NIAP: U.S. Government Approved Protection Profile - Extended Package for MACsec Ethernet Encryption Version 1.2

Short Name: pp_ndcpp_macsec_ep_v1.2

Technology Type: Network Encryption

CC Version: 3.1

Date: 10 May 2016

Preceded By: pp_ndcpp_macsec_ep_v1.1

Conformance Claim: None



This Extended Package (EP) describes security requirements for a network device that implements Media Access Control Security (MACsec) encryption to secure communications over a trusted channel and is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats. However, this EP is not complete in itself, but rather extends the Security Requirements for Network Devices collaborative Protection Profile (NDcPP).

This EP specifically addresses MACsec, which allows authorized systems using Ethernet Transport to maintain confidentiality of transmitted data and to take measures against frames that are transmitted or modified by unauthorized devices. MACsec protects communication between trusted components of the network infrastructure, thus protecting the network operation. It facilitates maintenance of correct network connectivity and services as well as isolation of denial of service attacks.

The hardware, firmware, and software of the MACsec device define the physical boundary. All of the security functionality is contained and executed within the physical boundary of the device. For example, given a computer with an Ethernet card, the whole computer is considered to be within the boundary.

Since this EP builds on the NDcPP, conformant TOEs are obligated to implement the functionality required in the NDcPP along with the additional functionality defined in this EP in response to the threat environment discussed later in this document.

Assigned to the following Validated Products

Related Technical Decisions

  • 0273 – Rekey after CAK expiration
  • 0272 – Update to FMT_SMF.1
  • 0190 – FPT_FLS.1(2)/SelfTest Failure with Preservation of Secure State and Modular Network Devices
  • 0135 – SNMP in NDcPP MACsec EP v1.2
  • 0134 – AES Data Encryption/Decryption in NDcPP MACsec EP v1.2
  • 0105 – MACsec Key Agreement

Please forward any questions or comments to

Site Map              Contact Us              Home