@@ -1614,137 +1614,137 @@ Risk factors may increase the likelihood of an incident, increase the impact of
The overall risk related to each use case should be considered, and is calculated by combining risk factors affecting both likelihood and impact of an incident.
### C.2.2 Number of User Accounts
### C.2.2 RF-NUSR: Number of User Accounts
**[RF-NUSR]:**The number of user accounts of end-users expected on the system, excluding administrator accounts.
The number of user accounts of end-users expected on the system, excluding administrator accounts.
* NUSR-0: foreseeable use does not include user accounts for end-users
* NUSR-1: foreseeable use is only one user account for an end-user
* NUSR-2: foreseeable use of the operating system is multiple user accounts for end-users
### C.2.3 User Account Concurrency
### C.2.3 RF-CUSR: User Account Concurrency
**[RF-CUSR]:**The number of user accounts expected to use the system concurrently, including administrator accounts if they are configurable or accessible by end-users.
The number of user accounts expected to use the system concurrently, including administrator accounts if they are configurable or accessible by end-users.
* CUSR-0: foreseeable use is one authenticated end-user using the device at a time, including authentication by physical access
* CUSR-1: foreseeable use of the operating system is small number of authenticated users simultaneously active on the operating system who are trusted not to actively attempt to compromise the system
* CUSR-2: foreseeable use of the operating system is multiple authenticated untrusted users simultaneously active on the operating system
### C.2.4 Potential for Collection of Personally Identifiable Information
### C.2.4 RF-PPII: Potential for Collection of Personally Identifiable Information
**[RF-PPII]:**Potential for collection of personally identifiable information about an individual person.
Potential for collection of personally identifiable information about an individual person.
* PPII-0: foreseeable use includes no or incidental collection of PII
* PPII-1: foreseeable use includes collection of moderate amounts of PII
* PPII-2: foreseeable use includes collection of extensive amounts of PII by default
### C.2.5 Sensitivity of Data Stored
### C.2.5 RF-SNDS: Sensitivity of Data Stored
**[RF-SNDS]:**Sensitivity of data stored, as measured by impact of loss of its integrity, confidentiality, or availability.
Sensitivity of data stored, as measured by impact of loss of its integrity, confidentiality, or availability.
* SNDS-0: foreseeable use includes no or incidental storage of sensitive data
* SNDS-1: foreseeable use includes storing moderate amounts of sensitive data
* SNDS-2: foreseeable use includes storing extensive amounts of sensitive data by default
### C.2.6 Sensitivity of Data Transmitted
### C.2.6 RF-SNDT: Sensitivity of Data Transmitted
**[RF-SNDT]:**Sensitivity of data transmitted, as measured by impact of loss of its integrity, confidentiality, or availability.
Sensitivity of data transmitted, as measured by impact of loss of its integrity, confidentiality, or availability.
* SNDT-0: foreseeable use includes no or incidental transmission of sensitive data
* SNDT-1: foreseeable use includes transmission of moderate amounts of sensitive data
* SNDT-2: foreseeable use includes transmission of extensive amounts of sensitive data by default
### C.2.7 Sensitivity of Functions
### C.2.7 RF-SENF: Sensitivity of Functions
**[RF-SENF]:**Sensitivity of functions of device, as measured by impact of loss of its integrity, confidentiality, or availability.
Sensitivity of functions of device, as measured by impact of loss of its integrity, confidentiality, or availability.
* SENF-0: foreseeable use includes no or incidental provision of sensitive functions
* SENF-1: foreseeable use may provide arbitrary sensitive functions
* SENF-2: foreseeable use provides sensitive functions by default
### C.2.8 Physical Access by Threat Actors to the Device
### C.2.8 RF-PHYS: Physical Access by Threat Actors to the Device
**[RF-PHYS]:**Exposure of the device to physical access by users.
Exposure of the device to physical access by users.
* PHYS-0: foreseeable use is only in environments with authorized users
* PHYS-1: foreseeable use includes incidental exposure to untrusted users
* PHYS-2: foreseeable use is primarily by untrusted users, e.g. the general public
### C.2.9 Processing of Untrusted External Inputs
### C.2.9 RF-UEIN: Processing of Untrusted External Inputs
**[RF-UEIN]:**Exposure to untrusted external inputs that are processed by the platform.
Exposure to untrusted external inputs that are processed by the platform.
* UEIN-0: only used in environments without processing of untrusted external inputs
* UEIN-1: may incidentally process untrusted external inputs
* UEIN-2: used primarily to process untrusted external inputs
### C.2.10 Probability of Loss of the Device
### C.2.10 RF-LOSS: Probability of Loss of the Device
**[RF-LOSS]:**Likelihood of loss or theft of the device, allowing threat actors unlimited physical access to the device.
Likelihood of loss or theft of the device, allowing threat actors unlimited physical access to the device.
* LOSS-0: foreseeable use is in a device with no or incidental loss likelihood
* LOSS-1: foreseeable use is in a device with moderate loss likelihood
* LOSS-2: foreseeable use is in a device with a high loss likelihood, such as devices which are common targets of theft such as mobile phones
### C.2.11 Hardware Modifiability by End Users
### C.2.11 RF-HWMD: Hardware Modifiability by End Users
**[RF-HWMD]:**Likelihood that the hardware of the platform will be changed from its secure-by-default state.
Likelihood that the hardware of the platform will be changed from its secure-by-default state.
* HWMD-0: foreseeable use limited to devices with hardware that is not modifiable by end-users
* HWMD-1: foreseeable use includes hardware modifications by skilled administrators
* HWMD-2: foreseeable use includes hardware modification by unskilled users
### C.2.12 Software Modifiability by End Users
### C.2.12 RF-SWMD: Software Modifiability by End Users
**[RF-SWMD]:**Likelihood that the software on the platform (including firmware) will be changed from its secure-by-default state.
Likelihood that the software on the platform (including firmware) will be changed from its secure-by-default state.
* SWMD-0: foreseeable use only allows the installation of trusted and verified software, such as updates
* SWMD-1: foreseeable use allows for the installation of arbitrary software or for substantial modification of pre-installed software
* SWMD-2: foreseeable use actively encourages and facilitates the installation of frequently malicious software
### C.2.13 Untrusted Peripheral Devices
### C.2.13 RF-DVCS: Untrusted Peripheral Devices
**[RF-DVCS]:**Likelihood of unstrusted peripheral devices being attached to the platform via a connection that is a plausible attack vector, such as by USB or PCI bus.
Likelihood of unstrusted peripheral devices being attached to the platform via a connection that is a plausible attack vector, such as by USB or PCI bus.
* DVCS-0: foreseeable use has no accessible peripheral ports
* DVCS-1: foreseeable use includes only trusted and safe peripheral devices
* DVCS-2: foreseeable use allows for arbitrary peripheral device attachment
### C.2.14 Access to a Public Network
### C.2.14 RF-TNET: Access to a Public Network
**[RF-TNET]:**Likelihood that the device will initiate connections to public networks.
Likelihood that the device will initiate connections to public networks.
* TNET-0: foreseeable use has no mechanism to reasonably connect to a public network
* TNET-1: foreseeable use allows internet access for only highly restricted functions, such as retrieving security updates
* TNET-2: foreseeable use allows for arbitrary access to a public network, such as by browsing the web
### C.2.15 Accessed From Untrusted Networks Including a Public Network
### C.2.15 RF-FNET: Accessed From Untrusted Networks Including a Public Network
**[RF-FNET]:**Likelihood that the device will be exposed to incoming traffic from public networks.
Likelihood that the device will be exposed to incoming traffic from public networks.
* FNET-0: foreseeable use is limited to trusted and private networks
* FNET-1: foreseeable use includes untrusted local networks but not the open internet
* FNET-2: foreseeable use includes being connected directly to the open internet
### C.2.16 Configurability
### C.2.16 RF-CONF: Configurability
**[RF-CONF]:**Degree of security-relevant configuration change of the operating system necessary for use.
Degree of security-relevant configuration change of the operating system necessary for use.
* CONF-0: foreseeable use does not require storing operating system configuration changes
* CONF-1: foreseeable use involves operating system configuration changes only by skilled administrators
* CONF-2: foreseeable use of the operating system includes configuration changes by end-users
### C.2.17 Administration
### C.2.17 RF-ADMN: Administration
**[RF-ADMN]:**Availability and skill of administrators.
Availability and skill of administrators.
* ADMN-0: foreseeable use does not require administration
* ADMN-1: foreseeable use always has skilled administrators available on call
* ADMN-2: foreseeable use may involve unskilled administrators
### C.2.18 Support and Foreseeable Updates
### C.2.18 RF-SUPP: Support and Foreseeable Updates
**[RF-SUPP]:**How long the product is expected to be in use, and whether the product is expected to be updated throughout its life cycle.
How long the product is expected to be in use, and whether the product is expected to be updated throughout its life cycle.
* SUPP-0: foreseeable use does not require that the operating system be updated at any point in its lifecycle
* SUPP-1: foreseeable use includes the installation of updates by end-users with access to the operating system
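Review bot: The RF-DVCS description under C.2.13 still reads "unstrusted peripheral devices" in the rewritten line; since that line is being touched anyway, correct it to "untrusted" in this change. In C.2.8 the heading names "Threat Actors" while the description says "physical access by users", and the PHYS-0 to PHYS-2 levels distinguish authorized from untrusted users, so the description should say which population it means. With the bold [RF-xxxx] tag dropped from each body line, the heading is now the only place the identifier appears, so it is worth checking that anything linking to the old heading text still resolves.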
@@ -1754,21 +1754,21 @@ The overall risk related to each use case should be considered, and is calculate
Assumptions can be updated to be less stringent as more use cases and mitigations are added to the standard.
### C.3.1 Proper platform
### C.3.1 AS-PP: Proper platform
**[AS-PP]:**The platform the product runs on is trustworthy. The OS may choose to detect and/or correct hardware errors.
The platform the product runs on is trustworthy. The OS may choose to detect and/or correct hardware errors.
### C.3.2 Proper administrator
### C.3.2 AS-PA: Proper administrator
**[AS-PA]:**The product administrator is not intentionally hostile and is engaging in good faith efforts to administer the system properly.
The product administrator is not intentionally hostile and is engaging in good faith efforts to administer the system properly.
### C.3.3 Attacker has limited physical access to product
### C.3.3 AS-LP: Attacker has limited physical access to product
**[AS-LP]:**An attacker will have only temporary physical access to the product.
An attacker will have only temporary physical access to the product.
### C.3.4 Attacker has limited resources
### C.3.4 AS-LR: Attacker has limited resources
**[AS-LR]:**An attacker has the resources available to a small group of skilled individuals, without the backing of large corporations, nation-states, or immense wealth.
An attacker has the resources available to a small group of skilled individuals, without the backing of large corporations, nation-states, or immense wealth.
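Review bot: AS-LP in C.3.3 says "limited physical access" in the heading but "only temporary physical access" in the body, while RF-LOSS in C.2.10 describes loss or theft as giving threat actors "unlimited physical access"; now that the identifier is promoted into the heading, pick one wording and state whether AS-LP is meant to hold for LOSS-1 and LOSS-2 use cases. In C.3.1 the second sentence of AS-PP ("The OS may choose to detect and/or correct hardware errors") is a permission rather than an assumption and would read better outside the assumption text. The C.3 headings use sentence case ("Proper platform") where the C.2 headings use title case; align them while the headings are being rewritten.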