The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) is pleased to invite interested parties to be part of formalizing our first NIAP Technical Community for Network Devices.

If you are interested in joining this community and helping in the development of technical requirements, please read the Call for Participants and follow the guidance provided.

From the chairman of the French Scheme:

"I am pleased to inform you that the ICCC 2012 organisation committee has issued the first Newsletter for ICCC 2012. You can retrieve it from the ICCC 2012 website at http://www.iccc2012paris.com/en/downloads."

The following announcement comes from the French Scheme as they plan the 2012 ICCC:

"It is a great pleasure for me to inform you that the ICCC 2012 website has been updated: www.iccc2012paris.com

This new version, quite complete, provides all the practical information on the conference and opens the usual associated processes, in particular:

 -Information regarding When and Where are provided
 -Registration process is open for Attendees
 -Call for Papers is open for Candidate Speakers
 -Sponsoring process is open for Candidate Sponsors

On behalf of the Organization Committee, I wish you a nice visit on the ICCC 2012 website and wish to get many feedbacks from you (to me or to the ICCC 2012 webmaster info@iccc2012paris.com) to make the ICCC 2012 a collective successful event."

We hope to see many of you in Paris for the next ICCC!

Carol

The NIAP Brochure provides information related to NIAP and Reforming the Use the of Common Criteria.  Printing the Brochure double sided will allow the user to tri-fold the brochure for quick reference.

NIAP has coordinated the production of a white paper (Technical Communities: A Collaborative Approach for Protection Profile Development) outlining our initial efforts focused on the organizational aspects of building a vibrant and collaborative set of Technical Communities to develop, maintain and manage Protection Profiles (PPs) in support of NIAP’s goals.

The Network Device Protection Profile (NDPP) has been published and can be found in the U.S. Government Approved Protection Profiles listing or posted on the Common Criteria Portal. The PP describes security requirements for a Network Device (defined to be an infrastructure device that can be connected to a network), and is intended to provide a minimal, baseline set of requirements that mitigate well defined and described threats.

Click here for the latest Protection Profile status.

The NIAP Director is pleased to announce the release of the following Approved Protection Profiles:

USB Flash Drive
This is the NIAP approved Protection Profile for USB flash drives. The Target of Evaluation (TOE) defined in this Protection Profile (PP) is a USB flash drive and any associated software used to manage the drive and access the data on it.

Full Disk Encryption
This is the NIAP approved Protection Profile for Full Disk Encryption products. The Target of Evaluation (TOE) defined in this Protection Profile (PP) is a full disk encryption product used for mitigating the risk of a lost or stolen hard disk.

Wireless LAN Access System
This is the NIAP approved Protection Profile for the Wireless LAN Access System. The Target of Evaluation (TOE) defined in this protection Profile (PP) is used for Wireless Local Area Network (WLAN) Access Systems for the protection of sensitive but unclassified data on a wireless network.

Wireless LAN Client
This is the NIAP approved Protection Profile for the Wireless LAN Client. This Protection Profile (PP) supports procurements of commercial off-the-shelf (COTS) Wireless Local Area Network (WLAN) Clients for the protection of sensitive but unclassified data on a wireless network.

Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall This Extended Package (EP) describes security requirements for a Stateful Traffic Filter Firewall (defined to be a device that filters layers 3 and 4 (IP and TCP/UDP) network traffic optimized through the use of stateful packet inspection) is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats. However, this EP is not complete in itself, but rather extends the Security Requirements for Network Devices protection profile (NDPP).

Protection Profile for IPsec Virtual Private Network (VPN) Clients:  This Protection Profile (PP) supports procurements of commercial off-the-shelf (COTS) IPsec Virtual Private Network (VPN) Clients to provide secure tunnels to authenticated remote endpoints or gateways. This PP details the policies, assumptions, threats, security objectives, security functional requirements, and security assurance requirements for the VPN and its supporting environment.

Enterprise Security Management- Access Control: This Protection Profile (PP) focuses on access control decision and enforcement. A product/product component that conforms to this Protection Profile consumes a centrally-defined access control policy and enforces it. In doing so, it provides preventative security to the enterprise in a consistent manner.

updated 23 February 2012

The NIAP evolution continues to progress, with several important updates anticipated in the near term. These updates will provide specific details about various aspects of the transition. The overall goal of the changes in NIAP is Achievable, Repeatable, and Testable evaluation results.

