Announcements

NIAP CCEVS Announcements and Updates

From the Director, NIAP

Sunsetting of NIAP Protection Profiles – Effective 1 February 2012 (19 December 2011)

NIAP continues to review our current list of Protection Profiles to determine which PPs should be sunsetted. We want to be sure evaluations go against correct and updated requirements (using our draft PPs when appropriate) as well as ensure evaluations are not against PPs that contradict our new policies and newly published PPs.

The following PP is No Longer Viable: U.S. Government Protection Profile Database Management Systems, Version 1.3 – this PP is out of date and no longer represents accurate requirements for database management system technology. In addition, no draft PP with a direct mapping to database technologies is under development. For database products, NIAP will work with the vendor and the lab to use the crypto requirements listed in the Network Device Protection Profile as well as other applicable requirements from other PPs to develop an approved ST at EAL2. A new PP will be developed with the appropriate technology vendors and will include the applicable requirements for database systems. Sunset Date: 1 February 2012.

As always, should you have questions regarding the sunsetted PPs or have specific questions about a product that is ready for a Common Criteria evaluation, please contact NIAP or call 410-854-4458.

Protection Profile Updates (10 December 2011)

The Network Device Protection Profile (NDPP) has been published and can be found in the U.S. Government Approved Protection Profiles listing or posted on the Common Criteria Portal. The PP describes security requirements for a Network Device (defined to be an infrastructure device that can be connected to a network), and is intended to provide a minimal, baseline set of requirements that mitigate well defined and described threats.

Click here for the latest Protection Profile status.

NIAP Approved Protection Profile Announcements (08 December 2011)

The NIAP Director is pleased to announce the release of the following Approved Protection Profiles:

USB Flash Drive
This is the NIAP approved Protection Profile for USB flash drives. The Target of Evaluation (TOE) defined in this Protection Profile (PP) is a USB flash drive and any associated software used to manage the drive and access the data on it.

Full Disk Encryption
This is the NIAP approved Protection Profile for Full Disk Encryption products. The Target of Evaluation (TOE) defined in this Protection Profile (PP) is a full disk encryption product used for mitigating the risk of a lost or stolen hard disk.

Wireless LAN Access System
This is the NIAP approved Protection Profile for the Wireless LAN Access System. The Target of Evaluation (TOE) defined in this protection Profile (PP) is used for Wireless Local Area Network (WLAN) Access Systems for the protection of sensitive but unclassified data on a wireless network.

Wireless LAN Client
This is the NIAP approved Protection Profile for the Wireless LAN Client. This Protection Profile (PP) supports procurements of commercial off-the-shelf (COTS) Wireless Local Area Network (WLAN) Clients for the protection of sensitive but unclassified data on a wireless network.

Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall
This Extended Package (EP) describes security requirements for a Stateful Traffic Filter Firewall (defined to be a device that filters layer 3 and layer 4 (IP and TCP/UDP) network traffic, optimized through the use of stateful packet inspection) and is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats. However, this EP is not complete in itself, but rather extends the Security Requirements for Network Devices Protection Profile (NDPP).

Protection Profile for IPsec Virtual Private Network (VPN) Clients
This Protection Profile (PP) supports procurements of commercial off-the-shelf (COTS) IPsec Virtual Private Network (VPN) Clients to provide secure tunnels to authenticated remote endpoints or gateways. This PP details the policies, assumptions, threats, security objectives, security functional requirements, and security assurance requirements for the VPN and its supporting environment.

Updated 18 January 2012

NIAP Evolution (28 November 2011)

The NIAP evolution continues to progress, with several important updates anticipated in the near term. These updates will provide specific details about various aspects of the transition. The overall goal of the changes in NIAP is Achievable, Repeatable, and Testable evaluation results.

