The following are my examples of Access Control SFRs written using the “Plain English” approach.

The original FDP_ACC.1 in CCv3 is:

FDP_ACC.1 Access control

Hierarchical to: No other components.

Dependencies: FDP_ISA.1 Security attribute initialisation

FDP_ACC.1.1 The TSF shall [selection: allow, disallow] an operation (blocking or unblocking) of a subject (Network Transmission or Receiving Process bound to a user) on an object (Inbound or Outbound Network Traffic) [selection: if, if and only if] [assignment: rules for operations, based on security attributes of the subjects and objects].

Example SFRs for Access Control:

1.1.1.1 FDP_ACC.1 (1) Access control

FDP_ACC.1.1 The TSF shall allow an operation blocking or unblocking of a subject Network Transmission or Receiving Process bound to a user on an object Inbound or Outbound Network Traffic [selection: if and only if] [assignment: The TSF shall always enforce network information flow rules, based on the security attributes of the subjects and objects.]

Dependencies: FDP_ISA.1(1&2) Security attribute initialization

The original Security Attribute Initialization SFR in CCv3 is:

FDP_ISA.1 Security attribute initialisation

Hierarchical to: No other components.

Dependencies: FDP_ACC.1 Access control

FDP_ISA.1.1 The TSF shall [selection: use the following rules [assignment: rules] to assign an initial value, assign the value [assignment: value]] to the security attribute [assignment: security attribute] whenever a [assignment: object or subject] is created.

Here is my proposal for the corresponding Security Attribute Initialisation (ISA) SFR for FDP_ACC.1(1) above:

1.1.1.2 FDP_ISA.1(1) Security attribute initialization

FDP_ISA.1.1 The TSF shall [selection: use the following rules [assignment: use the current configuration setting of the security attributes for a Network Transmission or Receiving Process bound to a user at any time] to assign the value [assignment: current configured value]] to the security attribute [assignment: any in the following list – port, protocol, source and destination IP or MAC address, other security attributes] whenever a [assignment: Network Transmission or Receiving Process bound to a user] is created.

1.1.1.3 FDP_ACC.1 (2) Access control

FDP_ACC.1.1 The TSF shall allow an operation Configuration of a subject a Network Interface Configuration Process bound to a user on an object in the following list: port, protocol, service, IP address, MAC address, other security attributes of the subject [selection: if and only if] [assignment: The user bound to the Network Interface Configuration Process shall be authenticated and authorized, based on the security attributes of the subjects and objects.]

Dependencies: FDP_ISA.1(2) Security attribute initialization

Here is the corresponding ISA SFR for FDP_ACC.1 (2):

1.1.1.4 FDP_ISA.1(2) Security attribute initialisation

FDP_ISA.1.1 The TSF shall [selection: use the following rules [assignment: disable all unused ports, protocols, services at startup] to assign an initial value [assignment: value]] to the security attribute [assignment: any of the following security attributes – unused port, protocol, service] whenever a [assignment: network interface configuration initialization process] is created.
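As an added illustration (not part of the original document or of any evaluated TOE), the following Python model shows how FDP_ACC.1(1), FDP_ISA.1(1), FDP_ACC.1(2) and FDP_ISA.1(2) above fit together as one enforcement mechanism: everything starts disabled, only an authenticated and authorised user may change the attributes, and traffic is unblocked only when it matches the current configured values. The class names, the `network_admin` role and the sample addresses are assumptions made for this example, and the per-process security attributes are simplified into a single shared configuration object.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool
    roles: frozenset

@dataclass(frozen=True)
class Flow:
    """Inbound or outbound network traffic: the object of FDP_ACC.1(1)."""
    direction: str  # "inbound" or "outbound"
    protocol: str
    port: int
    peer_ip: str    # source IP for inbound, destination IP for outbound

class NetworkPolicy:
    """Security attributes of the network interface configuration. FDP_ISA.1(2):
    every port, protocol and service starts disabled, so a fresh instance allows nothing."""
    def __init__(self):
        self.enabled = set()        # (protocol, port) pairs currently opened
        self.allowed_peers = set()  # source/destination IPs currently permitted

    def configure(self, user, protocol, port, peer_ip):
        """FDP_ACC.1(2): the Configuration operation on these attributes is allowed
        if and only if the user bound to the process is authenticated and authorised."""
        if not (user.authenticated and "network_admin" in user.roles):
            return False
        self.enabled.add((protocol, port))
        self.allowed_peers.add(peer_ip)
        return True

    def decide(self, flow):
        """FDP_ACC.1(1): traffic is unblocked only when its attributes match the
        current configured values (FDP_ISA.1(1)); everything else stays blocked."""
        return (flow.protocol, flow.port) in self.enabled and flow.peer_ip in self.allowed_peers

def demo():
    policy = NetworkPolicy()  # startup state: nothing enabled yet
    admin = User("alice", True, frozenset({"network_admin"}))
    guest = User("bob", True, frozenset())  # authenticated but not authorised to configure
    https = Flow("inbound", "tcp", 443, "192.0.2.10")  # constructed sample traffic
    telnet = Flow("inbound", "tcp", 23, "192.0.2.10")
    blocked_at_startup = policy.decide(https)  # False: port disabled at startup
    policy.configure(admin, "tcp", 443, "192.0.2.10")
    guest_config = policy.configure(guest, "tcp", 23, "192.0.2.10")  # False
    return blocked_at_startup, policy.decide(https), guest_config, policy.decide(telnet)
```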

1.1.1.5 FDP_ACC.1 (3) Access control

FDP_ACC.1.1 The TSF shall allow an operation in the following sets for the corresponding subjects and objects listed later in the same order:

1) print, copy, scan, fax, configuration, update, view, modify, delete, store, retrieve, other operations

2) configuration, update, view, modify, delete, store, retrieve, other operations

3) installation, configuration, update, modify, other operations

of a subject a process bound to a user

on an object in the following list corresponding to operation sets listed above in the same order:

1) User Document Data,

2) User Function Data, Management Data,

3) Firmware

[selection: if and only if] [assignment: The user bound to the subject is properly authenticated and authorized, based on the security attributes of the subjects and objects.]

Dependencies: FDP_ISA.1(3) Security attribute initialization

PP Application Notes:

The security attributes of the object could include: the PIN code or password and/or other information used for authorization of the operation on the object.

Here is my proposal for the corresponding Security Attribute Initialisation (ISA) SFR for FDP_ACC.1(3) above:

1.1.1.6 FDP_ISA.1(3) Security attribute initialization

FDP_ISA.1.1 The TSF shall [selection: use the following rules [assignment: use role-based access control] to assign the value [assignment: value]] to the security attribute [assignment: any security attribute in the following list – Security Role, other security attributes] whenever a [assignment: process bound to a human user, PC/workstation, or server] is created.

1.1.1.7 FDP_ACC.1 (4) Access control

FDP_ACC.1.1 The TSF shall allow an operation Encryption of a subject a Process that transmits or receives Management Data on an object User Credential [selection: if and only if] [assignment: User credential shall be protected for confidentiality while being transmitted over a communication path, based on the security attributes of the subjects and objects.]

Dependencies: FDP_ISA.1(4 & 5) Security attribute initialization

Here is my proposal for the corresponding Security Attribute Initialisation (ISA) SFRs for FDP_ACC.1(4) above:

1.1.1.8 FDP_ISA.1(4) Security attribute initialisation

FDP_ISA.1.1 The TSF shall [selection: use the following rules [assignment: use the current configuration settings of the security attributes of a process that transmits or receives Management Data] to assign the value [assignment: current configured value]] to the security attribute [assignment: any of the security attributes – protocol, encryption key, encryption algorithm of the protocol] whenever a [assignment: Process that transmits or receives Management Data] is created.

1.1.1.9 FDP_ISA.1(5) Security attribute initialisation

FDP_ISA.1.1 The TSF shall [selection: use the following rules [assignment: use an input value by an authorized user at initial configuration according to the operational environment’s network security policy] to assign an initial value [assignment: an input value by an authorized user]] to the security attribute [assignment: any of the following security attributes – protocol, encryption key, encryption algorithm of the protocol] whenever a [assignment: Network Interface Configuration Initialization Process] is created.

1.1.1.10 FIA_AFL.1 Authentication failure handling

FIA_AFL.1.1 The TSF shall detect when [assignment: positive integer] unsuccessful authentication attempts occur related to [selection: the same user, the same subject, [assignment: other common property of the unsuccessful authentication attempts]].

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [assignment: list of actions].

Dependencies: FIA_UAU.1 User authentication by TSF

1.1.1.11 FIA_UAU.1 User authentication by TSF

FIA_UAU.1.1 The TSF shall authenticate a local registered user before the user can bind to [assignment: a process that operates on User Document Data, User Function Data, Management Data, Firmware].

Dependencies: FIA_UID.2 User identification

FIA_URE.2 User registration with storage of authentication data

1.1.1.12 FIA_UAU.2 User authentication by third party

FIA_UAU.2.1 The TSF shall verify that a network registered user has been authenticated by [assignment: a network domain authentication service] before the user can bind to [assignment: a process that operates on User Document Data, User Function Data, Management Data, Firmware].

Dependencies: FIA_UID.2 User identification

1.1.1.13 FIA_UID.2 User identification

FIA_UID.2.1 The TSF shall identify a user before the user can bind to [assignment: a process that operates on User Document Data, User Function Data, Management Data, Firmware].

Dependencies: FIA_USB.1 User-subject binding

1.1.1.14 FIA_USB.1 (2) User-subject binding

FIA_USB.1.1 Upon binding a user to [assignment: a process that operates on User Document Data, User Function Data, Management Data, Firmware] [selection: the security attributes of the subject shall remain unchanged, the TSF shall change the values of security attributes of that subject as follows: [assignment: the values of security attributes of that subject shall be changed accordingly to the values determined from the user security properties]].

Dependencies: No dependencies.

1.1.1.15 FIA_URE.2 User registration with storage of authentication data

FIA_URE.2.1 The TSF shall be able to register new users.

FIA_URE.2.2 The TSF shall obtain values for [assignment: user security properties] from the registering user as follows: [assignment: rules for deriving security properties for the registering user].

FIA_URE.2.3 The TSF shall store these user security properties in [assignment: object].

Dependencies: FDP_ACC.1 Access control

1.1.1.16 FIA_TOB.1 TSF-initiated termination of binding

FIA_TOB.1.1 The TSF shall terminate a binding to a process that operates on User Document Data, User Function Data, Management Data, Firmware after [selection: completion of [assignment: operation], [assignment: time interval of user inactivity], [assignment: other condition]].

FIA_TOB.1.2 The TSF shall [selection: leave the security attributes of the subject unchanged, terminate the subject, set the security attributes of the subject to [assignment: rules for setting the security attributes of the subject]].

Dependencies: FIA_USB.1 User-subject binding

1.1.1 Communication (FCO)

1.1.1.17 FCO_CID.1 Confidentiality of imported data

FCO_CID.1.1 The TSF shall assist in protecting the confidentiality of User Document Data, User Function Data, Management Data, Firmware provided to [assignment: a process that receives imported data] by a user bound to that subject.

Dependencies: No dependencies

1.1.1.18 FCO_CED.1 Confidentiality of exported data

FCO_CED.1.1 The TSF shall protect the confidentiality of User Document Data, User Function Data, Management Data provided by [assignment: subject a process that transmits exported data] to a user bound to that subject.

Dependencies: No dependencies

1.1.1.19 FCO_IED.1 Integrity of exported data without recovery

FCO_IED.1.1 When [assignment: subject] transmits [assignment: list of data: User Document Data, User Function Data, Management Data and/or security attributes] to a user bound to that subject, the TSF shall provide that user the means to detect [selection: modification, deletion, insertion, replay, [assignment: other integrity]] anomalies.

Dependencies: No dependencies

1.1.1.20 FCO_IID.1 Integrity of imported data without recovery

FCO_IID.1.1 The TSF shall monitor the integrity of [assignment: list of data: User Document Data, User Function Data, Management Data, Firmware and/or security attributes] provided to [assignment: subject] by a user bound to that subject for [selection: modification, deletion, insertion, replay] anomalies.

FCO_IID.1.2 On detection of an anomaly the TSF shall discard the data and/or security attributes.

Dependencies: No dependencies

1.1.1.21 Security audit (FAU)

1.1.1.21.1 FAU_GEN.2 Audit data generation with time

FAU_GEN.2.1 The TSF shall store an audit record in [assignment: object] of the following events:

[selection: start-up of the audit functions, shut-down of the audit functions, [assignment:

1) All operation events that are subject to access controls,

2) All subject/object creation events for operations that are subject to access controls,

3) All registration events of users,

4) All local and network authentication events of users,

5) Data export events,

6) Data import events,

7) Self-test execution events,

8) rules for which other events will be audited]].

FAU_GEN.2.2 The TSF shall record within each audit record the following information:

a) Date and time of the event, type of event, values of [assignment: identity and/or credentials of the user bound to the subject, number of attempts until success or failure, other security attributes of the subject, references of exported data, references of imported data, detected anomaly of data import and export events], the [selection: success, failure, [assignment: other outcome(s)]] of the event;

and

b) [assignment: other information].

Dependencies: FMI_TIM.1 Time stamps

FDP_ACC.1 Access control

FPT_RSA.1 Maximum quotas for subjects and objects
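As an added illustration (not from the original document or from any evaluated TOE), the following Python model ties FDP_ACC.1(3) and FDP_ISA.1(3) above to the audit requirement of FAU_GEN.2: a subject bound to a user carries a Security Role, each requested operation is checked against the operation sets of FDP_ACC.1(3), and every decision is written as a record with the FAU_GEN.2.2 fields. The role names, the role-to-object table and the function names are assumptions made for this example.

```python
from datetime import datetime, timezone

# Operation sets 1)-3) of FDP_ACC.1(3), keyed by the object class each applies to.
OPERATIONS = {
    "User Document Data": {"print", "copy", "scan", "fax", "configuration", "update",
                           "view", "modify", "delete", "store", "retrieve"},
    "User Function Data": {"configuration", "update", "view", "modify", "delete",
                           "store", "retrieve"},
    "Management Data": {"configuration", "update", "view", "modify", "delete",
                        "store", "retrieve"},
    "Firmware": {"installation", "configuration", "update", "modify"},
}
# Assumed role-to-object table standing in for the "Security Role" attribute of FDP_ISA.1(3).
ROLE_PERMISSIONS = {
    "user": {"User Document Data"},
    "administrator": {"User Document Data", "User Function Data", "Management Data"},
    "maintainer": {"Firmware"},
}

def bind_subject(user_id, authenticated, role):
    """FIA_USB.1: the subject takes its Security Role from the bound user's properties;
    FIA_UAU.1/FIA_UID.2: no binding unless the user was identified and authenticated."""
    if not authenticated:
        return None
    return {"user": user_id, "role": role}

def check_access(subject, operation, object_class, audit_log):
    """FDP_ACC.1(3): allow iff the bound user is authenticated and authorised; log per FAU_GEN.2."""
    allowed = (subject is not None
               and operation in OPERATIONS.get(object_class, set())
               and object_class in ROLE_PERMISSIONS.get(subject["role"], set()))
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),  # FMI_TIM.1 supplies the clock
        "type": "access_control",
        "user": subject["user"] if subject else None,  # identity of the bound user
        "operation": operation, "object": object_class,
        "outcome": "success" if allowed else "failure",
    })
    return allowed

def demo():
    log = []  # the [assignment: object] in which audit records are stored
    alice = bind_subject("alice", True, "user")
    mallory = bind_subject("mallory", False, "administrator")  # never authenticated
    decisions = (check_access(alice, "print", "User Document Data", log),
                 check_access(alice, "update", "Firmware", log),
                 check_access(mallory, "view", "Management Data", log),
                 check_access(bind_subject("carol", True, "maintainer"), "fax", "Firmware", log))
    return decisions, [r["outcome"] for r in log]
```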

1.1.1.22 FMI_TIM.1 Time stamps

FMI_TIM.1.1 The TSF shall maintain the current time in [assignment: object] to an accuracy of [assignment: accuracy metric].

Dependencies: FDP_ACC.1 Access control

1.1.1.23 FPT_RSA.1 Maximum quotas for subjects and objects

FPT_RSA.1.1 The TSF shall enforce maximum quotas for [selection: processing resources, storage resources, communication resources, [assignment: other resources]] that [assignment: list of subjects and/or objects] can use [selection: simultaneously, over a specified period of time].

FPT_RSA.1.2 The TSF shall [assignment: detect and log the event and take other action(s) if possible] when a maximum quota is [selection: almost surpassed, surpassed].

Dependencies: No dependencies.