NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems

Short Name: cpp_nd_v2.1

Technology Type: Network Device

CC Version: 3.1

Date: 2019.03.11

Preceded By: cpp_nd_v2.0e

To Be Succeeded By: cpp_nd_v2.2e

Sunset Date: 2020.09.27

Conformance Claim: None

Protection Profile 

Supporting Docs 

Control Mapping 

PP OVERVIEW

This is a Collaborative Protection Profile (cPP) whose Target of Evaluation (TOE) is a network device. It provides a minimal set of security requirements expected by all network devices that target the mitigation of a set of defined threats. This baseline set of requirements will be built upon by future cPPs to provide an overall set of security solutions for networks up to carrier and enterprise scale. A network device in the context of this cPP is a device composed of both hardware and software that is connected to the network and has an infrastructure role within the network. The TOE may be standalone or distributed, where a distributed TOE is one that requires multiple distinct components to operate as a logical whole in order to fulfil the requirements of this cPP.

Assigned to the following Validated Products

• VID10977 – BlackBerry SecuGATE version 4.0
• VID10978 – Cisco Identity Services Engine (ISE) V2.6
• VID10980 – Palo Alto Networks M-100, M-200, M-500, and M-600 Hardware, and Virtual Appliances all running Panorama 8.1.10
• VID10988 – Junos OS 18.3R1-S1 for MX240, MX480, MX960, MX2010, MX2020, EX9204, EX9208 and EX9214 with MPC7E-10G/Ex9200-40XS
• VID10996 – Apriva MESA VPN
• VID10998 – NetIron Family MLXE and CER devices with Multi-Service Iron Ware R06.3.00aa
• VID10999 – Junos OS 18.3R1-S2 for MX80, MX104, MX240, MX480, and MX960 with MICMACSEC-20G
• VID11009 – MMA10G-IPX Series v3.2
• VID11020 – Pulse Policy Secure v.9.1
• VID11021 – Pulse Connect Secure v9.1
• VID11022 – MAGNUM-HW-C-CC
• VID11025 – Junos OS 19.1R2 for EX2300, EX2300-C and EX3400
• VID11027 – IBM QRadar Security Intelligence Platform, version 7.3.2
• VID11029 – Cisco Catalyst 9600 Series Switches running IOS-XE 16.12
• VID11030 – Cisco Catalyst 9200 Series Switches running IOS-XE 16.12
• VID11031 – Cisco Embedded Services 3300 Series Switches (ESS3300)
• VID11032 – Palo Alto Networks WF-500 with WildFire 8.1.11
• VID11033 – Cisco IR1101 Integrated Services Router
• VID11037 – Junos OS 19.1R2 for MX104 with Multiservices MIC MS-MIC-16G
• VID11038 – Ruckus SmartZone WLAN Controllers and Access Points, R5.1.1.3
• VID11049 – Dell EMC Networking Platforms running Dell EMC Networking OS 9.14
• VID11052 – Aruba Remote Access Point Series with Aruba Mobility Controllers, running AOS 8.2
• Juniper Junos OS 19.2R1 for MX204 AND EX9251
• F5 BIG-IP 14.1.0 for LTM+APM
• Arista Networks Switches EOS 4.22.1FX-CC
• Junos OS 19.2R1 for SRX300, SRX320, SRX340, SRX345, SRX345-DUAL-AC and SRX550M Series
• Junos OS 19.2R1 for SRX1500, SRX4100, SRX4200 and SRX4600 Series
• Cisco ASR 900 Series and NCS4200 Series running IOS-XE 16.9

Active Related Technical Decisions

• 0484 – NIT Technical Decision for Interactive sessions in FTA_SSL_EXT.1 & FTA_SSL.3
• 0483 – NIT Technical Decision for Applicability of FPT_APW_EXT.1
• 0482 – NIT Technical Decision for Identification of usage of cryptographic schemes
• 0481 – NIT Technical Decision for FCS_(D)TLSC_EXT.X.2 IP addresses in reference identifiers
• 0480 – NIT Technical Decision for Granularity of audit events
• 0478 – NIT Technical Decision for Application Notes for FIA_X509_EXT.1 iterations
• 0477 – NIT Technical Decision for Clarifying FPT_TUD_EXT.1 Trusted Update
• 0475 – NIT Technical Decision for Separate traffic consideration for SSH rekey
• 0453 – NIT Technical Decision for Clarify authentication methods SSH clients can use to authenticate SSH se
• 0451 – NIT Technical Decision for ITT Comm UUID Reference Identifier
• 0450 – NIT Technical Decision for RSA-based ciphers and the Server Key Exchange message
• 0447 – NIT Technical Decision for Using 'diffie-hellman-group-exchange-sha256' in FCS_SSHC/S_EXT.1.7
• 0425 – NIT Technical Decision for Cut-and-paste Error for Guidance AA
• 0424 – NIT Technical Decision for NDcPP v2.1 Clarification - FCS_SSHC/S_EXT1.5
• 0423 – NIT Technical Decision for Clarification about application of RfI#201726rev2
• 0412 – NIT Technical Decision for FCS_SSHS_EXT.1.5 SFR and AA discrepancy
• 0411 – NIT Technical Decision for FCS_SSHC_EXT.1.5, Test 1 - Server and client side seem to be confused
• 0410 – NIT technical decision for Redundant assurance activities associated with FAU_GEN.1
• 0409 – NIT decision for Applicability of FIA_AFL.1 to key-based SSH authentication
• 0408 – NIT Technical Decision for local vs. remote administrator accounts
• 0407 – NIT Technical Decision for handling Certification of Cloud Deployments
• 0402 – NIT Technical Decision for RSA-based FCS_CKM.2 Selection
• 0401 – NIT Technical Decision for Reliance on external servers to meet SFRs
• 0400 – NIT Technical Decision for FCS_CKM.2 and elliptic curve-based key establishment
• 0399 – NIT Technical Decision for Manual installation of CRL (FIA_X509_EXT.2)
• 0398 – NIT Technical Decision for FCS_SSH*EXT.1.1 RFCs for AES-CTR
• 0397 – NIT Technical Decision for Fixing AES-CTR Mode Tests
• 0396 – NIT Technical Decision for FCS_TLSC_EXT.1.1, Test 2
• 0395 – NIT Technical Decision for Different Handling of TLS1.1 and TLS1.2

Archived Related Technical Decisions

• 0452 – NIT Technical Decision for FCS_(D)TLSC_EXT.X.2 IP addresses in reference identifiers
• 0449 – NIT Technical Decision for Identification of usage of cryptographic schemes
• 0448 – NIT Technical Decision for Documenting Diffie-Hellman 14 groups