Controlled Access Protection Profile

The Controlled Access Protection Profile, also known as CAPP, is a Common Criteria security profile that specifies a set of functional and assurance requirements for information technology products. Software and systems that conform to CAPP standards provide access controls that are capable of enforcing access limitations on individual users and data objects. CAPP-conformant products also provide an audit capability which records the security-relevant events which occur within the system.

CAPP is intended for the protection of software and systems where users are assumed to be non-hostile and well-managed, requiring protection primarily against threats of inadvertent or casual attempts to breach the security protections. It is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well-funded attackers. It does not fully address the threats posed by malicious system development or administrative personnel, who generally have a higher level of access. The CAPP was derived from the requirements of the C2 class of the U.S. Department of Defense Trusted Computer System Evaluation Criteria and the material upon which those requirements are based.