Look for upcoming information regarding the NIAP evolution, including:

  • NEW Elimination of the NIAP “In Evaluation” list – provides dates and rationale for elimination of the current In Evaluation list;
  • NEW Updated NIAP Policy 12 “Acceptance Requirements of a Product for CCEVS Validations” – updates the current policy and includes requirements for evaluation against NIAP approved Protection Profiles;
  • PP Transition announcement – defines the transition to NIAP-approved PPs and product end of life/maintenance information;
  • National Security System (NSS) Acquisition announcement – proposed criteria for products to be listed on NIAP’s Product Compliant List (PCL) and for acquisition of COTS products to be used on NSS or to protect NSS information;
  • Product End of Life/Maintenance announcement – provides milestones for implementation of the NIAP End of Life/Maintenance process, including information about how previously evaluated products must comply; and
  • New NIAP Cryptographic Policy – defines the relationship between the cryptographic requirements of a Target of Evaluation (TOE) in evaluation and the verification of those requirements through activities performed by the NIST Cryptographic Algorithm Validation Program (CAVP)/Cryptographic Module Validation Program (CMVP).

Transition window for switch/router compliance to the Network Device Protection Profile (NDPP) to be extended (31 October 2011)

After further consideration and discussion with several vendors, NIAP has determined that the transition window for switch/router compliance to the Network Device Protection Profile (NDPP) will be extended. NIAP CCEVS will accept evaluations in accordance with Scheme Policy 12 for switches and routers when it has been confirmed that the vendor will achieve NDPP compliance within a mutually agreed upon timeframe. Decisions to accept ST evaluations for switches and routers will be made on a case-by-case basis. Note that the current NDPP transition window for firewalls is still in effect - all firewall evaluations must be in compliance with the NDPP.

Sunsetting of NIAP Protection Profiles – Effective 1 September 2011 (02 August 2011)

NIAP has been reviewing our current list of Protection Profiles to determine which PPs should be sunsetted. We want to be sure evaluations go against correct and updated requirements (using our draft PPs when appropriate) as well as ensure evaluations are not against PPs that contradict our new policies and newly published PPs. There are eight PPs listed that fall into four categories:

  1. No Longer Viable: Sunset Date: 1 September 2011
    1. U.S. Government Protection Profile for USDA Instrument Grading System for Basic Robustness Environments – this PP was never used and does not fall within our list of critical technologies for the CNSS community.
    2. U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03 (SKPP) – NSA/IAD’s efforts to support existing SKPP evaluations have revealed a number of difficulties in the areas of assurance maintenance, scalability, cost and complexity when applied to complex commodity platforms. Please go to the link below for a detailed explanation of the reason for sunsetting the SKPP as well as two papers related to this decision: http://www.niap-ccevs.org/pp/pp_skpp_hr_v1.03/
  2. Created a New Protection Profile: Sunset Date: 1 September 2011
    1. U.S. Government Approved Protection Profile - Role Based Access Control Protection Profile Version 1.0 – this PP has been replaced by the new OSPP published on 30 August 2010.
  3. Evaluate Against Draft PPs: Sunset Date: 1 September 2011
    There are two current PPs listed that no longer represent accurate requirements for the specific technology but for which a new PP is not yet available. For these two, NIAP will sunset these PPs and work with vendors to evaluate against the draft PPs. These draft PPs are expected to be published in final form in September 2011. Please contact NIAP to get a copy of the appropriate draft PP.
    1. U.S. Government Protection Profile Wireless Local Area Network (WLAN) Client for Basic Robustness Environments, Version 1.1
    2. U.S. Government Protection Profile Wireless Local Area Network (WLAN) Access System for Basic Robustness Environments, Version 1.1
  4. Combination of PP for an ST: Sunset Date: 1 September 2011
    The following three PPs no longer represent accurate requirements for the specific technology, and no draft PP with a direct mapping to these technologies is under development. For these products, NIAP will work with the vendor and the lab to use the crypto requirements listed in the Network Device Protection Profile as well as other applicable requirements from other PPs to develop an approved ST.
    1. U.S. Government Protection Profile Web Server for Basic Robustness Environments, Version 1.1
    2. U.S. Government Protection Profile Authorization Server for Basic Robustness Environments, Version 1.1
    3. U.S. Government Family of Protection Profiles for Public Key Enabled Applications for Basic Robustness Environments, Version 2.8

As always, should you have questions regarding the sunsetted PPs listed above or have specific questions about a product that is ready for a Common Criteria evaluation, please contact NIAP or call 410-854-4458.

