Objectives
The aim of the TOE component categorisation report is to complement the AM Plan by providing a categorisation of the components of a TOE (e.g. TSF subsystems) according to their relevance to security. This categorisation acts as a focus for the developer's security impact analysis, and also for the subsequent re-evaluation of the TOE.
Component levelling
This family contains only one component.
Application notes
The term "least abstract TSF representation" in AMA_CAT.1.1 refers to the least abstract representation of the TSF that was provided for the level of assurance that is being maintained. For example, if the TOE is to be maintained at an assurance level of EAL3, then the least abstract TSF representation is the high-level design, and the following TOE components must be categorised:
a) all external TSF interfaces identifiable in the functional specification;
b) all TSF subsystems identifiable in the high-level design.
While AMA_CAT requires at least two categories to be defined, it may be appropriate (dependent on the type of TOE) to further subdivide the TSP-enforcing category in order to help focus the developer's security impact analysis. For example, TSP-enforcing components could be categorised as either security critical or security supporting where:
a) security critical TOE components are those which are directly responsible for the enforcement of at least one IT security function defined in the security target;
b) security supporting TOE components are those which are not directly responsible for the enforcement of any IT security function (and hence are not security critical), but which are nonetheless relied upon to uphold the IT security functions; this category may in turn include two distinct types of TOE component:
- those that provide services to security critical TOE components, and hence are relied upon to function correctly;
- those that do not provide any such service, but which nonetheless have to be trusted not to behave in a malicious manner (i.e. not to introduce a vulnerability).
AMA_CAT.1.3C requires an identification of any development tools that, if modified, will have an impact on the assurance that the TOE satisfies its security target (e.g. the compiler used to create the object code).