What is the change request for the cPP? Please describe.
Issues #293 and #319 were written to introduce new extended SFRs FPT_WIPE_EXT Data Wiping and FDP_UDU_EXT User/Doc Unavailability to replace the current SFRs FDP_RIP.1/Purge and FDP_RIP.1/Overwrite, respectively, in the HCD cPP.
However, since both FPT_WIPE_EXT.1 and FDP_UDU_EXT.1 are Extended Components, they need Extended Component Definitions in Appendix D of the HCD cPP, which were not provided in Issue #293 for FPT_WIPE_EXT or in Issue #319 for FDP_UDU_EXT. The purpose of this issue is to provide the required Extended Component Definitions for the two SFRs as follows:
For FDP_UDU_EXT.1
FDP_UDU_EXT Extended: USER.DOC Unavailability
Family Behaviour
This family is to overwrite User Document Data from Nonvolatile Storage Devices.
Component Levelling
Example TBD.
+------------------------------------------+
|                                          |      +---+
| FDP_UDU_EXT USER.DOC Unavailability      +----->| 1 |
|                                          |      +---+
+------------------------------------------+
FDP_UDU_EXT.1 Extended: USER.DOC Unavailability requires the TSF to make User Document Data stored on wear-leveling and non-wear-leveling storage devices unavailable via either overwrite or destruction of cryptographic keys, to ensure that this data does not remain on the device in the TOE after a Document Processing job has been completed or cancelled.
Management
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
• There are no auditable events foreseen.
FDP_UDU_EXT.1 Extended: USER.DOC Unavailability
Hierarchical to:
No other components.
Dependencies:
No dependencies.
FDP_UDU_EXT.1 The TSF shall ensure that any previous information content stored on a [selection: wear-leveled storage device, non-wear-leveled storage device] of a resource is made unavailable [selection: by overwriting data, by destroying its cryptographic key] upon the deallocation of the resource from the following objects: D.USER.DOC.
Rationale
Extended: USER.DOC Unavailability specifies the overwrite of, or destruction of the cryptographic keys for, User Document Data stored on either wear-leveling or non-wear-leveling storage devices after completion or cancellation of the job without user intervention, and the Common Criteria does not provide a suitable SFR for this requirement. This extended component protects User Document Data on Disk, and it is therefore placed in the FDP class with a single component.
For FPT_WIPE_EXT
FPT_WIPE_EXT Extended: Data Wiping
Family Behaviour
This family is to make customer-supplied User and TSF Data stored in Nonvolatile Storage Devices unavailable upon the request of an Administrator.
Component Levelling
Example TBD.
+------------------------------------------+
|                                          |      +---+
| FPT_WIPE_EXT Data Wiping                 +----->| 1 |
|                                          |      +---+
+------------------------------------------+
FPT_WIPE_EXT.1 Extended: Data Wiping requires the TSF to make User and TSF Data stored on Nonvolatile Storage Devices unavailable upon request of an Administrator, using cryptographic erase and optionally additional media-specific methods.
Management
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
• There are no auditable events foreseen.
FPT_WIPE_EXT.1 Extended: Data Wiping
Hierarchical to:
No other components.
Dependencies:
No dependencies.
FPT_WIPE_EXT.1.1 The TSF shall ensure that any previous customer-supplied information content of a resource in non-volatile storage is made unavailable upon the request of an Administrator to the following objects: [D.USER, D.TSF] using the following method(s): cryptographic erase and [selection:
• logically addresses the storage location of the data and performs a [selection: single, [assignment: ST author defined multi-pass]] overwrite consisting of [selection: zeroes, ones, pseudo-random pattern, any value that does not contain any CSPs],
• block erase,
• media specific eMMC method,
• media specific ATA erase method,
• media specific NVMe method,
• no other method
] that meets the following: [no standard].
Rationale
Extended: Data Wiping specifies making both User and TSF data unavailable upon Administrator request via cryptographic erase and other optional media-specific methods, and the Common Criteria does not provide a suitable SFR for this requirement. This extended component protects the TOE from unauthorized disclosure of TSF data after decommissioning or redeployment, and it is therefore placed in the FPT class with a single component.
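The two definitions above distinguish "overwrite" from "cryptographic erase" and single out wear-leveled devices for a reason: on flash with a translation layer, overwriting a logical address usually lands on a fresh physical page, so the original bytes remain in stale cells until a block erase. The following toy model is an added illustration of that point for both FDP_UDU_EXT.1 (per-job key destruction after a Document Processing job) and FPT_WIPE_EXT.1 (Administrator wipe via cryptographic erase plus the optional block-erase method). It is not part of the HCD cPP or of any TOE's implementation; the flash translation layer, the HMAC-SHA256 keystream standing in for a real self-encrypting drive's AES-XTS, and the sample document are all constructed assumptions of this example.

```python
"""Toy model: why overwrite and cryptographic erase differ on wear-leveled media.
Added example; not HCD cPP text and not any vendor's TOE code."""
import hashlib
import hmac
import os

PAGE_SIZE = 64                 # toy page size; real NAND pages are KiB-sized
ERASED = b"\xff" * PAGE_SIZE   # erased NAND reads back as all ones


class WearLeveledFlash:
    """Flash with a minimal flash translation layer (assumed model).
    Writing a logical page allocates a fresh physical page and remaps the
    pointer; the old physical page keeps its bytes until a block erase."""

    def __init__(self, pages: int = 8) -> None:
        self.phys = [bytearray(ERASED) for _ in range(pages)]
        self.lba_map: dict[int, int] = {}       # logical page -> physical page
        self.free = list(range(pages))

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == PAGE_SIZE
        phys = self.free.pop(0)                 # never rewritten in place
        self.phys[phys][:] = data
        self.lba_map[lba] = phys                # previous page is now stale, not erased

    def read(self, lba: int) -> bytes:
        return bytes(self.phys[self.lba_map[lba]])

    def raw_dump(self) -> bytes:
        """What a raw read of the cells (e.g. a chip-off) would return."""
        return b"".join(bytes(p) for p in self.phys)

    def block_erase(self) -> None:
        for p in self.phys:
            p[:] = ERASED
        self.lba_map.clear()
        self.free = list(range(len(self.phys)))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a stand-in for the
    AES-XTS a real self-encrypting drive would use (assumption of the model)."""
    out = bytearray()
    for ctr in range(0, len(data), 32):
        block = hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], block))
    return bytes(out)


class EncryptingStore:
    """Per-job keys held outside the document media. Dropping a key is the
    'destroying its cryptographic key' / 'cryptographic erase' selection."""

    def __init__(self, flash: WearLeveledFlash) -> None:
        self.flash = flash
        self.keys: dict[str, bytes] = {}

    def store_job(self, job_id: str, lba: int, plaintext: bytes) -> None:
        key = os.urandom(32)
        self.keys[job_id] = key
        self.flash.write(lba, keystream_xor(key, plaintext))

    def read_job(self, job_id: str, lba: int):
        key = self.keys.get(job_id)
        if key is None:
            return None                         # no key, no recovery
        return keystream_xor(key, self.flash.read(lba))

    def destroy_key(self, job_id: str) -> None:
        self.keys.pop(job_id, None)             # FDP_UDU_EXT.1 on job completion

    def admin_wipe(self) -> None:
        self.keys.clear()                       # FPT_WIPE_EXT.1: cryptographic erase
        self.flash.block_erase()                # plus the optional "block erase" method


# Constructed sample document (one page of D.USER.DOC)
DOC = b"CONFIDENTIAL scan job 0042: payroll summary Q3".ljust(PAGE_SIZE, b" ")


def demo_overwrite_on_wear_leveled() -> dict:
    """Single-pass zero overwrite of the logical page on wear-leveled media."""
    flash = WearLeveledFlash()
    flash.write(0, DOC)
    flash.write(0, b"\x00" * PAGE_SIZE)
    return {
        "logical_read_is_zero": flash.read(0) == b"\x00" * PAGE_SIZE,   # True
        "plaintext_in_raw_cells": DOC in flash.raw_dump(),              # True: remnant survives
    }


def demo_cryptographic_erase() -> dict:
    """Per-job key destruction after the job: plaintext never hits the cells."""
    store = EncryptingStore(WearLeveledFlash())
    store.store_job("job-0042", 0, DOC)
    readable_with_key = store.read_job("job-0042", 0) == DOC
    store.destroy_key("job-0042")
    return {
        "plaintext_in_raw_cells": DOC in store.flash.raw_dump(),         # False
        "readable_with_key": readable_with_key,                          # True
        "readable_after_key_destroyed": store.read_job("job-0042", 0) == DOC,  # False
    }


def demo_admin_wipe() -> dict:
    """Administrator wipe: all keys destroyed and all cells block-erased."""
    store = EncryptingStore(WearLeveledFlash())
    store.store_job("job-0042", 0, DOC)
    store.store_job("job-0043", 1, DOC)
    store.admin_wipe()
    return {
        "keys_remaining": len(store.keys),                                           # 0
        "media_fully_erased": store.flash.raw_dump() == ERASED * len(store.flash.phys),  # True
    }
```

The first demo is the case the FDP_UDU_EXT.1 rationale is guarding against: the logical read looks clean while the raw cells still hold the document. The second shows why key destruction satisfies the requirement on both wear-leveled and non-wear-leveled devices, since the cells never held plaintext; the third combines the mandatory cryptographic erase of FPT_WIPE_EXT.1.1 with the selectable block-erase method so that not even ciphertext remains.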
Describe the solution you'd like
Include the above Extended Component Definitions for FDP_UDU_EXT and FPT_WIPE_EXT in Appendix D of the HCD cPP.
Describe alternatives you've considered
None
Additional context
None