Technical Communities (17 March 2011)

Technical Communities have been added to the list of links under the CCEVS Big Picture. Please view the list of communities for information and Protection Profile status.

Common Criteria Reforms – Better Security Products through Increased Cooperation with Industry (01 March 2011)

Chris Salter, a Technical Strategist for the NIAP, wrote this paper, “Common Criteria Reforms”, to describe the new direction for NIAP and the Common Criteria Community. The reforms discussed within the paper are intended to convince enterprises to request IT products be Common Criteria evaluated. He outlines the criteria for success and the steps necessary to convince governments and enterprises to require these CC evaluations. He goes on to state that these reforms cannot be achieved by one nation or one vendor alone – it takes a community. And it also takes time!


Previous Announcements and Updates

Recommended Use of the Network Device PP (01 March 2011)

The Network Device Protection Profile (NDPP) describes the security requirements for an infrastructure network device (as opposed to an end-user device) that can be connected to a network. It is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats. It represents an evolution of “traditional” Protection Profiles and the associated evaluation of the requirements contained within the document.

Modules are being developed to address specific devices on the network and will identify unique requirements, over and above the NDPP, for that particular device (e.g., firewall and VPN). Products within this network device community are currently being accepted into NIAP evaluation against the NDPP. Once a module is published, it is intended that products be evaluated against the NDPP and the product relevant module.

Network devices that are of NDPP type (as defined in the NDPP) will be accepted into evaluation with either an NDPP compliance claim or at EAL 2 with an LOI until 01 June 2011. After 01 June 2011, all products that are of NDPP type must comply with the NDPP and any applicable modules.

Firewall products will be accepted into NIAP against one of the current Firewall PPs* or against the NDPP until 01 June 2011. After 01 June 2011, firewall devices must comply with the NDPP, or with the NDPP and the applicable set of SFRs from a current Firewall PP. Once the Firewall Module is published, firewall devices can immediately claim compliance to both the NDPP and the Firewall Module. Additionally, for six months following the Firewall Module publish date, firewall devices may comply with the NDPP and the SFRs from the current Firewall PPs. Six months after the publish date of the Firewall Module, all firewall devices must comply with the NDPP and the Firewall Module.

* U.S. Government Protection Profile for Application-level Firewall in Basic Robustness Environments Version 1.1;
   U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments Version 1.1

13th International Common Criteria Conference (01 February 2011)

The 13th International Common Criteria Conference was held on 18-20 September, 2012 in Paris, France.

NIAP CCEVS Conference Attendance (01 January 2011)


  • AFCEA West: 24-27 January 2011 in San Diego, CA
  • RSA Conference 2011: 14-18 February 2011 in San Francisco, CA
  • IA Expo 20x20: 7-11 March 2011 in Nashville, TN
  • Information Technology New Generation: 12-14 April 2011 in Las Vegas, NV
  • INFOSEC World: 19-21 April 2011 in Orlando, FL
  • DoDIIS Conference: 1-6 May 2011 in Detroit, MI
  • Joint Warfighting Conference: 10-12 May 2011 in Virginia Beach, VA
  • LandWarNet: 23-25 August 2011 in Tampa, FL
  • AFITC: 28-31 August in Montgomery, AL
  • 2nd Annual NSA Trusted Computing Conference & Exposition: 20-22 September in Orlando, FL – Caribe Royale Orlando Hotel
  • 12th International Common Criteria Conference, 27-29 September, 2011 in Kuala Lumpur, Malaysia

Memorandum From DoD (14 September 2010)

“Updated Guidance Concerning the Acquisition of Information Assurance (IA) and IA-enabled Products”

NSTISSP No. 11, DoDD 8500.01E, and DoDI 8500.2 are all currently under revision, and all three will provide updated guidance regarding the acquisition of IA and IA-enabled IT products. Until these documents are completed and released, the DoD has provided the following memorandum as interim guidance.

