:C_mall_doc, 7.0 Template: CSE Arendetyp: 6 Diarienummer: 13FMV5884-50:1 FMV & Dokument ID FMVID-297-822 eo VW CSEC Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 Issue: 1.0, 2014-jun-27 Authorisation: Dag Stroman, Head of CSEC , CSEC Report Distribution: Arkiv Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 Table of Contents 1 2 3 4 10 11 12 13FMV5884-50:1 FMVID-297-822 4.1 4.2 4.3 7A Executive Summary Identification Security Policy Assumptions and Clarification of Scope Usage Assumptions Environmental Assumptions Clarification of Scope Architectural Information Documentation IT Product Testing Test Configuration Evaluated Configuration Results of the Evaluation Evaluator Comments and Recommendations Glossary Bibliography © OHOo & A © 2014-06-27 2(19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 1 Executive Summary The Target of Evaluation (TOE) is Stonesoft Firewall/VPN & IPS Security Engine 5.5 with the following elements: e Stonesoft Firewall/VPN & IPS Security Engine, version 5.5.4.9869.cc.2 e INSIDE Secure QuickSec IPsec Toolkit, version 5.2 The TOE is a network protection software component running on an appliance. It may be operated either as a Layer 3 Firewall with VPN or as a transparent Layer 2 Intrus- ion Prevention System (IPS). Operated as Firewall/VPN it provides a Multi-Layer Inspection technology that com- bines both stateful and application-level inspection technology to control connectivity and information flow between internal and external networks. It also provides a means to keep the internal hosts’ IP-address private from external users. As part of a cluster, the Stonesoft Firewall/VPN & IPS Security Engine provides high availability of these firewall security services for the users and servers protected by the cluster of firewalls when a node in the cluster or a network connection to a node fails. Operated as IPS, it provides Multi-Layer Inspection technology combined with evas- ion-proof threat protection and flexibility in network deployment. No claims to Protection Profile conformance were made. There are ten assumptions made in the ST regarding the secure usage and environment of TOE. The TOE relies on these being met to counter the six threats, and to fulfil the three organisational security policies (OSP) in the ST. The assumptions, the threats and the organisational security policies are described in chapter 4 Assumptions and Clarification of Scope. The evaluation has been performed by atsec information security AB in Danderyd, Sweden, and was completed on 2414-06-19. The evaluation was conducted in accord- ance with the requirements of Common Criteria, version 3.1 R4, and the Common Methodology for IT Security Evaluation, version 3.1 R4. The evaluation was per- formed at the evaluation assurance level EAL4, augmented by ALC_FLR.1 Basic Flaw Remediation. The certifier audited the activities of the evaluator by reviewing all evaluation reports and by overseeing the evaluators performing site visit and testing. The certifier deter- mined that the evaluation results showed that the product satisfied all functional and assurance requirements stated in the Security Target [ST]. The evaluator concluded that the common criteria requirements for evaluation assurance level EAL4 augmented by ALC_FLR.1 have been met. The technical information included in this report has been compiled from the Security Target [ST] and from the final evaluation report produced by atsec information securi- ty AB. The certification results only apply to the version of the product indicated in the cer- tificate, and on the condition that all the stipulations in the Security Target are met. This certificate is not an endorsement of the IT product by CSEC or any other organ- isation that recognises or gives effect to this certificate, and no warranty of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate is either expressed or implied. 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 3 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 2 Identification Certification Identification Certification ID CSEC2013003 Name and version of the Stonesoft Firewall/VPN & IPS Security Engine 5.5 certified IT product McA fee NGFW and McAfee NGFW-IPS 5.5 Security Target Identification N Security Target, document version 2.0, 2014-05-27 EAL EAL4 augmented by ALC_FLR.1, CC part 3 con- formant. Sponsor McAfee, Inc. (An Intel Company) Developer McAfee, Inc. (An Intel Company) ITSEF atsec information security AB Common Criteria version Common Criteria version 3.1R4 [CCp1], [CCp2], [CCp3] CEM version Common Methodology for Information Technology Security