
Objective Application - Choose either variant of this objective (i.e., Subset or Complete). The Complete variant is recommended for a stronger
implementation of the need-to-know principle.
X-Ray Application - FDP_ACC.1, FDP_ACC.2:
SFP: Need-to-Know.
Objects: those requiring need-to-know protection.
Subjects: those that may access the protected objects.
Operations: that that may extract information from the protected objects.
FDP_ACF.1:
SFP: Need-to-Know.
Attributes:
Object ownership: individuals or groups with designated need to know, optionally, operations that may be used to observe object content.
Rules governing access: state that (1) only those with designated need to know may observe, (2) only owners may alter attributes (possibly with suitable administrative override), and (3) only designated users (e.g., owners) may control object content.
Objective Rationale - The SFP gives object owners the ability to restrict direct access to those with a designated need to know. However, those with a need-to-know (and processes acting on their behalf) must be trusted to themselves enforce need-to-know constraints. |
| Identifier | Non-Repudiation |
| Descriptive Name | Non-repudiation capabilities |
| Description | The system shall provide non-repudiation capabilities. |
| Selection Guidance | An example of a non-repudiation mechanism is an implementation of digital signatures. |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
NonRepudiate_Recd - Non-repudiation for received information
NonRepudiate_Sent - Non-repudiation for sent information |
| Identifier | Privileged_Doc |
| Descriptive Name | Privileged user documentation |
| Description | Documentation shall include guides or manuals for the system's privileged users. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Admin_Guidance - Administrator guidance documentation |
| Identifier | Screen_Lock |
| Descriptive Name | User screen locking |
| Description | The system shall provide a screen lock mechanism. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Screen_Lock - User screen locking |
| Identifier | Storage_Integrity |
| Descriptive Name | Assurance of effective storage integrity |
| Description | The system shall provide assurance that storage integrity is effective. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Storage_Integrity - Storage integrity |
| Identifier | Sys_Access_Banners |
| Descriptive Name | System access banners |
| Description | The system shall notify users prior to gaining access that the user's actions may be monitored and recorded, that using the system consents to such monitoring, and that unauthorized use may result in criminal or civil penalties. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Sys_Access_Banners - System access banners |
| Identifier | Sys_Assur_HW/SW/FW |
| Descriptive Name | Validation of security function integrity |
| Description | Features and procedures to validate the integrity and the expected operation of the security-relevant software, hardware, and firmware shall be provided by the system. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Sys_Assur_HW/SW/FW - Validation of security function |
| Identifier | Sys_Backup_Procs |
| Descriptive Name | System backup procedures |
| Description | Provide the capability to restore the system to a secure state after discontinuities of system operations. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Sys_Backup_Procs - System backup procedures |
| Identifier | Sys_Backup_Restore |
| Descriptive Name | Restoration with minimal loss |
| Description | The system shall provide backup procedures to allow restoration of the system with minimal loss of service or data. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Sys_Backup_Restore - Frequent backups to prevent minimal loss |
| Identifier | Sys_Backup_Storage |
| Descriptive Name | Effective backup restoration |
| Description | The system shall provide procedures to ensure both the existence of sufficient backup storage capability and effective restoration (incremental and complete) of the backup data. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Sys_Backup_Storage - Sufficient backup storage and effective restoration |
| Identifier | Sys_Backup_Verify |
| Descriptive Name | Backup protection and restoration |
| Description | The system shall provide appropriate physical and technical protection of the backup and restoration hardware, firmware, and software. |
| Selection Guidance | |
| Safeguard Application | The objective O.Sys_Backup_Verify does not provide complete coverage of this policy. Additional objectives need to be defined. Currently detection of failure is accounted for but not prevention of failure. |
| Editorial | |
Supporting Policy Objectives
Sys_Backup_Verify - Detect modifications of backup hardware, firmware, software |
| Identifier | System_Protection |
| Descriptive Name | Protection from security function modification |
| Description | Provide features or procedures for protection of the system from improper changes. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Config_Management - Implement operational configuration management
Sys_Assur_HW/SW/FW - Validation of security function
Sys_Self_Protection - Protection of system security function |
| Identifier | System_Recovery |
| Descriptive Name | Trusted system recovery |
| Description | Provide procedures and features to assure that system recovery is done in a trusted and secure manner. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Trusted_Recovery_Doc - Documentation of untrusted data recovery |
| Identifier | Tamper_ID |
| Descriptive Name | Physical tampering detection and notification |
| Description | The system shall detect physical tampering and notify the appropriate authority. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Tamper_ID - Tamper detection |
| Identifier | User_Auth_Enhanced |
| Descriptive Name | Enhanced user identification and authentication |
| Description | The system shall require the use of enhanced authentication for privileged users who either reside outside of the system's perimeter or whose communications traverse data lines outside of the system's perimeter. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
User_Auth_Enhanced - Enhanced user authentication |
| Identifier | User_Data_Dial-in |
| Descriptive Name | Encryption of transmitted user data |
| Description | The system shall provide data transmission using an encryption mechanism appropriate for the sensitivity of the data. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
User_Data_Dial-in - Protection of user-session data |
| Identifier | User_Data_Storage |
| Descriptive Name | Protection of stored user data |
| Description | The system shall provide appropriate storage, continuous personnel access control storage, or encrypted storage of data based on the sensitivity of the data. |
| Selection Guidance | |
| Safeguard Application | O.User_Data_Integrity covers part of this policy, but an additional objective dealing with confidentiality may be needed. |
| Editorial | |
Supporting Policy Objectives
Info_Flow_Control - System enforced information flow
User_Data_Integrity - Integrity protection of stored user data
User_Defined_AC - User-defined access control |
| Identifier | User_Data_Transfer |
| Descriptive Name | Protection of transmitted user data |
| Description | The system shall provide a protected distribution system for data transmitted. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
Identify_Unusual_Act - Identify unusual user activity
User_Data_Transfer - Protection of transmitted user data |
| Identifier | User_Defined_AC |
| Descriptive Name | Discretionary access control |
| Description | The system shall provide a Discretionary Access Control (DAC) function (i.e., a user can grant access authorization to other users for data they control). |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | "Data" is a compromise between "information" and "object". The issue is that DAC does not necessarily control access to information. |
Supporting Policy Objectives
User_Defined_AC - User-defined access control |
| Identifier | User_Documentation |
| Descriptive Name | General user documentation |
| Description | Documentation shall include a user's guide for the general user. |
| Selection Guidance | |
| Safeguard Application | |
| Editorial | |
Supporting Policy Objectives
User_Guidance - User guidance documentation |