Look for upcoming information regarding the NIAP evolution, including:

• Elimination of the NIAP “In Evaluation” list – provides dates and rationale for elimination of the current In Evaluation list;
• Updated NIAP Policy 12 “Acceptance Requirements of a Product for CCEVS Validations” – updates the current policy and includes requirements for evaluation against NIAP approved Protection Profiles;
• PP Transition announcement – defines the transition to NIAP-approved PPs and product end of life/maintenance information;
• National Security System (NSS) Acquisition announcement – proposed criteria for products to be listed on NIAP’s Product Compliant List (PCL) and for acquisition of COTS products to be used on NSS or to protect NSS information;
• Product End of Life/Maintenance announcement – provides milestones for implementation of the NIAP End of Life/Maintenance process, including information about how previously evaluated products must comply; and
• New NIAP Cryptographic Policy - defines the relationship between the cryptographic requirements of a Target of Evaluation (TOE) in evaluation and the verification of those requirements through activities performed by the NIST Cryptographic Algorithm Validation Program (CAVP)/ Cryptographic Module Validation Program (CMVP).

After further consideration and discussion with several vendors, NIAP has determined that the transition window for switch/router compliance to the Network Device Protection Profile (NDPP) will be extended. NIAP CCEVS will accept evaluations in accordance with Scheme Policy 12 for switches and routers when it has been confirmed that the vendor will achieve NDPP compliance within a mutually agreed upon timeframe. Decisions to accept ST evaluations for switches and routers will be made on a case-by-case basis. Note that the current NDPP transition window for firewalls is still in effect - all firewall evaluations must be in compliance with the NDPP.

NIAP has been reviewing our current list of Protection Profiles to determine which PPs should be sunsetted. We want to be sure evaluations go against correct and updated requirements (using our draft PPs when appropriate) as well as ensure evaluations are not against PPs that contradict our new policies and newly published PPs. There are eight PPs listed that fall into four categories:

1. No Longer Viable: Sunset Date: 1 September 2011
   1. U.S. Government Protection Profile for USDA Instrument Grading System for Basic Robustness Environments – this PP was never used and does not fall within our list of critical technologies for the CNSS community.
   2. U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03 (SKPP) – NSA/IAD’s efforts to support existing SKPP evaluations have revealed a number of difficulties in the areas of assurance maintenance, scalability, cost and complexity when applied to complex commodity platforms. Please go to the link below for a detailed explanation of the reason for sunsetting the SKPP as well as two papers related to this decision: http://www.niap-ccevs.org/pp/pp_skpp_hr_v1.03/
2. Created a New Protection Profile: Sunset Date: 1 September 2011
   1. U.S. Government Approved Protection Profile - Role Based Access Control Protection Profile Version 1.0 – this PP has been replaced by the new OSPP published on 30 August 2010.
3. Evaluate Against Draft PPs: Sunset Date: 1 September 2011
   There are two current PPs listed that no longer represent accurate requirements for the specific technology but for which a new PP is not yet available. For these two, NIAP will sunset these PPs and work with vendors to evaluate against the draft PPs. These draft PPs are expected to be published in final form in September 2011. Please contact NIAP to get a copy of the appropriate draft PP.
   1. U.S. Government Protection Profile Wireless Local Area Network (WLAN) Client for Basic Robustness Environments, Version 1.1
   2. U.S. Government Protection Profile Wireless Local Area Network (WLAN) Access System for Basic Robustness Environments, Version 1.1
4. Combination of PP for an ST: Sunset Date: 1 September 2011
   The following three PPs no longer represent accurate requirements for the specific technology and a draft PP is not under development that has direct mapping to the technologies. For these products, NIAP will work with the vendor and the lab to use the crypto requirements listed in the Network Device Protection Profile as well as other applicable requirements from other PPs to develop an approved ST.
   1. U.S. Government Protection Profile Web Server for Basic Robustness Environments, Version 1.1
   2. U.S. Government Protection Profile Authorization Server for Basic Robustness Environments, Version 1.1
   3. U.S. Government Family of Protection Profiles for Public Key Enabled Applications for Basic Robustness Environments, Version 2.8

As always, should you have questions regarding the sunsetted PPs listed above or have specific questions about a product for which is ready for a Common Criteria evaluation, please contact NIAP or call 410-854-4458.