Evaluation, version 3.1R4, [CEM], National and international - interpretations Scheme version QMS 1.16.1 QMS 1.16 2014-02-13 QMS 1.15 2013-10-23 The changes have had no impact on the certification. Certification completion date 2014-06-27 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 4 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 3 Security Policy The security features within the scope of the ST when operated in the Firewall/VPN role are: e Information Flow Control on the traffic that passes through the TOE. The TOE mediates the flow of all information that passes through its internal and external network connections to enforce the firewall security policy using: — Access rules based on the IP source address, destination address, transport lay- er protocol, application layer protocol, source port, destination port, and the in- terface on which the packet arrives; connection tracking; user authentication results; and the validity time. — Protocol Agents providing additional rules based on application-level infor- mation and mechanisms to redirect connections. The evaluation is limited to protocol agents for FTP, HTTP, and SMTP. All other protocol agents are not part of the evaluated configuration. e Network Address Translation (NAT) between external IT entities that pass traffic through the TOE, ensuring that the IP addresses of hosts on internal networks are kept private from external users, e Virtual Private Network: IPsec compliant VPN (tunnel mode only) using IKE for key establishment with certificate based authentication. SSL-based VPN connec- tions are not included in the evaluated configuration. e High Availability: In case of a total node failure, failure in one component or loss of connectivity to a network connected to a node, the firewall engine in a cluster is capable of failing over all sessions to other nodes. This provides continuous en- forcement of the firewall security policy, including information flow control. The security features within the scope of the ST when operated in the IPS role are: e Deep packet inspection for the following protocols: Ethernet, IPv4, TCP, UDP, DNS, and HTTP e Context-aware inspection, in which the inspection is protocol specific Fingerprint- ing Both the Firewall/VPN and the IPS provides the following major security features: e Audit generation: The TOE provides a means to generate audit records of security- relevant events relating to the IP traffic through the firewall and firewall security policy changes. The TOE also provides a means for the administrator to define the criteria used for the selection of the IP traffic events to be audited. It also provides a mechanism for preventing audit data loss. © Security manageability and protection of security functions: Administrators access the TOE using certificate based authentication and protected communication be- tween the Stonesoft Management Center (not part of the TOE) and TOE. The Stonesoft Management Center provides the interface for managing the security policy and authentication attributes, the TSF data, and security functions of the TOE, The TOE also ensures the trusted security functions are always invoked and cannot be bypassed. 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 5 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 4 Assumptions and Clarification of Scope 4.1 Usage Assumptions The Security Target [ST] makes three assumption on the usage ofthe TOE: A.ADMIN A.ADMINTRUST It is assumed that the administrator only can access the TOE via the trusted Management Server on a trusted and separate man- agement network and that the administrator has been identified and authenticated to the Stonesoft Management Center. It is assumed that administrators are trained, qualified, non- hostile and follow all guidance. A.AUDITMAN It is assumed that audit trails are regularly analyzed and archived. 4.2 Environmental Assumptions Seven assumptions are made in the Security Target [ST] on the environment: A.AUDITSUPP It is assumed that the environment provides protected perma- nent storage of the audit trails generated by the TOE. A.MEDIATSUPP It is assumed that data cannot flow between the internal and external networks unless it passes through the TOE. In the clus- ter case (Firewall/VPN role only), traffic only needs to pass through one of the cluster nodes, which is just another instance of the TOE. A.ENVIRON It is assumed that the underlying hardware ofthe TOE node and the TOE's associated Management Servers and management and cluster networks are dedicated to the TOE usage, function according to their specifications, and are physically