Compliant Product - NetApp Storage Encryption (NSE) running ONTAP 9.7P13
Certificate Date: 2021.09.07
Validation Report Number: CCEVS-VR-VID11174-2021
Product Type: Encrypted Storage
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Full Drive Encryption - Authorization Acquisition Version 2.0 + Errata 20190201
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is NetApp Storage Encryption (NSE) running ONTAP 9.7P13, an authorization acquisition product that obtains and maintains authorization data used to access encrypted data stored on a full disk encryption product. It provides authorization data to third party self-encrypting drives (SEDs).
The TOE is provided pre-installed on NetApp disk storage appliances consisting of storage controllers and one or more enclosures of SEDs. It supports third party SEDs that follow either the Trusted Computing Group’s (TCG) Opal or Enterprise standards. Both standards support the use of an authentication key (AK) and one or more data encryption keys (DEK) per drive. The AK is used by a client (client in this case indicating ONTAP, the NetApp operating system) to unlock a drive. Once the drive verifies that the AK is correct, it uses the AK to decrypt the drive’s DEK(s).
The NetApp appliances included in the evaluated configuration are as follows:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the TOE was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the NetApp Storage Encryption (NSE) running ONTAP 9.7P13 Security Target. The evaluation was completed in August 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE includes NIST CAVP-validated cryptographic algorithms supporting cryptographic functions. The TOE provides key wrapping, key derivation, and validation of the Border Encryption Value (BEV).
The TOE supports management functions for forwarding requests to change the DEK to the SED, forwarding requests to cryptographically erase the DEK to the SED, allowing authorized users to change the authorization factor being used, and initiating TOE software updates using a command line interface.
Protection of the TSF
The TOE provides trusted firmware updates, protects keys and key material, and supports Compliant power saving states. The TOE runs a suite of self-tests during initial start-up (on power on).