Click here for the Updated guidance memorandum.

Policy Clarification (04 June 2010)

On 16 March 2009, the NIAP Program Office announced a new strategy for the Common Criteria Evaluation and Validation Scheme (CCEVS). Below is a clarification to the policy that will be followed as of 04 June 2010.

NIAP will only accept into evaluation:

  • Products claiming compliance with a U.S. approved Protection Profile (with an EAL no higher than that specified in the profile), or
  • When a U.S. approved Protection Profile does not exist and a government agency requests a Common Criteria evaluation, NIAP will consider accepting a product into evaluation at EAL2 only. Validator resource availability and customer need (as specified in the LOI) will serve as the basis for acceptance.

All product evaluations must complete within 12 months from the evaluation kick-off.

CCTL Applications Are Open (08 April 2010)

NVLAP U.S. Common Criteria Testing Laboratories (CCTL) Applications are Open

Due to many factors, for the last several years the NIAP program did not consider new applications for becoming active CCTLs. NIAP is again accepting applications for CCTL accreditation. If your organization wishes to become a CCTL, please send a letter of intent to pursue accreditation to scheme-comments@niap-ccevs.org.

NIAP Policy Letter (01 March 2010)

The NIAP Program Office updated the Scheme Policy Letters.
Click here for a summary of the updates.
Click here to view the current Policy letters.

Protection Profile Survey (01 February 2010)

NIAP is working with industry consortia to develop the next evolution of protection profiles. The Protection Profiles for Enterprise Security Management are currently ready for the development stage. To assist in this process, we ask that you please complete this important survey on the creation of a new set of Protection Profiles for Enterprise Security Management. You can get to the survey by clicking on the following link: http://survey.confirmit.com/wix/p1160037249.aspx. Please complete the survey by April 30, 2010. It should take you no more than 10 minutes to complete. Should you have any questions regarding the ESM Working Group or the survey itself, please contact enterprisesecuritymanagement@officeliveusers.com.

Thank You,
Carol Saulsbury Houck
Director NIAP

Policy Clarification (21 October 2009)

On 16 March 2009, the NIAP Program Office announced a new strategy for the Common Criteria Evaluation and Validation Scheme (CCEVS). Below is the clarification of the policies being implemented as of 1 October 2009.

Existing approved Protection Profiles will remain in place until superseded by new Standard Protection Profiles. The NIAP Program Office will work with the Committee for National Security Systems (CNSS) community to require evaluations against the new profiles.

Beginning 1 October 2009, for products vendors want evaluated by a NIAP Common Criteria Testing Lab, either at a higher EAL than a U.S. approved Protection Profile or when no U.S. approved Protection Profile exists, vendors will need to submit documentation explicitly stating the requirement from a government agency (U.S. government, NATO, or foreign government covered by the Common Criteria Mutual Recognition Agreement). The intent is to have the opportunity to ask the government agency to not require the evaluation at an inappropriate EAL or without a Protection Profile (see CCEVS Policy Letter #12, dated 1 October 2009).

The two cases will be addressed as follows (Updated 01 April 2010):

  1. When an approved Protection Profile exists and the government agency requires an evaluation at a higher EAL than specified in the profile, the vendor may submit a Security Target at the higher EAL if all requirements of the approved Protection Profile are met as a subset of the Security Target.
  2. When an approved Protection Profile does not exist and a government agency requires a Common Criteria evaluation, a vendor may submit a Security Target for evaluation at EAL2. Any product for which a government customer requires evaluation at a level higher than EAL2 will be considered on a case-by-case basis.

Questions and Answers on the NIAP’s Evolution (21 October 2009)

Updated 01 April 2010

NIAP CCEVS Evolution for FY10 (16 March 2009)

Based on the results of evaluations against the Basic and Medium Robustness Protection Profiles and comments from vendors and our customers, NIAP has determined that the current U.S. Protection Profile Robustness model needs to be revised. The model assumed that the same assurance levels could be achieved for every technology. Also, the implementation did not create the necessary test plans and documentation needed to achieve consistent results across different products evaluated in different labs.