secure, only allowing administrators physical access. A.TIME It is assumed that the IT environment will provide a reliable time source to the TOE and the TOE environment. A.USERAUTH It is assumed that the IT environment will provide a user direc- {Firewall/VPN} tory and a user authentication mechanism for the TOE to use when the firewall security policy requires users to authenticate before information can flow between the internal and external networks. A.VPN {Fi- Peer external IT entities in trusted VPN channels must be able rewall/VPN} to protect the integrity and confidentiality of data transmitted to A.PLACEMENT {IPS} the TOE via encryption and provide authentication for such data. Upon receipt of data from the TOE, the peer external IT entity must be able to decrypt the data and verify that the re- ceived data accurately represents the data that was originally transmitted. The IPS must be placed in such a way to ensure adequate cov- erage of network segments where critical assets are located. 4.3 Clarification of Scope The following Stonesoft Firewall/VPN & IPS Security Engine appliance models are included within the evaluation scope: e Stonesoft MIL-320 (Firewall/VPN only) © —Stonesoft 5206 13FMV5884-50:1 FMVID-297-822 1.0 2014-06-27 6 (19) 13FMV5884-50:1 FMVID-297-822 Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 Stonesoft 3206 Stonesoft 3202 Stonesoft 1402 Stonesoft 1065 Stonesoft 1035 Hardware and software components that are considered part of the TOE environment: TOE operating platform: — Intel Pentium 4 or higher (or equivalent) recommended, — 2 GB RAM or more recommended, Standard Linux Kernel 3.5.7 with Stonesoft specific modifications, Debian GNU/Linux 6.0 (squeeze) based distribution, — Network Interface Cards (see [ST]Annex D). Stonesoft Management Center, version 5.5: — the Management Server, — the Log Server, — the Management Client, OpenSSL 1.0.1 and 0.9.8, OpenSSH 5.5, OpenLDAP client and server, version 2.4, Architecture and System support: — at least 2 network interfaces, — | management network interface, — 1 cluster network interface (applicable only for Firewall/VPN), — asecond TOE to form a cluster (applicable only for Firewall/VPN), and — athird TOE used as a Security Gateway for VPN functionality (applicable only for Firewall/VPN). 1.0 2014-06-27 7 (19) 13FMV5884-50:1 FMVID-297-822 Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 Architectural Information The Target of Evaluation (TOE) is Stonesoft Firewall/VPN & IPS Security Engine, version 5.5.4.9869.cc.2. In the evaluated configuration the TOE is provided and running as part of a Stonesoft appliance with hardware and underlying operating system consisting of e astandard Intel Pentium 4 or higher based hardware platform with 2 GB or more RAM with four or more network interfaces, and e aDebian GNU/Linux 6.0 based operating system including a Linux kernel 3.5.7 with Stonesoft specific modifications. The Stonesoft Firewall/VPN & IPS Security Engine may be used either as a Fire- wall/VPN or as an IPS. The Stonesoft Firewall/VPN & IPS Appliance product in IPS role is intended to be used for network traffic deep inspection and threat protection. The intended IPS de- ployment scenarios are (but not limited to) network perimeter, network core and inter- nal network segments. The Stonesoft Firewall/VPN & IPS Appliance is assumed to be installed and operated within a physically protected environment, administered by trusted and trained admin- istrators over a trusted and separate management network. Multiple installations of the Stonesoft Firewall/VPN & IPS Security Engine may be used in combination to obtain the functionality of both the Firewall/VPN or the IPS role. The Stonesoft Firewall/VPN & IPS Security Engine runs on a hardened Linux operat- ing system that is shipped with the product. The software runs on a single or multi- processor Intel platform, which is also part of the Stonesoft Firewall/VPN & IPS Ap- pliance product. 