NIAP
NIAP/CCEVS

Labgram #080/Valgram #100 - Situations in Which an Entropy Assessment Report Does Not Require an IAD Review

Validators and CCTLs,

Subject:  Situations in which an Entropy Assessment Report does not require an IAD review

Effective:  8 May 2015

Background:  In an effort to streamline the evaluation process and increase efficiency, NIAP and IAD have identified situations in which an Entropy Assessment Report (EAR) does not need to be reviewed by IAD. Validator review of all EARs is still required, but in specific situations, the IAD EAR review may be eliminated. As we continue EAR reviews and exercise the criteria below, we expect there to be modifications to the process to add clarity and possibly additional categories. If at any time a validator wants or needs IAD input, they may request an IAD review, regardless of these criteria.

It is important to note that elimination of an IAD EAR review is based on two aspects of product evaluation:  both the product and the product’s entropy must be similar to a previously evaluated product. This includes cases in which a product’s functionality is evaluated against multiple PPs.  For example, if a product formerly evaluated against a PP (say, NDPP) is now being evaluated against another PP (App PP), IAD review is not required.

An IAD EAR review is still required if a vendor uses the “same” entropy among different products.

Criteria for elimination of IAD EAR Review:  If an EAR meets all of the following criteria, the validators can perform final acceptance without IAD review:

  1. The product, or similar product (same product, different version), has had an EAR submitted and approved within the last 6 months;
  2. An IAD review of this EAR has occurred within the last 18 months;
  3. The product’s functionality remains the same (not solely entropy);
  4. The product’s hardware is the same across evaluations; and
  5. The CCTL has provided an EAR “equivalency” argument for reuse which includes a description of how any differences in the product line do not affect entropy source/collection and, as a result, the entropy estimate and justification are unchanged. 

Criteria for when an IAD EAR Review is still required:  An EAR still requires IAD review if any of the following criteria apply:

  1. The product has not had an EAR submitted and approved within the last 6 months;
  2. An IAD review of this EAR has not occurred within the last 18 months;
  3. The product’s entropy-related hardware has changed since the original EAR review;
  4. The product’s entropy-related software has changed since the original EAR review; or
  5. The product’s interfaces have changed (inclusion, exclusion, or modification).

If a validator is unsure whether an EAR requires IAD review, consult NIAP directly for guidance.


If you have any questions or concerns, please contact us at 410-854-4458 or by email at niap@niap-ccevs.org.

 

Thank you,

NIAP Staff

 


410-854-4458 office

410-854-6615 fax

(U) The information contained herein that is marked (U//FOUO) is for the exclusive use of Government and Contractor personnel with a need-to-know for NIAP CCEVS information.  Such information is specifically prohibited from posting on unrestricted bulletin boards or other unlimited access applications.


Posted on 2015-05-08 by NIAP Staff
