Labgram #080/Valgram #100 - Situations in Which an Entropy Assessment Report Does Not Require an IAD Review
Validators and CCTLs,
Subject: Situations in which an Entropy Assessment Report does not require an IAD review
Effective: 8 May 2015
Background: In an effort to streamline the evaluation process and increase efficiency, NIAP and IAD have identified situations in which an Entropy Assessment Report (EAR) does not need to be reviewed by IAD. Validator review of all EARs is still required, but in specific situations, the IAD EAR review may be eliminated.As we continue EAR reviews and exercise the criteria below, we expect there to be modifications to the process to add clarity and possibly additional categories. If at any time a validator wants/needs IAD input, they may request an IAD review - regardless of these criteria.
It is important to note that elimination of an IAD EAR review is based on two aspects of product evaluation: both the product and the product’s entropy must be similar to a previously evaluated product. This includes cases in which a product’s functionality is evaluated against multiple PPs. For example, if a product formerly evaluated against a PP (say, NDPP) is now being evaluated against another PP (App PP), IAD review is not required.
An IAD EAR review is still required if a vendor uses the “same” entropy among different products.
Criteria for elimination of IAD EAR Review: If an EAR meets all of the following criteria, the validators can perform final acceptance without IAD review:
Criteria for when an IAD EAR Review is still required: An EAR still requires IAD review if any of the following criteria apply:
If a validator is unsure whether an EAR requires IAD review, consult NIAP directly for guidance.
If you have any questions or concerns, please contact us at 410-854-4458 or by email firstname.lastname@example.org.
(U) The information contained herein that is marked (U//FOUO) is for the exclusive use of Government and Contractor personnel with a need-to-know for NIAP CCEVS information. Such information is specifically prohibited from posting on unrestricted bulletin boards or other unlimited access applications.