1.0 2014-06-27 8 (19) 13FMV5884-50:1 FMVID-297-822 Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 Documentation The following user guidence are part of the TOE: Common Criteria Certification User’s Guide, version SGCC_20140417 Stonesoft Firewall/VPN Installation Guide, version SGFIG_20130624 Stonesoft Firewall/VPN Reference Guide, version SGFRG_20131126 Stonesoft IPS and Layer 2 Installation Guide, version SGIIG 20130618 Stonesoft IPS and Layer 2 Reference Guide, version SGIRG_20130624 Stonesoft Administrator’s Guide, version SGAG_20131202 1.0 2014-06-27 9 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 7 IT Product Testing 7.1 Test Configuration Firewall/VPN evaluation testing environment includes two Stonesoft Firewall/VPN- role clusters with two nodes in each cluster. Additional hosts include SMC (Stonesoft Management Center) for controlling and configuring the security engine nodes and re- ceiving log data, ATF (Automated Testing Framework) control host for executing au- tomated tests and six hosts and two routers for miscellaneous functions depending on executed test. Additionally, evaluation test environment includes three Firewall/VPN single nodes each having two client/server host machines which run on ESX virtual machines. IPS role test environment has six single security engines. Each are cabled so that re- cording replay machine can replay traffic capture recordings through them using one inline pair. Three hosts are on different sides (one left and two right) so that traffic be- tween sides go through security engine inline pair and by changing used addresses (and VLAN) traffic can go through selected security engine. TAA Developer Testing Testing Effort The developer uses an automated test framework (ATF) for most of the test cases. It allows the execution of single or batches of test cases. The ATF controls local test networks that consists of various test clients (PCs), as well as all supported TOE hardware platforms. The test cases are written in XML and instruct the ATF on e how to configure the involved clients e howto configure the TOEs that are to be tested ‘e which commands to perform on which device e how to investigate for the expected results Each test case consists of several test steps, which have unique identifiers. Each test step contains one specific task to perform, e.g., to configure an IP address on a specif- ie device, or to perform a PING command from one device to another. Approach The testing approach of the developer was to demonstrate that all test cases ran suc- cessfully and that all ST claims, interfaces, and subsystems were verified by the tests. 101 test cases (including several test steps) were used for this task. The ATF can be instructed on which TOE hardware platform to use for a specific test. All platforms run the same software binary; the developer tests therefore run a subset of the tests on each platform to cover all functionalities of the binary. The test cases also include testing of the clustering functionality (where applicable). Configuration The ATF environment contains two test networks, one for the Firewall/VPN role and one for IPS. Both contain all applicable hardware platforms. In summary, all support- ed TOE hardware platforms are included in the tests: e Stonesoft MIL-320 (Firewall/VPN only) e Stonesoft 1402 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 10 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 ° Stonesoft 1035 © Stonesoft 1065 © Stonesoft 3202 e Stonesoft 3206 © Stonesoft 5206 This allows for automated testing of all hardware and role (Firewall/VPN and IPS) combinations, without the need for manual rewiring. Each of the two test networks contains several sub-networks to perform various network tests such as NAT, VPN or clustering. Results The developer has provided the results of all test cases that were performed, as well as the associated low level log files from the ATF framework. All tests were successfull. 7.1.2 Evaluator Testing Effort Test effort The evaluator executed 56 developer test suites where each test suite is comprised of multiple subtests. The evaluator further performed evaluator tests to verify the requirements of FCS_CKM.4 {Firewall/VPN}. This was done in form of a source code review, to- gether with the developer and certifier. All relevant call trees in the code were inspect- ed. Test approach The independent evaluator testing followed the CEM guidance to test every security function, without striving for exhaustive testing. For their own test, the evaluators de- termined that a source code audit is the most suitable approach. The evaluators tested a sample of the supported hardware platforms, in single and cluster mode (sample). The test environment of the developer was used, including the proprietary Automated Testing Framework (ATF). The ATF allowed to perform most of the test automated, and produced detailed log files of the test results. The evaluators also performed various manual tests. The actual execution was done by developer personnel, under close supervision of the evaluators and the certifier. The evaluator also performed negative tests by manually modifying the ATF test cas- es. All such tests were found to behave as expected. All security functionality defined in the ST has been tested. Test configuration The evaluators executed a sample of the developer test suites. The testing environment consisted of two networks, one for the Firewall/VPN role and one for IPS. The Fire- wall/VPN network contained two Firewall/VPN clusters, with two nodes in each clus- ter, as well as single devices. The IPS network contained multiple IPS devices. Addi- tional hosts included SMC for controlling and configuring the Security Engine nodes and receiving log data, ATF control host for executing automated tests and multiple clients for miscellaneous functions depending on the executed test. 