NIAP: Archived U.S. Government Approved Protection Profile - collaborative Protection Profile for Full Drive Encryption - Encryptio...

NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
Questions?  We're here to help
  NIAP  »»  Protection Profiles  »»  Archived PPs  »»  Details  
Archived U.S. Government Approved Protection Profile - collaborative Protection Profile for Full Drive Encryption - Encryption Engine Version 2.0

Short Name: cpp_fde_ee_v2.0

Technology Type: Encrypted Storage

CC Version: 3.1

Date: 2016.09.09

Transition End Date: 2017.03.09

Preceded By: cpp_fde_ee_v1.0

Succeeded By: cpp_fde_ee_v2.0e

Sunset Date: 2019.02.01 [Sunset Icon]

Conformance Claim: None

Protection Profile [PDF]

Supporting Docs [PDF]

Control Mapping [PDF]



The purpose of the Collaborative Protection Profiles (cPPs) for Full Drive Encryption (FDE): Authorization Acquisition (AA) and Encryption Engine (EE) is to provide requirements for Data-at-Rest protection for a lost device that contains storage. These cPPs allow FDE solutions based in software and/or hardware to meet the requirements. The form factor for a storage device may vary, but could include: system hard drives/solid state drives in servers, workstations, laptops, mobile devices, tablets, and external media. A hardware solution could be a Self-Encrypting Drive or other hardware-based solutions; the interface (USB, SATA, etc.) used to connect the storage device to the host machine is outside the scope of this cPP.
Full Drive Encryption encrypts all data (with certain exceptions) on the storage device and permits access to the data only after successful authorization to the FDE solution. The exceptions include the necessity to leave a portion of the storage device (the size may vary based on implementation) unencrypted for such things as the Master Boot Record (MBR) or other AA/EE pre-authentication software. These FDE cPPs interpret the term “full drive encryption” to allow FDE solutions to leave a portion of the storage device unencrypted so lo71ng as it contains plaintext user or plaintext authorization data.

The FDE cPP - Encryption Engine describes the requirements for the Encryption Engine piece and details the necessary security requirements and assurance activities for the actual encryption/decryption of the data by the DEK. Each cPP will also have a set of core requirements for management functions, proper handling of cryptographic keys, updates performed in a trusted manner, audit and self-tests.      

This U.S. Government Approved Protection Profile is not assigned to any Validated Products

Archived Related Technical Decisions

Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).

Please forward any general questions to our Q&A tool.

Site Map              Contact Us              Home