Commit d8642e06 authored by Valerie Aurora (Bow Shock)

Rewrite risk factors in terms of foreseeable use

parent 350cdfa7
+34 −36
@@ -598,37 +598,37 @@ FIXME reference guidance on risk assessment when it exists.

#### 4.5.1.x Number of User Accounts

**[RF-NUSR]:** The number of user accounts that end-users may authenticate to, excluding administrator accounts.
**[RF-NUSR]:** The number of user accounts of end-users expected on the system, excluding administrator accounts.

* NUSR-0: the operating system does not allow end-users to authenticate
* NUSR-1: the operating system allows only one end-user to authenticate; to switch users, the user must reset the device or otherwise fully delete the current user's data before creating a new user
f* NUSR-2: foreseeable use of the operating system is primarily that of a single end-user authenticating, but supports multiple end-users authenticating
* NUSR-3: foreseeable use of the operating system is multiple end-users authenticating
* NUSR-0: foreseeable use does not include user accounts for end-users
* NUSR-1: foreseeable use is only one user account for an end-user
f* NUSR-2: foreseeable use is primarily a single user account for an end-user authenticating, but supports multiple user accounts for end-users
* NUSR-3: foreseeable use of the operating system is multiple user accounts for end-users

FIXME add the separate concept of users apart from accounts

#### 4.5.1.x User Account Concurrency

**[RF-CUSR]:** The number of user accounts that may use the system concurrently, including administrator accounts if they are configurable or accessible by end-users.
**[RF-CUSR]:** The number of user accounts expected to use the system concurrently, including administrator accounts if they are configurable or accessible by end-users.

* CUSR-0: the operating system does not allow end-users to authenticate
* CUSR-1: the operating system only allows one end-user to authenticate concurrently; to switch users, the authenticated user must logout
* CUSR-2: forseeable use of the operating system is with one end-user authenticated concurrently, but multiple end-user accounts may be simultaneously active on the operating system
* CUSR-3: foreseeable use of the operating system is multiple authenticated users simultaneously active on the operating system
* CUSR-0: foreseeable use does not include end-users authenticating to the system
* CUSR-1: foreseeable use is one authenticated end-user using the device at a time
* CUSR-3: foreseeable use of the operating system is multiple authenticated users simultaneously active on the operating system who are trusted not to actively attempt to compromise the system
* CUSR-3: foreseeable use of the operating system is multiple authenticated untrusted users simultaneously active on the operating system

#### 4.5.1.x Data Storage

**[RF-DATA]:** What kind of data is stored by the operating system.

* DATA-0: the operating system is effectively unable to store per-user data in its foreseeable use
* DATA-1: the operating system is designed only to store limited data types
* DATA-2: the operating system is designed to store arbitrary data
* DATA-0: foreseeable use does not include storing user data
* DATA-1: foreseeable use is only to store limited user data types
* DATA-2: foreseeable use is to store arbitrary user data

#### 4.5.1.x Sensitivity of Data

**[RF-SENS]:** Sensitivity of data collected, as measured by impact of loss of its integrity, confidentiality, or availability.

* SENS-0: the operating system is effectively unable to collect sensitive data
* SENS-0: foreseeable use does not include collection of sensitive data
* SENS-1: foreseeable use limits collection of sensitive data
* SENS-2: foreseeable use may collect arbitrary amounts of sensitive data
* SENS-3: foreseeable use collects extensive amounts of sensitive data by default
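Review bot: the rewritten RF-CUSR list numbers both of its last two levels CUSR-3 and has no CUSR-2, so the scale no longer runs 0..3; the level for users "trusted not to actively attempt to compromise the system" should be CUSR-2, with the untrusted-users level staying CUSR-3. Two smaller points in the same hunk: the stray "f" in "f* NUSR-2: foreseeable use is primarily a single user account ..." is carried over verbatim from the old line and will render as literal text instead of a list item, and the new NUSR-0 ("foreseeable use does not include user accounts for end-users") no longer mentions the administrator-account exclusion that the RF-NUSR definition line still carries, which is fine as long as that exclusion is meant to apply to every level.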
@@ -637,18 +637,18 @@ FIXME add the separate concept of users apart from accounts

**[RF-SENS]:** Sensitivity of functions of device, as measured by impact of loss of its integrity, confidentiality, or availability.

* SENS-0: the operating system is effectively unable to provide sensitive functions
* SENS-0: foreseeable use does not provide sensitive functions
* SENS-1: foreseeable use limits provision of sensitive functions
* SENS-2: foreseeable use may provide arbitrary functions
* SENS-2: foreseeable use may provide arbitrary sensitive functions
* SENS-3: foreseeable use provides sensitive functions by default

#### 4.5.1.x Physical Access by Threat Actors to the Device

**[RF-PHYS]:** Exposure of the device to physical access by users.

* PHYS-0: only used in environments with authorized users
* PHYS-1: may be incidentally exposed to untrusted users
* PHYS-2: used primarily by untrusted users, e.g. the general public
* PHYS-0: foreseeable use is only in environments with authorized users
* PHYS-1: foreseeable use includes incidental exposure to untrusted users
* PHYS-2: foreseeable use is primarily by untrusted users, e.g. the general public

#### 4.5.1.x Logical Access by Threat Actors Via Local Software

@@ -671,17 +671,17 @@ FIXME add the separate concept of users apart from accounts
**[RF-LOSS]:** Likelihood of loss or theft of the device, allowing threat actors unlimited physical access to the device.

* LOSS-0: foreseeable use of the operating system is limited to stationary devices or devices with other loss-prevention mechanisms
* LOSS-1: foreseeable use of the operating system is in a device with only incidental loss likelihood
* LOSS-2: foreseeable use of the operating system is in a device with moderate loss likelihood
* LOSS-3: foreseeable use of the operating system is in a device with a high loss likelihood, such as devices which are common targets of theft such as mobile phones
* LOSS-1: foreseeable use is in a device with only incidental loss likelihood
* LOSS-2: foreseeable use is in a device with moderate loss likelihood
* LOSS-3: foreseeable use is in a device with a high loss likelihood, such as devices which are common targets of theft such as mobile phones

#### 4.5.1.x Hardware Modifiability by End Users

**[RF-HWMD]:** Likelihood that the hardware of the platform will be changed from its secure-by-default state.

* HWMD-0: foreseeable use of the operating system is limited to devices with hardware that is not modifiable by end-users
* HWMD-1: foreseeable use of the operating system includes hardware modifications by skilled or trusted users, such as corporate IT support staff
* HWMD-2: foreseeable use of the operating system includes hardware modification by unskilled users, such as in a personal computer
* HWMD-0: foreseeable use limited to devices with hardware that is not modifiable by end-users
* HWMD-1: foreseeable use includes hardware modifications by skilled administrators
* HWMD-2: foreseeable use includes hardware modification by unskilled users

#### 4.5.1.x Software Modifiability by End Users

@@ -719,27 +719,27 @@ FIXME add the separate concept of users apart from accounts

#### 4.5.1.x Configurability

**[RF-CONF]:** Degree of security-relevant configuration change possible on the operating system.
**[RF-CONF]:** Degree of security-relevant configuration change of the operating system necessary for use.

* CONF-0: foreseeable use of the operating system prevents or is incapable of storing configuration changes
* CONF-1: foreseeable use allows operating system configuration changes only by skilled or trusted users, such as corporate IT support staff
* CONF-0: foreseeable use does not require storing operating system configuration changes
* CONF-1: foreseeable use involves operating system configuration changes only by skilled administrators
* CONF-2: foreseeable use of the operating system includes configuration changes by end-users

#### 4.5.1.x Administration

**[RF-ADMN]:** Availability and skill of administrators.

* ADMN-0: no administration is necessary
* ADMN-1: foreseeable use of the operating system includes skilled administration available on call
* ADMN-2: foreseeable use of the operating system includes unskilled administration
* ADMN-0: foreseeable use does not require administration
* ADMN-1: foreseeable use always has skilled administrators available on call
* ADMN-2: foreseeable use may involve unskilled administrators

#### 4.5.1.x Length of support period

**[RF-SUPP]:** How long the product is expected to be in use.

* SUPP-0: the length of foreseeable use is less than the time necessary to remediate a vulnerability
* SUPP-1: the length of foreseeable use is long enough to require remediating at least one vulnerability
* SUPP-2: the length of foreseeable use is long enough to require remediating multiple vulnerabilities
* SUPP-0: foreseeable use is for a length of time less than the time necessary to remediate a vulnerability
* SUPP-1: foreseeable use is for a length of time long enough to require remediating at least one vulnerability
* SUPP-2: foreseeable use is for a length of time long enough to require remediating multiple vulnerabilities

### 4.5.2 Mapping of Use Cases to Risk Factors

@@ -775,8 +775,6 @@ FIXME needs updates

**Discussion**

Potential additional risk factors:

Separate question for the application delivery mechanism:
1. App is not preinstalled, but by default gets installed during initial configuration by the user if the user always picks the preselected option -> IMHO part of the device, forcing installation later should not be an allowed trick to make the scope smaller.
2. Third party app is installed through the official app store/repository, but vetted less (or not at all) by the OS vendor. Do we want to require a vetting level indicator if the same source has multiple tiers of vetting?
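Review bot: with "Potential additional risk factors:" removed, the Discussion section now opens directly with "Separate question for the application delivery mechanism:", and nothing in the surrounding lines says what that question is separate from; if the point of the removal is that app delivery is an open question rather than a candidate risk factor, a short lead such as "Open question (not a risk factor): application delivery mechanism" would keep that framing for readers of the rendered document.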