NIAP: Archived U.S. Government Approved Protection Profile - Certificate Issuing and Management Components Security Level 3 Protect...

NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
Questions?  We're here to help
  NIAP  »»  Protection Profiles  »»  Archived PPs  »»  Details  
Archived U.S. Government Approved Protection Profile - Certificate Issuing and Management Components Security Level 3 Protection Profile Version 1.0

Short Name: pp_cimc_sl3_v1.0

Technology Type: Certificate Authority

CC Version: 2.x

Date: 2001.10.31

Sunset Date: 2008.03.21 [Sunset Icon]

Conformance Claim: EAL3 Augmented

Protection Profile [PDF]



Herewith a brief summary, sufficiently detailed to enable a potential user to determine whether the PP is of interest.

Certificate Issuing and Management Components (CIMCs) may consist of one of more devices that are responsible for the issuance, revocation, and overall management of certificates and certificate status information. The CIMC PPs in this document define the minimum-security requirements for CIMCs for use in a variety of environments. These environments are summarized below and are described in detail in Section 2. The requirements for FIPS 140-1 validated cryptographic modules and specific FIPS 140-1 levels are based on the level of risk and specific threats identified for each CIMC PP. The FIPS 140-1 requirements are intended to provide additional assurance.


The security and assurance requirements specified at Security Level 3 are intended for environments where the risks and consequences of data disclosure and loss of data integrity are moderate. Level 3 requires additional integrity controls to ensure data is not modified. A CIMC meeting Security Level 3 includes mechanisms to protect against attacks by parties with physical access to the components and includes additional assurance requirements to ensure the CIMC is functioning securely. The EAL for Security Level 3 is EAL 3 augmented.


Because a PP is written to be implementation-independent, there may be some ambiguities that do not arise until a specific implementation is being evaluated against it. When this happens, a resolution is established through the Observation Decision (OD) process in the form of a Precedent Decision (PD), which is to be used consistently in subsequent evaluations involving the PP in question. The Precedent Decisions specifically associated with this PP are listed below:

This U.S. Government Approved Protection Profile is not assigned to any Validated Products

This U.S. Government Approved Protection Profile does not have any related Technical Decisions

Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).

Please forward any general questions to our Q&A tool.

Site Map              Contact Us              Home