NIAP: U.S. Government Approved Protection Profile - PP-Module for MACsec Ethernet Encryption Version 1.0

NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems

NIAP

»»

Protection Profiles

»»

Approved PPs

»»

Details

U.S. Government Approved Protection Profile - PP-Module for MACsec Ethernet Encryption Version 1.0

Short Name: mod_macsec_v1.0

Technology Type: Network Encryption

CC Version: 3.1

Date: 2023.03.02

Transition End Date: 2023.09.02

Preceded By: pp_ndcpp_macsec_ep_v1.2

Conformance Claim: None

Protection Profile

Protection Profile [PDF]

Supporting Docs [PDF]

Supporting Docs

PP Configuration NDcPP-MACsec_v1.0 [PDF]

Control Mapping [PDF]

PP Configuration for CFG_NDcPP-FW-MACsec-VPNGW_v1.0 [PDF]

PP Configuration NDcPP-MACsec-VPNGW_v1.0 [PDF]

PP Configuration Document for NDcPP-FW-MACsec-VPNGW_v1.1 [PDF]

PP Configuration Document NDcPP-MACsec-VPNGW_v1.3 [PDF]

PP OVERVIEW

This PP-Module describes security requirements for a network device that implements Media Access Control Security (MACsec) encryption to secure communications over a trusted channel and is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats. However, this PP-Module is not complete in itself, but rather extends the Security Requirements for Network Devices collaborative Protection Profile (NDcPP).

This PP-Module specifically addresses MACsec, which allows authorized systems using Ethernet Transport to maintain confidentiality of transmitted data and to take measures against frames that are transmitted or modified by unauthorized devices. MACsec protects communication between trusted components of the network infrastructure, thus protecting the network operation. It facilitates maintenance of correct network connectivity and services as well as isolation of denial of service attacks.

The hardware, firmware, and software of the MACsec device define the physical boundary. All of the security functionality is contained and executed within the physical boundary of the device. For example, given a computer with an Ethernet card, the whole computer is considered to be within the boundary.

Since this PP-Module builds on the NDcPP, conformant TOEs are obligated to implement the functionality required in the NDcPP along with the additional functionality defined in this PP-Module in response to the threat environment discussed later in this document.

Assigned to the following Validated Products

VID11422 – Aruba, a Hewlett Packard Enterprise Company 6300M and 8360v2 Switch Series MACsec

Active Related Technical Decisions

0826 – Aligning MOD_MACSEC_V1.0 with CPP_ND_V3.0E
- References: Section 1.1, MOD_MACSEC_V1.0-SD
0817 – MACsec Data Delay Protection, Key Agreement, and Conditional Support for Group CAK
- References: FCS_MKA_EXT.1.4, FCS_MKA.1.7, FPT_DDP_EXT.1, MOD_MACSEC_V1.0-SD
0816 – Clarity for MACsec Self Test Failure Response
- References: FPT_FLS.1, MOD_MACSEC_V1.0-SD
0748 – Correction to FMT_SMF.1/MACSEC Test 21
- References: FMT_SMF.1/MACSEC
0746 – Correction to FPT_RPL.1 Test 25
- References: FPT_RPL.1, MOD_MACSEC_V1.0-SD
0728 – Corrections to MACSec PP-Module SD
- References: FCS_COP.1/MACSEC, FPT_RPL_EXT.1

Archived Related Technical Decisions

Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).

Please forward any general questions to our Q&A tool.

Site Map Contact Us Home