About Us

Current Announcements

New Assurance Maintenance Policies & Updated Publication #5

To remain compliant with current NIAP practices and to answer customer questions regarding Assurance Maintenance, NIAP has posted Policy Letter #21, "NIAP Evaluated Product Assurance Maintenance - Products with Evaluation Assurance Level (EAL) Claims", and Policy Letter #22, "NIAP Evaluated Product Assurance Maintenance - Protection Profile Compliant Products". Both Policy Letters set out the guidelines for products with EAL and PP conformance claims, and both are effective immediately.

Policy Letters #21 and #22 can be found under "Current Policy Letters": https://www.niap-ccevs.org/Documents_and_Guidance/policy.cfm

In addition, NIAP Publication #5, "Common Criteria Evaluation and Validation Scheme - Guidance to Sponsors, Version 3.0", has been updated to reflect the current practices and roles of the Sponsor.

Publication #5 can be found here: https://www.niap-ccevs.org/Documents_and_Guidance/guidance_docs.cfm

OpenSSL TLS/DTLS Heartbeat Extension Vulnerability (CVE-2014-0160)

We strongly encourage vendors to implement mitigations in their evaluated products to address this vulnerability. End users should apply vendor-delivered patches to their systems as soon as possible. Once the mitigation is in place, the vendor should analyze the updates to their product, following NIAP Assurance Maintenance guidance, to determine whether the evaluated functionality has been impacted.

Additional information regarding this vulnerability and mitigation guidance may be found here:  http://www.nsa.gov/ia/mitigation_guidance/index.shtml
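A first check a practitioner can run on a patched or mitigated deployment is whether the server still advertises the TLS Heartbeat extension (RFC 6520, extension type 15) in its ServerHello. The parser below is an added example, not NIAP code or NSA mitigation guidance; the ServerHello records it parses are constructed inline rather than captured from a real server, and the cipher suite and renegotiation_info extension in them are arbitrary sample values. Note the caveat in the docstring: a server that advertises Heartbeat is not necessarily vulnerable, since a patched OpenSSL may still advertise the extension, but a server that does not advertise it cannot reach the heartbeat code path at all.

```python
"""Parse a TLS ServerHello and report whether the peer advertises the
Heartbeat extension (RFC 6520, extension type 15).

Added example, not NIAP code. The records built below are constructed
sample input, not captures. Advertising Heartbeat does not by itself mean
a server is vulnerable to CVE-2014-0160 (a patched OpenSSL can still
advertise it unless heartbeats were compiled out); not advertising it
means the heartbeat code path is unreachable, which is a useful first check.
"""
import struct
from typing import Dict, List, Optional, Tuple

HEARTBEAT_EXT = 15        # RFC 6520 extension type
HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
SERVER_HELLO = 0x02       # handshake message type: server_hello
RENEGOTIATION_INFO = 0xFF01


def build_server_hello(extensions: List[Tuple[int, bytes]],
                       cipher_suite: int = 0xC02F,
                       version: bytes = b"\x03\x03") -> bytes:
    """Construct a ServerHello record (constructed sample input only)."""
    body = version + b"\x00" * 32            # server random (zeroed sample)
    body += b"\x00"                          # empty session_id
    body += struct.pack(">H", cipher_suite)  # selected cipher suite
    body += b"\x00"                          # null compression
    if extensions:
        ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d
                             for t, d in extensions)
        body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD]) + version
            + struct.pack(">H", len(handshake)) + handshake)


def parse_server_hello(record: bytes) -> Dict[str, object]:
    """Return version, cipher suite and a {type: data} map of extensions.

    Every length field is bounds-checked before use so a truncated or
    malicious record raises ValueError instead of reading out of range."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a complete ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello body")
    pos = 0
    version = body[pos:pos + 2]
    pos += 2 + 32                            # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len                       # skip session_id
    if pos + 3 > len(body):
        raise ValueError("truncated after session_id")
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 3                                 # cipher suite + compression
    extensions: Dict[int, bytes] = {}
    if pos < len(body):                      # extensions block is optional
        if pos + 2 > len(body):
            raise ValueError("truncated extensions length")
        ext_total = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end != len(body):
            raise ValueError("extensions length does not match body")
        while pos < end:
            if pos + 4 > end:
                raise ValueError("truncated extension header")
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension data overruns block")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite,
            "extensions": extensions}


def heartbeat_mode(record: bytes) -> Optional[int]:
    """Return the advertised HeartbeatMode (1 = peer_allowed_to_send,
    2 = peer_not_allowed_to_send) or None if Heartbeat is not advertised."""
    ext = parse_server_hello(record)["extensions"].get(HEARTBEAT_EXT)
    if ext is None:
        return None
    if len(ext) != 1 or ext[0] not in (1, 2):
        raise ValueError("malformed heartbeat extension")
    return ext[0]


# Constructed samples: one server advertising Heartbeat, one not.
WITH_HEARTBEAT = build_server_hello([(HEARTBEAT_EXT, b"\x01"),
                                     (RENEGOTIATION_INFO, b"\x00")])
NO_HEARTBEAT = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])

if __name__ == "__main__":
    for name, rec in (("with heartbeat", WITH_HEARTBEAT),
                      ("without heartbeat", NO_HEARTBEAT)):
        print(name, "->", heartbeat_mode(rec))
```

To use this against a live host, send a ClientHello that itself offers the Heartbeat extension and feed the first handshake record of the reply to `heartbeat_mode`; a server only echoes the extension when the client offered it.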

NIAP Technical Decisions

To continue our effort to ensure consistency across all evaluations, NIAP and the Technical Rapid Response Teams (TRRT) are now publicly displaying non-proprietary Technical Decisions (TD). Much like the previous Observation Decisions, Technical Decisions are applicable across all evaluations. NIAP is in the process of populating this database with previously submitted TRRT questions. For more information please see the following page: https://www.niap-ccevs.org/Documents_and_Guidance/view_tds.cfm

Application Software Technical Community

The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) is inviting industry, government, end users, academic institutions, and labs with relevant technology expertise and research focus to participate in the Application Software Technical Community. This community will discuss requirements for mobile apps as well as applications that run on desktop or server platforms. The kick-off telecon for this TC is scheduled for 11 April 2014 from 1300 - 1400 EST.

If you are interested in joining this community and participating in the telecon, contact NIAP/CCEVS at TC_APP_Staff@niap-ccevs.org

Please provide the following information in the email:

  • Name
  • Affiliation (Vendor/CCTL/Academic Institution/Scheme/Other)
  • Address
  • Telephone number
  • Email address
  • A brief statement of the qualifications/interest for participation

Web Browser and Email Client PPs

The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) is pleased to announce the completion of the Web Browser and Email Client Protection Profiles. The PPs can be found here: https://www.niap-ccevs.org/pp/

NIAP Publication and Policy Updates

In an effort to align policy with process, NIAP is currently updating all available documentation, including Publications, Policies, and Guidance Documents. The first of these revisions is Publication #1 - Organization, Management and Concept of Operations, which has been uploaded to the publications page.

MDM PP Annex Published

The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) and DISA Field Security Operations (FSO) are pleased to announce the publication of the DoD Annex to the NIAP Mobile Device Management Protection Profile (MDMPP). This document, created through DISA/NIAP collaboration, addresses the DoD-specific requirements for the NIST SP 800-53 controls identified in the MDMPP. As a result, the Annex in conjunction with the PP serves as a single specification, within the DoD, for the security of Mobile Device Management Systems and supersedes the current DISA MDM SRG version 1, release 1. The publication of the Annex does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor's product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available.

Revision of NIAP Policy #18

NIAP has revised Policy #18, which establishes time limits on NIAP evaluations. The announcement can be found here. Please review the policy and direct any questions to NIAP.

MDF PP Version 1, Release 1 Published

NIAP has published the Mobile Device Fundamentals Protection Profile, Version 1, Release 1. This revision includes typographical corrections and additional clarifications within the application notes. It also removes the assignment from FCS_TLS_EXT.1 and limits testing to the ciphersuites listed in both FCS_TLS_EXT.1 and FCS_TLS_EXT.2.

As always, technical questions can be directed to the mobility TRRT (trrt-md@niap-ccevs.org).

MDFPP Annex Published

The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) and DISA Field Security Operations (FSO) are pleased to announce the publication of the DoD Annex to the NIAP Mobile Device Fundamentals Protection Profile (MDFPP). This document, created through DISA/NIAP collaboration, addresses the DoD-specific requirements for the NIST SP 800-53 controls identified in the MDFPP. As a result, the Annex in conjunction with the PP serves as a single specification, within the DoD, for the security of Mobile Devices and supersedes the current DISA MOS SRG version 1, release 3. The publication of the Annex does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor's product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available.

March 2014
Joint Statement of Support

As indicated in the Joint Statement of Support below, NIAP, in conjunction with the Common Criteria schemes from Australia, Canada, and the UK, has posted position statements regarding Common Criteria evaluation in three technology areas: General Purpose Operating Systems (GPOS), Database Management Systems (DBMS), and Enterprise Security Management (ESM). The statements may be found here.

February 2014
Joint Statement of Support

The Common Criteria Recognition Arrangement Participants listed below, greatly encouraged by the 'agreement in principle' reached by the CC Management Committee in respect of the updated CCRA, and by the associated work of the CC Development Board editing group in producing the draft process for the creation of collaborative Protection Profiles (cPPs), have been considering how best to support the demand for progress on cPPs.

We have, as a first step, agreed to provide draft 'endorsement statements' for the following 'new style' national PPs most of which have been developed in a joint manner. We expect to be able to publish broadly similar formal endorsement statements as soon as the corresponding cPPs are produced.

  1. Software Full Disk Encryption (U.S. Government Approved Protection Profile - Protection Profile for Software Full Disk Encryption Version 1.0)
  2. Firewall Extended Package (U.S. Government Approved Protection Profile - Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall Version 1.0)
  3. Network Devices (U.S. Government Approved Protection Profile - Protection Profile for Network Devices Version 1.1)
  4. Mobile Devices Fundamentals (U.S. Government Approved Protection Profile - Protection Profile for Mobile Devices Version 1.0)
  5. Mobile Device Management (U.S. Government Approved Protection Profile - Protection Profile for Mobile Device Management Systems Version 1.0)
  6. Virtual Private Network Client  (U.S. Government Approved Protection Profile - Protection Profile for IPsec Virtual Private Network (VPN) Clients Version 1.4)
  7. Virtual Private Network Gateway - Extended Package (U.S. Government Approved Protection Profile - Network Device Protection Profile (NDPP) Extended Package VPN Gateway Version 1.1)

Next Steps:

We will then work, together with any other interested CCRA participants, to take the first three technologies through the iTC/cPP process as it develops. The three were selected after a technical assessment of their level of complexity, priority, and match to available resources.

In parallel we will continue our ongoing support to the USB cPP development.

Our primary aims are to:

  1. indicate our strong support for detailed, repeatable, achievable, transparent cPPs
  2. produce a set of four cPPs (and associated supporting documents) as quickly as possible (expecting these to be completed before ICCC 2014)
  3. help assess and characterise the cPP process using well-understood start points
  4. create strong international Technical Communities in key areas to continue the development and maintenance of the cPPs etc.

Once these have been successfully produced, and lessons have been learned about the process, we will then apply our resources to other iTCs and cPPs. Of course, other participants may in the interim use the developing or completed iTC process for other technologies, but resource constraints dictate that we are unlikely to participate beyond providing our position statements for these.

Other Technologies:

To provide the clarity and transparency sought by industry regarding national cPP requirements, there are three technology areas where we are reassessing whether or how to evaluate products using the Common Criteria. These technology areas are General Purpose Operating Systems (GPOS), Database Management Systems (DBMS) and Enterprise Security Management (ESM). More information regarding our use of Common Criteria to evaluate these technologies will be forthcoming.

Additionally, given the complexity of Hardware Security Modules (HSM) and Virtualisation, we are not yet clear on the best way to evaluate these technologies. These technologies require community discussion about the feasibility of evaluations using the Common Criteria.

Overall Aims:

We also believe it would be useful to publicly state our shared aims for the Common Criteria, and for the changes we are jointly advocating within it. These are:

  • To see CC used within our nations to ensure that commercial enterprise security products represent a commercial good practice level of security.
  • To see iTCs raise the security bar in the standards they produce towards a goal of secure-by-default products suitable for emerging threats.
  • We will not try to differentiate products within Common Criteria – we are simply saying they are ‘good enough’, that is, appropriate to mitigate the likely threats they will face.
  • Our standards are minimal, both in scope and content. We will describe what good looks like for enterprise security products in simple and straightforward language.
  • We will be clear about those security technologies we see value in, and those which we don’t.
  • We will be honest and open about why we are, and aren’t, doing things – which will be repeatable, testable, comparable, and achievable.
  • The standards we help write and endorse will describe the totality of what will be assessed, and the totality of the level of assurance that we believe can be achieved.
  • We believe that CC must be accessible to all product developers – both large and small. We work to ensure that even the smallest companies around the world are able to participate in this market.
  • We need it to be easy for people procuring, deploying and using certified products to understand what was and what was not evaluated, the expected validity period, and how to effectively ensure the enduring security of their systems using them. These people should not need to be CC specialists to accurately understand the value of a particular certificate.
  • We aim to clearly explain to users how to use products in the evaluated configuration; as an aspiration, the evaluated configuration should be the out-of-the-box configuration. Evaluated configurations need to match real-world use-cases.
  • We will also raise awareness amongst vendors and users that certificates are not absolution from vulnerability – assured products must be used as part of an overall security ecosystem and architecture.
  • We will work collaboratively with CCRA participants and industry to achieve these aims as quickly as possible.

Statement Supported by The Following Common Criteria Schemes:

  • Australia
  • Canada
  • UK
  • US