Audience | Purpose |
---|---|
IT Product Vendors | Use these guidelines to structure the creation of product-specific configuration guidance produced as part of a Common Criteria evaluation. The creation of administrative guidance is required by NIAP-approved Protection Profiles. The items specified in this document, as well as any best practices, should be provided as part of the administrative guidance. For each configuration item, the guidance must include the steps necessary to configure the setting of the product. |
Test Labs | Use these guidelines to configure and test systems undergoing evaluation against a NIAP-approved Protection Profile. Using this guidance during evaluation provides assurance that the guidance is correct and implementable. |
Network Owners and Assessors | Use these guidelines to assess the configuration of operational systems when product-specific guidance does not exist. |
In order to implement security controls from the NIST Risk Management Framework, each component of the information system must possess the necessary security functionality and also be properly configured to leverage that functionality.
NIAP Protection Profiles express requirements for security functionality for individual IT products within the overall information system. This includes management functions which indicate where an enterprise or end user is expected to be able to operationally configure the product. However, the Protection Profile does not indicate specific values for each configuration setting. This Annex specifies those specific requirements for operational configuration of a product type. It also provides a mapping to each NIST control which the operational setting helps the overall system implement. This complements the control mapping provided with each Protection Profile, which is focused on security functionality. Together, these documents support the creation of system security plans, as well as the Select, Implement, Assess, and Monitor steps of the Risk Management Framework (RMF).
The table below describes configuration requirements for operating systems.
Each configuration requirement is associated with a security functionality requirement (SFR) from the associated Protection Profile or Module. Each configuration requirement is also associated with a NIST 800-53 security control and CNSSI 1253 configuration value where applicable. See Wireless EP/Module for wireless-specific configuration requirements.
Configuration Action | NIST Control | CNSSI 1253 Value or DoD-specific Value | NIAP PP Reference |
---|---|---|---|
IA-5 (1)(a) | 12 characters | FMT_MOF_EXT.1 | |
IA-5 (1)(a) | at least one | FMT_MOF_EXT.1 | |
IA-5 (1)(a) | at least one | FMT_MOF_EXT.1 | |
IA-5 (1)(a) | at least one | FMT_MOF_EXT.1 | |
IA-5 (1)(a) | at least one | FMT_MOF_EXT.1 | |
AC-11a. | FMT_MOF_EXT.1 | ||
AC-11a. | 30 minutes | FMT_MOF_EXT.1 | |
FIA_AFL.1 | |||
AC-7a. | 315 minutes | FMT_MOF_EXT.1 | |
SC-7 (12) | FMT_MOF_EXT.1 | ||
From Which to Receive Config Settings | CM-3(3) | FMT_MOF_EXT.1 | |
AU-4(1) | FAU_GEN.1.1.c | ||
AC-8a. | see text below | FMT_MOF_EXT.1 | |
AU-2a. | Authentication events: (1) Logons (Success/Failure) (2) Logoffs (Success) | FAU_GEN.1.1.c | |
AU-2a. | File and Objects events: (1) Create (Success/Failure) (2) Access (Success/Failure) (3) Delete (Success/Failure) (4) Modify (Success/Failure) (5) Permission Modification (Success/Failure) (6) Ownership Modification (Success/Failure) | FAU_GEN.1.1.c | |
AU-2a. | User and Group Management events: (1) User add, delete, modify, disable, enable (Success/Failure) (2) Group/Role add, delete, modify (Success/Failure) | FAU_GEN.1.1.c | |
AU-2a. | Privilege/Role escalation (Success/Failure) | FAU_GEN.1.1.c | |
AU-2a. | Audit and log data access (Success/Failure) | FAU_GEN.1.1.c | |
AU-2a. | FAU_GEN.1.1.c | ||
AU-2a. | Application (e.g., Firefox, Internet Explorer, MS Office Suite, etc.) initialization (Success/Failure) | FAU_GEN.1.1.c | |
AU-2a. | System reboot, restart and shutdown (Success/Failure) | FAU_GEN.1.1.c | |
AU-2a. | FAU_GEN.1.1.c | ||
SI-2 | FMT_MOF_EXT.1 |
Identifier | Title |
---|---|
[CC] | Common Criteria for Information Technology Security Evaluation -
|
[CNSSI-1253] | Committee on National Security Systems Instruction 1253, Security Categorization and Control Selection for National Security Systems, 27 March 2014. |