NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Veeam ONE v12

Certificate Date:  2023.08.18

Validation Report Number:  CCEVS-VR-VID11371-2023

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.4

CC Testing Lab:  Leidos Common Criteria Testing Laboratory

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide: Veeam ONE v12 Common Criteria Evaluated Configuration Guide (CCECG) [PDF]

Administrative Guide: Reporting Guide [PDF]

Administrative Guide: Quick Start Guide [PDF]

Administrative Guide: Monitoring Guide [PDF]

Administrative Guide: Deployment Guide [PDF]

Administrative Guide: CC Hardening Guide for 12a [PDF]

Product Description

The Target of Evaluation (TOE) is Veeam ONE v12. The TOE provides a monitoring and analytics solution for backup, virtual and physical environments, providing support for Veeam Backup & Replication™ and Veeam Agents, as well as VMware, Hyper-V and Nutanix AHV.

Veeam ONE v12 is a software application. In its evaluated configuration, it is installed on an instance of Microsoft Windows Server 2019 executing on an x86-64 processor with the following additional software components, which are included in the Veeam ONE setup package:

                     Microsoft .NET Framework 4.7.2 or later

                     Microsoft .NET Core Runtime 3.1.16

                     Microsoft Visual C++ 2015-2019 Redistributable (x64)

                     Microsoft System CLR Types for SQL Server 2014

                     Microsoft SQL Native Client 2012

                     Microsoft SQL Server 2014 Management Objects

                     Microsoft SQL Server 2012 Management Objects

                     Microsoft OLE DB Driver for SQL Server

                     Microsoft XML 6.0 Parser and SDK

                     Microsoft ASP.NET Core Shared Framework 3.1.16

                     Microsoft Universal C Runtime

                     Microsoft SQL Server 2016 (Microsoft SQL Server 2016 Express edition is included in Veeam ONE setup).

The TOE additionally requires Microsoft SQL Server installed on the same host platform and a workstation with a web browser to connect to the TOE’s user interface.

The TOE connects to an instance of the separately evaluated Veeam Backup and Replication (VBR) software to retrieve event logs of backup and recovery tasks performed by VBR and infrastructure information of the hosts to which VBR connects.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the Veeam ONE v12 Security Target, Version 1.6, 9 July 2023. The evaluation was completed in August 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11371-2023) prepared by CCEVS.

Environmental Strengths

Cryptographic Support

The TOE invokes platform-provided cryptography to protect data at rest and in transit.

User Data Protection

The TOE accesses the minimum amount of Windows Server hardware and data in order to perform its function. The TOE stores database connectivity information in the Windows Registry and stores other TOE configuration information in the SQL Server database.

Security Management

Both the TOE binary components themselves and the configuration settings they use are stored in locations recommended for Microsoft Windows Server.

The TOE includes a console user interface (UI). Users must login to Windows and have permissions to access the UI in order to access the TOE.

Administrators may configure which VBR instances have their Event Logs analyzed by the TOE, and access reports resulting from that analysis.


The TOE does not process any personally identifiable information (PII).

Protection of the TSF

The TOE enforces various mechanisms to prevent itself from being used as an attack vector to its Windows platform. The TOE implements address space layout randomization (ASLR), does not allocate any memory with both write and execute permissions, does not write user-modifiable files to directories that contain executable files, and is compatible with the Windows Defender security features of its host platform.

The TOE contains libraries and invokes system APIs that are well known and explicitly identified.

The TOE has a mechanism to display its current software version.  The TOE can be used to determine if software updates for it are available.  If so, an administrator uses out of band mechanisms to acquire, validate, and install the update securely.

The TOE developer provides a secure mechanism for receiving reports of security flaws.   Product vulnerabilities are tracked and addressed. Availability of updates is announced via email sent to customers as well as via the Veeam website.


Trusted Path/Channels

The TOE protects data in transit with remote administrators by invoking the platform-provided IIS.

Vendor Information

Veeam Software Corporation
Jose R. Mendoza
Site Map              Contact Us              Home