The security requirements for many technologies are the same for many sectors of Government and industry. For each technology, NSA is creating a Standard Protection Profile, which will replace any corresponding U.S. Government Protection Profile. We will work with industry, our customers, and the Common Criteria community to create these Protection Profiles. The first generation of these Protection Profiles will take into account the current assurance that is achievable for a technology and the Evaluated Assurance Level (EAL) will be set based on the availability of the documentation, test plans, and tools needed to obtain consistent and comparable results.

Future increases in the Evaluated Assurance Level (EAL) of each Protection Profile will require more refinement of the assurance criteria, more detailed test plans, and greater disclosure of evaluator evidence, testing performed, and vulnerabilities found. NIAP will work with the Common Criteria community to ensure that Common Criteria 4.0 supports these requirements.

All evaluated products will maintain their certification and remain on the NIAP CCEVS Validated Products List (VPL). All on-going evaluations will continue to completion and receive their certification and VPL listing based on their original entry criteria. Over the next few months, the existing U.S. Government Basic Robustness Protection Profiles will be updated to reflect more current functional requirements. Beginning 1 October 2009, NIAP will only accept products into evaluation that comply with either the updated U.S. Government Basic Robustness Protection Profile or with the corresponding new Standard Protection Profile. As each new Standard Protection Profile is published, the old corresponding U.S. Government Protection Profile will be given a 1-year expiration date.

When no validated U.S. Government Protection Profile exists and FIPS validation is not appropriate, NSTISSP #11 currently requires that COTS IA and IA-enabled IT products be Common Criteria evaluated. Consequently, many products are evaluated against a vendor-provided Security Target without any reference to government needs in a validated Protection Profile. NSA and NIAP will pursue revisions to existing U.S. Government policies to require a Common Criteria evaluated product only if a validated U.S. Government Protection Profile exists for that technology.

CCEVS will continue to provide updates on the status of the program via the NIAP CCEVS website. Please direct questions to us at scheme-comments@niap-ccevs.org or (410) 854-4458.

FY09 Acceptance Policy (01 October 2008)

October 1, 2008 - For FY09, the NIAP CCEVS office will maintain the existing FY08 policy to continue accepting US Government PP or EAL 4 compliant products into evaluation.

Common Criteria Version 3.1 Update (02 September 2007)

The below information does not supersede the new FY08 evaluation acceptance constraints.

The Common Criteria Version 3.1 Revision 2 was published in September 2007. The criteria and methodology are available on the Common Criteria Portal and the NIAP web site.

All Common Criteria Mutual Recognition Arrangement Schemes agreed to mutually recognize the use of Version 3.1. All CC Schemes are now using CC Version 3.1. No further interpretations against CC Version 2 will be performed.

For the U.S. Common Criteria Evaluation and Validation Scheme (CCEVS) the following schedule shall be used for CC Version 3.1 evaluations:

For TOE/ST Evaluations with no PP Compliance Claims:

  • All new TOE/ST evaluations shall use Version 3.1.

For CC Evaluations with PP Compliance Claims:

  • A TOE/ST must claim compliance to a Version 3.1 PP; if no Version 3.1 PP exists, a TOE/ST may only claim compliance to a Version 2.x PP with the approval of the NIAP/CCEVS Director.

For PP Developments and Evaluations:

  • All new PP evaluations shall use CC Version 3.1 as the evaluation standard.

For Assurance Maintenance:

Assurance Maintenance of Evaluations with NO PP Compliance Claims:

  • Assurance maintenance activities against Version 2.x evaluations may continue until 30 September 2009, after which a new evaluation using Version 3.1 must be performed.

Assurance Maintenance of Evaluations with PP Compliance Claims:

  • Assurance maintenance activities against an evaluation claiming conformance to a Version 2.x PP may continue until 30 September 2009.