Commit c26e4a15 authored by Valerie Aurora

Add confidentiality of data stored requirement

parent 15e048c2
+26 −0
@@ -1072,6 +1072,32 @@ The product shall be accompanied by documentation informing the user that denial
  * Verdict: Documentation exists and is appropriate to the typical user => PASS, otherwise FAIL
  * Evidence: Documentation, analysis of documentation, documentation of intended purpose

### 5.2.20 TR-CDST: Confidentiality of data stored on the product

#### 5.2.20.1 Requirement

The product shall protect data stored on the product from unauthorized access.

#### 5.2.20.2 MI-CDST: Protect confidentiality of data stored on the product

**Editor's Note:** We have included only a high-level mitigation, and anticipate that more detailed and specific mitigations will be added later.

The product shall protect data stored on the product from unauthorized access.

  * Reference: TR-CDST

  * Objective: Confidentiality of data

  * Preparation: List all types of data that may be stored on the product that should not be readable without authorization, what methods of ensuring confidentiality are appropriate for each type, all methods of accessing that data available to an attacker based on the risk assessment, and what the allowable authorization methods are for that access method

  * Activities: For each type of data and each access mechanism, determine the method of ensuring confidentiality used, and attempt to read the data without authorization

  * Verdict: If all methods of ensuring confidentiality match the type of the data stored, and all the attempts to read confidential data without authorization fail => PASS, otherwise => FAIL

  * Evidence: Logs of determination of type of data and method of confidentiality and attempts to read confidential data without authorization

Guidance: Data may be protected by the environment, permissions, encryption, salting and hashing, offline storage, or hardware-backed secrets.

> TODO-HAS: delete below template before sending

> Copy-n-paste mitigation format
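
Review bot: In the Verdict line of MI-CDST, "match the type of the data stored" is not defined anywhere in the added text, so two assessors could reach different verdicts from the same evidence. The Preparation step already asks for "what methods of ensuring confidentiality are appropriate for each type", so the verdict could be worded against that list, for example "If each method of ensuring confidentiality in use is one of those listed as appropriate for that type of data in Preparation, and all attempts to read confidential data without authorization fail => PASS". In the Preparation line, "for that access method" is singular although it follows "all methods of accessing that data"; "for each access method" would read more clearly. The Activities line could also say that each attempt is recorded per data type and access mechanism, since the Evidence line expects logs of both.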