Answer: Based on nearly 10 years worth of experience with Common Criteria evaluations, the NIAP program has concluded comparable and repeatable results cannot be obtained in the evaluation of a technology without a Protection Profile and a set of Supporting Documents developed in partnership with vendors and the other Common Criteria Schemes.

These changes in policy are the natural result of understanding the assurance that can be achieved with different types of technologies and the limitations of what can be achieved with the evaluation of vendor products by 3rd parties. The first observation is comparable, consistent results require an agreed upon threat model and set of security functional requirements that can be captured in a Protection Profile. The second observation is to have comparable, consistent evaluation results for subjective components of an evaluation requires working out test plans and models for each assurance category with the cooperation of the vendors and the evaluators. To be binding, this work must be published in Supporting Documents, which must be vetted with and approved by the processes agreed upon in the Common Criteria Recognition Agreement. The third observation is more information has to be disclosed across Schemes to have confidence that evaluations have been consistently performed with the same level of competence and diligence at the higher, more subjective levels. The final observation is one that has been made since the original papers on assurance: confidence in a product is limited by its complexity and its separation from other products in the same environment. No amount of documentation and no method of evaluation can overcome these inherent limitations.

Answer: Our first step is to update our current Basic/Medium Robustness PPs to what we are referring to as Interim PPs. Concurrently, we are creating a Standard Protection Profile for each technology that will replace any corresponding U.S. Government Protection Profile. We will work with industry, our customers, and the Common Criteria community to create these profiles. The first generation of these Protection Profiles will take into account the current assurance that is achievable for a technology and the Evaluation Assurance Level (EAL) will be set based on the availability of the documentation, test plans, and tools needed to obtain consistent and comparable results.

Answer: Existing U. S. Government Protection Profiles are being updated to reflect more current functional requirements. Existing U.S. Protection Profiles are being used to create a set of EAL2 Interim Protection Profiles with updated functional requirements. Beginning 1 October 2009, NIAP/CCEVS will only accept products into evaluation that comply with either an updated Interim U.S. Government Protection Profile or with the corresponding new Standard Protection Profile. As each new Standard Protection Profile is published, the old corresponding Interim U.S. Government Protection Profiles will be given a sunset date after which no further evaluations will be recognized. All in process evaluations will continue until completion. No Medium Robustness Protection Profile evaluations will be accepted after 1 October 2009

Answer: Yes, NIAP/CCEVS is working with the DoD to update current policies to accommodate the changes. DoD 8500 references the old Robustness model and therefore will need to be revised.

Answer: Products in evaluation may continue to completion in accordance with all previously posted CCEVS policies. If a vendor is currently undergoing a Medium Robustness PP evaluation, they may choose to drop down to an Interim U.S. Government PP evaluation without penalty or delay.

Answer: No, all previously evaluated products will remain certified for the stated version of the product.

Answer: Yes.

Answer: New Standard PPs will be developed over the next few years as time and resources permit. We will maintain a status chart on our web page indicating estimated completion dates.

Answer: Since the new Standard Protection Profiles will be written in accordance with the existing Common Criteria standard at or below EAL4, they will continue to be recognized under CCRA. The evaluations against an Interim U.S. Government PP and Standard Protection Profiles can be performed by any certified Common Criteria Lab.

Answer: Yes, there will always be a need for high assurance products and those products will be evaluated using NSA-approved processes. However, Protection Profiles and Supporting Documentation are still required to achieve meaningful results from evaluations at higher assurance levels . These profiles and supporting documentation will be generated as the need is required and resources are available.

Answer: Yes

Answer: NIAP will consider for validation any Protection Profile that has been developed by a vendor consortium and that has the necessary Supporting Documents to achieve consistent and repeatable results.

Answer: When an approved Protection Profile does not exist and a government agency requires a Common Criteria evaluation, a vendor may submit a Security Target for evaluation at the EAL required by the government agency. (If no EAL level is prescribed, the security target must be EAL1.) NIAP will not list these products on its Validated Products List. These products will still be listed on the Certified Product List located on the Common Criteria Portal.

Answer: Effective October 1, 2009, any product accepted into evaluation under the U.S. CC Scheme will have to claim compliance to a U.S. Government approved Protection Profile. Certifications by other CCRA schemes remain in accordance with that countries’ scheme.

NIAP will work with members of the CCRA to certify products using U.S. Government approved Protection Profiles.

Answer: When an approved Protection Profile exists and the government agency requires an evaluation at a higher EAL than specified in the profile, the vendor may submit a Security Target at the higher EAL if all the requirements of the approved Protection Profile are met as a subset of the Security Target. If the evaluation is successful, the product will be listed on the NIAP’s Validated Products List, but with no reference to the EAL.

Answer: NIAP is working with NIST to update the latest FIPS 140 document.