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 11(19) 13FMV5884-50:1 FMVID-297-822 Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 Test depth The evaluators tested all security functions for appropriate coverage; since the evalua- tors already determined that the developer testing was sufficiently exercising all rele- vant subsystems, the evaluators did not need to exhaustively test all interfaces and subsystems. Especially, the evaluators did cover management functions mainly by us- ing them. Their exposure to potentially malicious users is minimal (actually non- existent) when the system is operated in the evaluated configuration in an environment fulfilling the assumptions from the ST. Test results The subset of developer tests re-run by the evaluator performed successfully. All manual and automated evaluator tests were performed successfully - expected and ac- tual results were consistent. Evaluator Penetration Testing Testing effort The testing was performed on the external TOE network interfaces. The evaluator tested network traffic handling, filtering, routing and inspection. Security Management and logging was tested indirectly during testing, e.g., the evaluator edited firewall rules, configured interfaces and observed logging events. The cluster functionality was not tested during independent testing as only one firewall node was used. Testing approach The evaluator analysed the developer design and guidance documentation in order to identify the attack surface of the TOE. The evaluator came to the conclusion that the attack surface consists of the external network interface, i.e., data that are sent or re- ceived on these interfaces. The evaluator also used publicly documented vulnerabili- ties in CVE database and used general search engines. The analysis of potential attack surfaces was performed according to the ISO/OSI layer model, i.e., for Ethernet, IP, TCP etc. Testing configuration The TOE was installed on the 1035 and 1065 hardware models. The configuration was performed according to the provided documentation, starting with the acquisition of the software from the developer. The TOE was tested in the Firewall/VPN and IPS role (as applicable for the particular test). Testing depth The following areas were considered for vulnerability testing: e Ethernet parsing eo IPv4 and IPv6 parsing e IPv4 routing, with and without a VPN tunnel involved o ICMPv4 and ICMPv6 parsing e TCP parsing e UDP parsing e HTTP parsing and redirection e FTP parsing and redirection e@ SMTP parsing and redirection 1.0 2014-06-27 12 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 e ARP parsing e IPsec, IKEv1 and IKEv2 parsing o IPsec traffic handling ¢ Discarding of "Loose Source and Record Route" and "Strict Source and Record Route" IP options. © Protection of the administrative interface from external access e Browser-based user authentication In addtion, a TCP and UDP port scan of the external interface was performed to detect any further potential attack surfaces. Testing results The evaluator performed the penetration tests described above. None of the performed penetration tests revealed any exploitable vulnerability in the TOE. 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 13 (19) 13FMV5884-50:1 FMVID-297-822 Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 Evaluated Configuration In the evaluated configuration, the Stonesoft Firewall/VPN & IPS Security Engine may be operated in one of two roles (modes of operation), each providing a different set of security functionality. The Stonesoft Firewall/VPN & IPS Security Engine may be used either as a Firewall/VPN or as an IPS. Multiple installations of the Stonesoft Firewall/VPN & IPS Security Engine may be used in combination to obtain the func- tionality of both the Firewall/VPN or the IPS role. Operated in the Firewall/VPN role it provides information flow control using multi- layer inspection (layer 3) including packet filtering, virtual private network connec- tions (VPN) authenticating