Labgram #107/Valgram #127 - Collaborative PP (cPP) and Extended Package (EP) - compliant Product Posting
Based on discussions at recent Common Criteria Recognition Arrangement (CCRA) committee meetings and according to the wording in the CCRA, product claims of conformance to Extended Packages (EPs) with collaborative Protection Profiles (cPPs) cannot be added to the Common Criteria portal Certified Product List (CPL) at this time. Products with such claims that are already posted will remain on the CPL. Products claiming compliance to a NIAP PP and EP(s) can continue to be posted to the CPL.
In accordance with the CCRA Annex K, CCRA certificates that claim conformance to a cPP shall only cover the security functionality defined in the said cPP. NIAP EPs are developed to provide additional security functionality required for NSS users. NIAP strives to meet the needs of our NSS users in the context of the CCRA. However, in this case there is a disparity between NSS mission imperatives and the need for iTC review prior to inclusion of EP conformance claims in conjunction with the cPP. The United States NSS mission always takes primacy, so NIAP will continue to validate and publish cPP and EP conformant products to the PCL, although they are not yet approved for publication to the CPL.
NIAP is actively working with the international Technical Communities to update the cPPs and allow for CPL publication of EP conformance claims as soon as possible. Your active participation in the iTCs will help bring this to closure expeditiously. We recommend you and your vendors engage in the iTC by advocating for a rapid update to the cPPs to allow for conformance claims to EPs (called “modules” in CCRA terminology).
NIAP will continue to post products with cPP and EP conformance claims to the PCL for NSS procurement eligibility. Additionally, these products can be posted on the CPL with a cPP-only conformance claim. Posting the products on the CPL in this way will necessitate a separate cPP-only Security Target, Validation Report, and certificate. CCTLs with cPP/EP evaluations that will be posted in this way on both the CPL and the PCL must notify NIAP during check-in.
If you have any questions or concerns, please contact us at 410-854-4458 or by email email@example.com.