What is NIAP/CCEVS?
The National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial Off-The-Shelf (COTS) Information Technology (IT) products for conformance to the international Common Criteria. This program includes the NIAP-managed Common Criteria Evaluation and Validation Scheme (CCEVS or Scheme), a national program for developing protection profiles, evaluation methodologies, and policies that ensures achievable, repeatable, and testable security requirements.
The CCEVS is a partnership between the public and private sectors to provide COTS IT products that meet consumer needs and to help manufacturers of those products gain acceptance in the global marketplace. Successful evaluations benefit industry product developers/vendors and government procurers by validating that the products meet security requirements for U.S. national security system procurement. Because NIAP is a member of the international 27-nation Common Criteria Recognition Arrangement (CCRA), NIAP-validated products are also available to procurers in the CCRA member nations.
IT security testing is conducted by NIST-accredited and NIAP-approved commercial testing labs. A product vendor chooses an approved lab to complete the product evaluation against a selected applicable protection profile. A protection profile is an implementation-independent set of security requirements for a particular technology that enables achievable, repeatable, and testable evaluation activities for each evaluation.
All products evaluated within the Scheme must demonstrate exact compliance with the applicable technology protection profile. NIAP assesses the results of the security evaluation conducted by the lab and, if the evaluation is successful, issues a validation certificate and lists the product on the U.S. NIAP Product Compliant List and the international CCRA Certified Products List. U.S. customers (designated approving authorities, authorizing officials, integrators, etc.) may treat these mutually recognized evaluation results as complying with the Committee on National Security Systems Policy (CNSSP) 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products, dated June 2013 (https://www.cnss.gov/CNSS/issuances/Policies.cfm).
Timeline and Costs
The entire evaluation process can take as little as 90 days or up to six months. NIAP does not charge for services. IT product vendors/developers contract independently with an approved Common Criteria Testing Laboratory (CCTL) for evaluation services. Vendors are encouraged to shop around for the services that best meet their needs, as the prices vary. Only approved labs are authorized to provide product evaluations under the CCEVS and CCRA scheme. See the list of approved CCTLs.