and encrypting data traffic to remote nodes over untrusted networks. Operated in the IPS role it provides intrusion detection and prevention (IDS/IPS) using arange of different intrusion detection mechanisms including protocol decoding and normalization on all protocol layers. Connection state, protocol specific inspection modules and file contexts provide accurate signature matching context in the normal- ized data stream. Independent of the role, the Stonesoft Firewall/VPN & IPS Security Engine is central- ly managed and generates audit records for security critical events. A distributed management system comprising a Management Server, Log Server and Graphical User Interface (GUI) to support the management and operation of the fire- wall is supplied as a separate product. 1.0 2014-06-27 14 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 9 Results of the Evaluation The evaluators applied each work unit of the Common Methodology [CEM] within the scope of the evaluation, and concluded that the TOE meets the security objectives stated in the Security Target [ST] for an attack potential of Enhanced-Basic. The certifier reviewed the work of the evaluator to determine that the evaluation was conducted in accordance with the requirements of the Common Criteria [CC]. The evaluators overall verdict of the evaluation is: PASS The verdicts for the assurance classes and components are summarised in the follow- ing table: 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 15 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 Assurance Class Name / Assurance Short name (including component Verdict Family Name identifier for assurance families) Security Target Evaluation ASE Pass ST Introduction ASE_INT.1 Pass Conformance claims ASE_CCL.1 Pass Security problem definition ASE_SPD.I Pass Security objectives ASE_OBJ.2 Pass Extended components definition ASE_ECD.I Pass Derived security requirements ASE_REQ.2 Pass TOE summary specification ASE_TSS.1 Pass Life-cycle support ALC Pass Production support, acceptance ALC_CMC.4 Pass procedures and automation Problem tracking CM coverage ALC_CMS.4 Pass Delivery procedures ALC DEL.I Pass Identification of security measures ALC_DVS.1 Pass Developer defined life-cycle model ALC_LCD.1 Pass Well-defined development tools ALC_TAT.1 Pass Flaw remediation ALC_FLR.1 Pass Development ADV Pass Security architecture description ADV_ARC.I Pass Complete functional specification ADV_FSP.4 Pass Implementation representation of ADV_IMP.1 Pass the TSF Basic modular design ADV_TDS.3 Pass Guidance documents AGD Pass Operational user guidance AGD_OPE.1 Pass Preparative procedures AGD_PRE.1 Pass Tests ATE Pass Analysis of coverage ATE _COV.2 Pass Testing: basic design ATE_DPT.I Pass Functional testing ATE_FUN.1 Pass Independent testing - sample ATE_IND.2 Pass Vulnerability assessment AVA Pass Focused vulnerability analysis AVA_VAN.3 Pass 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 16 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 10 Evaluator Comments and Recommendations The evaluators have no remaining comments, observations, or recommendations. 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 17 (19) Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 11 Glossary CEM Common Methodology for Information Technology Security, document describing the methodology used in Common Cri- teria evaluations ITSEF IT Security Evaluation Facility, test laboratory licensed to operate within a evaluation and certification scheme ST Security Target, document containing security requirements and specifications , used as the basis of a TOE evaluation TOE Target of Evaluation 13FMV5884-50:1 1.0 2014-06-27 FMVID-297-822 18 (19) 12 13FMV5884-50:1 FMVID-297-822 Swedish Certification Body for IT Security Certification Report- Stonesoft FW-VPN o IPS V5.5 Bibliography [ST] McAfee NGFW and McAfee NGFW-IPS 5.5 Security Target, doc- ument version 2.0, 2014-05-27 [CCp1] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, version 3.1, revision 4, Sep- tember 2012, CCMB-2012-09-001 [CCp2] Common Criteria for Information Technology Security Evaluation, Part 2: Security functional components, version 3.1, revision 4, Sep- tember 2012, CCMB-2012-09-002 [CCp3] Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components, version 3.1, revision 4, September 2012, CCMB-2012-09-003 [CEM] Common Methodology for Information Technology Security Evalu- ation, Evaluation methodology, version 3.1, revision 4, September 2012, CCMB-2012-09-004 [SP-002] Evaluation and Certification, SP-002, Issue: 20.0, 2013-09-30, 13FMV7990-2:1, FMV/CSEC 1.0 2014-06-27 19 (19)