NIAP: FAQs on NIAP’s Evolution (21 October 2009)
  NIAP  »»  Evolution  »»  FAQs  »»  FAQs on NIAP’s Evolution (21 October 2009)  
FAQs on NIAP’s Evolution (21 October 2009)
  1. Why is NIAP implementing these changes?

    Answer: Based on nearly 10 years worth of experience with Common Criteria evaluations, the NIAP program has concluded comparable and repeatable results cannot be obtained in the evaluation of a technology without a Protection Profile and a set of Supporting Documents developed in partnership with vendors and the other Common Criteria Schemes.

    These changes in policy are the natural result of understanding the assurance that can be achieved with different types of technologies and the limitations of what can be achieved with the evaluation of vendor products by 3rd parties. The first observation is comparable, consistent results require an agreed upon threat model and set of security functional requirements that can be captured in a Protection Profile. The second observation is to have comparable, consistent evaluation results for subjective components of an evaluation requires working out test plans and models for each assurance category with the cooperation of the vendors and the evaluators. To be binding, this work must be published in Supporting Documents, which must be vetted with and approved by the processes agreed upon in the Common Criteria Recognition Agreement. The third observation is more information has to be disclosed across Schemes to have confidence that evaluations have been consistently performed with the same level of competence and diligence at the higher, more subjective levels. The final observation is one that has been made since the original papers on assurance: confidence in a product is limited by its complexity and its separation from other products in the same environment. No amount of documentation and no method of evaluation can overcome these inherent limitations.

  2. What will change?

    Answer: Our first step is to update our current Basic/Medium Robustness PPs to what we are referring to as Interim PPs. Concurrently, we are creating a Standard Protection Profile for each technology that will replace any corresponding U.S. Government Protection Profile. We will work with industry, our customers, and the Common Criteria community to create these profiles. The first generation of these Protection Profiles will take into account the current assurance that is achievable for a technology and the Evaluation Assurance Level (EAL) will be set based on the availability of the documentation, test plans, and tools needed to obtain consistent and comparable results.

  3. When and how will the changes be implemented?

    Answer: Existing U. S. Government Protection Profiles are being updated to reflect more current functional requirements. Existing U.S. Protection Profiles are being used to create a set of EAL2 Interim Protection Profiles with updated functional requirements. Beginning 1 October 2009, NIAP/CCEVS will only accept products into evaluation that comply with either an updated Interim U.S. Government Protection Profile or with the corresponding new Standard Protection Profile. As each new Standard Protection Profile is published, the old corresponding Interim U.S. Government Protection Profiles will be given a sunset date after which no further evaluations will be recognized. All in process evaluations will continue until completion. No Medium Robustness Protection Profile evaluations will be accepted after 1 October 2009

  4. Will the current DOD 8500 policy be affected?

    Answer: Yes, NIAP/CCEVS is working with the DoD to update current policies to accommodate the changes. DoD 8500 references the old Robustness model and therefore will need to be revised.

  5. How will the changes affect products already in evaluation?

    Answer: Products in evaluation may continue to completion in accordance with all previously posted CCEVS policies. If a vendor is currently undergoing a Medium Robustness PP evaluation, they may choose to drop down to an Interim U.S. Government PP evaluation without penalty or delay.

  6. Will I need to have my evaluated product re-evaluated?

    Answer: No, all previously evaluated products will remain certified for the stated version of the product.

  7. Once the changes are implemented, if the product has minor changes, may I still update a previously validated product using Assurance Maintenance?

    Answer: Yes.

  8. When will the new Standard Protection Profiles be generated to reflect the NIAP changes?

    Answer: New Standard PPs will be developed over the next few years as time and resources permit. We will maintain a status chart on our web page indicating estimated completion dates.

  9. Will the Common Criteria Recognition Arrangement (CCRA) be affected?

    Answer: Since the new Standard Protection Profiles will be written in accordance with the existing Common Criteria standard at or below EAL4, they will continue to be recognized under CCRA. The evaluations against an Interim U.S. Government PP and Standard Protection Profiles can be performed by any certified Common Criteria Lab.

  10. Is there still a need for higher assurance products and if so how will they be evaluated?

    Answer: Yes, there will always be a need for high assurance products and those products will be evaluated using NSA-approved processes. However, Protection Profiles and Supporting Documentation are still required to achieve meaningful results from evaluations at higher assurance levels . These profiles and supporting documentation will be generated as the need is required and resources are available.

  11. Will the evaluation Validation Oversight Review (VOR) process remain the same?

    Answer: Yes

  12. Will NIAP accept Protection Profiles developed by other Schemes and Vendor Consortia?

    Answer: NIAP will consider for validation any Protection Profile that has been developed by a vendor consortium and that has the necessary Supporting Documents to achieve consistent and repeatable results.

  13. Can you clarify if the changes mean any product’s certification (assuming it does not fit any Govt. PP) will be waived or will this simply mean certification will still be required but we would have to do it through some international accrediting lab/body (i.e. Canada or Australia)?

    Answer: When an approved Protection Profile does not exist and a government agency requires a Common Criteria evaluation, a vendor may submit a Security Target for evaluation at the EAL required by the government agency. (If no EAL level is prescribed, the security target must be EAL1.) NIAP will not list these products on its Validated Products List. These products will still be listed on the Certified Product List located on the Common Criteria Portal.

  14. If an evaluation starts after 1 October 2009 in another scheme and does not conform to a US government PP, will it be recognized by NIAP since the policy then will be to require US PP compliance?

    Answer: Effective October 1, 2009, any product accepted into evaluation under the U.S. CC Scheme will have to claim compliance to a U.S. Government approved Protection Profile. Certifications by other CCRA schemes remain in accordance with that countries’ scheme.

    NIAP will work with members of the CCRA to certify products using U.S. Government approved Protection Profiles.

  15. Can a vendor increase the EAL of the product being evaluated to something greater than specified in the Protection Profile?

    Answer: When an approved Protection Profile exists and the government agency requires an evaluation at a higher EAL than specified in the profile, the vendor may submit a Security Target at the higher EAL if all the requirements of the approved Protection Profile are met as a subset of the Security Target. If the evaluation is successful, the product will be listed on the NIAP’s Validated Products List, but with no reference to the EAL.

  16. How will the NIAP changes affect the Federal Information Processing Standard (FIPS) 140-2 Level 4 requirements, which states that if an operating system is used that it must be EAL4?

    Answer: NIAP is working with NIST to update the latest FIPS 140 document.

Site Map              Contact Us              Home