The Network Device Protection Profile (NDPP) has been published and can be found in the U.S. Government Approved Protection Profiles listing or posted on the Common Criteria Portal. The PP describes security requirements for a Network Device (defined to be an infrastructure device that can be connected to a network), and is intended to provide a minimal, baseline set of requirements that mitigate well defined and described threats.

Click here for the latest Protection Profile status.

The NIAP Director is pleased to announce the release of the following Approved Protection Profiles:

USB Flash Drive
This is the NIAP approved Protection Profile for USB flash drives. The Target of Evaluation (TOE) defined in this Protection Profile (PP) is a USB flash drive and any associated software used to manage the drive and access the data on it.

Full Disk Encryption
This is the NIAP approved Protection Profile for Full Disk Encryption products. The Target of Evaluation (TOE) defined in this Protection Profile (PP) is a full disk encryption product used for mitigating the risk of a lost or stolen hard disk.

Wireless LAN Access System
This is the NIAP approved Protection Profile for the Wireless LAN Access System. The Target of Evaluation (TOE) defined in this protection Profile (PP) is used for Wireless Local Area Network (WLAN) Access Systems for the protection of sensitive but unclassified data on a wireless network.

Wireless LAN Client
This is the NIAP approved Protection Profile for the Wireless LAN Client. This Protection Profile (PP) supports procurements of commercial off-the-shelf (COTS) Wireless Local Area Network (WLAN) Clients for the protection of sensitive but unclassified data on a wireless network.

Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall This Extended Package (EP) describes security requirements for a Stateful Traffic Filter Firewall (defined to be a device that filters layers 3 and 4 (IP and TCP/UDP) network traffic optimized through the use of stateful packet inspection) is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats. However, this EP is not complete in itself, but rather extends the Security Requirements for Network Devices protection profile (NDPP).

Protection Profile for IPsec Virtual Private Network (VPN) Clients:  This Protection Profile (PP) supports procurements of commercial off-the-shelf (COTS) IPsec Virtual Private Network (VPN) Clients to provide secure tunnels to authenticated remote endpoints or gateways. This PP details the policies, assumptions, threats, security objectives, security functional requirements, and security assurance requirements for the VPN and its supporting environment.

updated 18 January 2012

The NIAP evolution continues to progress, with several important updates anticipated in the near term. These updates will provide specific details about various aspects of the transition. The overall goal of the changes in NIAP is Achievable, Repeatable, and Testable evaluation results.

Look for upcoming information regarding the NIAP evolution, including:

• Elimination of the NIAP “In Evaluation” list – provides dates and rationale for elimination of the current In Evaluation list;
• Updated NIAP Policy 12 “Acceptance Requirements of a Product for CCEVS Validations” – updates the current policy and includes requirements for evaluation against NIAP approved Protection Profiles;
• PP Transition announcement – defines the transition to NIAP-approved PPs and product end of life/maintenance information;
• National Security System (NSS) Acquisition announcement – proposed criteria for products to be listed on NIAP’s Product Compliant List (PCL) and for acquisition of COTS products to be used on NSS or to protect NSS information;
• Product End of Life/Maintenance announcement – provides milestones for implementation of the NIAP End of Life/Maintenance process, including information about how previously evaluated products must comply; and
• New NIAP Cryptographic Policy - defines the relationship between the cryptographic requirements of a Target of Evaluation (TOE) in evaluation and the verification of those requirements through activities performed by the NIST Cryptographic Algorithm Validation Program (CAVP)/ Cryptographic Module Validation Program (CMVP).

After further consideration and discussion with several vendors, NIAP has determined that the transition window for switch/router compliance to the Network Device Protection Profile (NDPP) will be extended. NIAP CCEVS will accept evaluations in accordance with Scheme Policy 12 for switches and routers when it has been confirmed that the vendor will achieve NDPP compliance within a mutually agreed upon timeframe. Decisions to accept ST evaluations for switches and routers will be made on a case-by-case basis. Note that the current NDPP transition window for firewalls is still in effect - all firewall evaluations must be in compliance with the NDPP.

NIAP has been reviewing our current list of Protection Profiles to determine which PPs should be sunsetted. We want to be sure evaluations go against correct and updated requirements (using our draft PPs when appropriate) as well as ensure evaluations are not against PPs that contradict our new policies and newly published PPs. There are eight PPs listed that fall into four categories:

1. No Longer Viable: Sunset Date: 1 September 2011
   1. U.S. Government Protection Profile for USDA Instrument Grading System for Basic Robustness Environments – this PP was never used and does not fall within our list of critical technologies for the CNSS community.
   2. U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03 (SKPP) – NSA/IAD’s efforts to support existing SKPP evaluations have revealed a number of difficulties in the areas of assurance maintenance, scalability, cost and complexity when applied to complex commodity platforms. Please go to the link below for a detailed explanation of the reason for sunsetting the SKPP as well as two papers related to this decision: http://www.niap-ccevs.org/pp/pp_skpp_hr_v1.03/
2. Created a New Protection Profile: Sunset Date: 1 September 2011
   1. U.S. Government Approved Protection Profile - Role Based Access Control Protection Profile Version 1.0 – this PP has been replaced by the new OSPP published on 30 August 2010.
3. Evaluate Against Draft PPs: Sunset Date: 1 September 2011
   There are two current PPs listed that no longer represent accurate requirements for the specific technology but for which a new PP is not yet available. For these two, NIAP will sunset these PPs and work with vendors to evaluate against the draft PPs. These draft PPs are expected to be published in final form in September 2011. Please contact NIAP to get a copy of the appropriate draft PP.
   1. U.S. Government Protection Profile Wireless Local Area Network (WLAN) Client for Basic Robustness Environments, Version 1.1
   2. U.S. Government Protection Profile Wireless Local Area Network (WLAN) Access System for Basic Robustness Environments, Version 1.1
4. Combination of PP for an ST: Sunset Date: 1 September 2011
   The following three PPs no longer represent accurate requirements for the specific technology and a draft PP is not under development that has direct mapping to the technologies. For these products, NIAP will work with the vendor and the lab to use the crypto requirements listed in the Network Device Protection Profile as well as other applicable requirements from other PPs to develop an approved ST.
   1. U.S. Government Protection Profile Web Server for Basic Robustness Environments, Version 1.1
   2. U.S. Government Protection Profile Authorization Server for Basic Robustness Environments, Version 1.1
   3. U.S. Government Family of Protection Profiles for Public Key Enabled Applications for Basic Robustness Environments, Version 2.8

As always, should you have questions regarding the sunsetted PPs listed above or have specific questions about a product for which is ready for a Common Criteria evaluation, please contact NIAP or call 410-854-4458.

Technical Communities have been added to the list of links under the CCEVS Big Picture. Please view the list of communities for information and Protection Profile status.

Chris Salter, a Technical Strategist for the NIAP, wrote this paper, “Common Criteria Reforms”, to describe the new direction for NIAP and the Common Criteria Community. The reforms discussed within the paper are intended to convince enterprises to request IT products be Common Criteria evaluated. He outlines the criteria for success and the steps necessary to convince governments and enterprises to require these CC evaluations. He goes on to state that these reforms cannot be achieved by one nation or one vendor alone – it takes a community. And it also takes time!