Page 1 A Guide to the Procurement of Trusted Systems: An ... - csirt
Therefore, the specific TCSEC requirements necessary to meet a certain division/class rating must be identified, without stating that the B2 product is desired. The desire for the decreased risk normally inherent in an EPL product, however, can and should be reflected as a strong evaluation weighting factor for source selection.

3.8.3 MULTIPLE-ENTITY SYSTEMS

A system may be composed of two or more entities, each of which uses different division/class security requirements. Some examples of the rationale for doing this are provided in NCSC-TG-021, "Trusted Database Management Interpretation," and also in Appendix A of NCSC-TG-005, "Trusted Network Interpretation." The reason could also be that, as a system evolves, a higher level of security may be mandated for a new part (entity) of the system (called "Y") than was mandated for the existing entity (called "X"). Rebuilding the entire system is often not practical. The alternative is to consider X and Y as distinct connected entities.

3.8.3.1 ENTITY PROTECTION

Distinct connected entities X and Y must be isolated from one another in a security sense. They each must meet their distinct security requirements. Communications by each to the other must be shown to meet an interface policy given for each. The interface policy must reflect the outgoing/incoming security policies, mutual trust, cascading effect, and least privilege considerations. If additional security requirements above those from the TCSEC have been imposed (e.g., a two-person rule), these requirements must be considered in the interface policy.

3.8.3.2 ENTITIES WITH THE SAME DIVISION/CLASS

Even two connected B3 systems may have to be treated as distinct entities. One B3 system may have resulted from an uncleared minimum user clearance with maximum Secret data sensitivity, and the other B3 system may have resulted from a Confidential minimum user clearance and maximum Top Secret data sensitivity (see Enclosure 4 of DoD Directive 5200.28). Cascading risk would probably require the combined system to be evaluated using Class A1 criteria.

3.8.4 RECOMMENDATIONS

As stated before, this set of four acquisition documents does not deal with this complicated situation of acquiring multiple security entity systems because DoD policy has not been finalized. This document series only deals with single system-entities. Successfully evaluated products will be said to "possess" a division/class (e.g., Class B3). System entities will be said to require some minimum division/class level (e.g., Class B3) requirements. System entities having successfully passed certification evaluation against a minimum division/class set of requirements will be identified, but those entities cannot be called, for example, Class B3 entities or systems. Instead, use "B3" for Class B3-evaluated products and "systems (or system entities) certified against Class B3 requirements" for the cases treated in this document set.

3.8.5 WHAT TO DO IN THE MEANTIME