NIAP: Archived U.S. Government Approved Protection Profile - Protection Profile for Mobile Device Fundamentals Version 2.0

Short Name: pp_md_v2.0

Technology Type: Mobility

CC Version: 3.1

Date: 17 September 2014

Transition End Date: 17 March 2015

Preceded By: pp_md_v1.1

Succeeded By: pp_md_v3.0

Sunset Date: 10 December 2016

Conformance Claim: None



This assurance standard specifies information security requirements for Mobile Devices for use in an enterprise. A Mobile Device in the context of this assurance standard is a device which is composed of a hardware platform and its system software. The device typically provides wireless connectivity and may include software for functions like secure messaging, email, web, VPN connection, and VoIP (Voice over IP), for access to the protected enterprise network, enterprise data and applications, and for communicating to other Mobile Devices.

Examples of a “Mobile Device” that should claim conformance to this Protection Profile include smartphones, tablet computers, and other Mobile Devices with similar capabilities.

The Mobile Device provides essential services, such as cryptographic services, data-at-rest protection, and key storage services to support the secure operation of applications on the device. Additional security features such as security policy enforcement, application mandatory access control, anti-exploitation features, user authentication, and software integrity protection are implemented in order to address threats.

This assurance standard describes these essential security services provided by the Mobile Device and serves as a foundation for a secure mobile architecture. As illustrated in Figure 2, it is expected that a typical deployment would also include either third-party or bundled components. Whether these components are bundled as part of the Mobile Device by the manufacturer or developed by a third party, they must be separately validated against the related assurance standards such as the Protection Profile for Mobile Device Management Systems, Protection Profile for IPsec VPN Clients, and Protection Profile for VoIP Applications. It is the responsibility of the architect of the overall secure mobile architecture to ensure validation of these components. Additional applications that may come pre-installed on the Mobile Device and that are not validated are considered to be potentially flawed, but not malicious. Examples include a VoIP client, an email client, and a web browser.

Assigned to the following Validated Products

Related Technical Decisions

  • 0120 – FMT_SMF_EXT.1, Functions 2 & 5, Users and/or Administrators Configuration
  • 0118 – FAU_GEN.1 Application of Audit Requirements Update
  • 0107 – FCS_CKM - ANSI X9.31-1998, Section 4.1 for Cryptographic Key Generation
  • 0103 – Access Control Policy Prohibiting Apps Write/Exe Permissions
  • 0091 – Modification of High-Security Use Case in MDF PP v2.0
  • 0079 – RBG Cryptographic Transitions per NIST SP 800-131A Revision 1
  • 0064 – Whitelisting SSIDs (FMT_SMF_EXT.1, function 6) in MDF PP v2.0
  • 0060 – FDP_IFC_EXT.1 & FMT_SMF_EXT.1 Function 3
  • 0059 – FCS_SRV_EXT.1 & CAVS
  • 0058 – MDFPP v2.0 FMT_SMF_EXT.1, function 15
  • 0057 – Update to TD0047 for Non Wear Leveled Flash Memory
  • 0048 – Curve25519 Implementations in FDP_DAR_EXT.2.2 Requirement
  • 0047 – MDFPP v2.0 FCS_CKM_EXT.4 Update
  • 0044 – Update to FMT_SMF_EXT.1
  • 0038 – Asymmetric KEKs (including the REK) in MDFPP v1.1 and v2.0
  • 0034 – Revision of Test 5 in FCS_TLSC_EXT.1.1 & EXT.2.1 reqs in MDF PP V2.0, MDM PP V2.0, MDM Agent PP V2.0
  • 0030 – Separation of FIA_BLT_EXT.2 Elements
  • 0028 – MDFPP v2.0 FCS_CKM_EXT.4 Memory Clear and Read-verify
  • 0023 – Update to FCS_CKM_EXT.4 in MDF PP v1.1
