NIAP: U.S. Government Approved Protection Profile - PP-Module for SSL/TLS Inspection Proxy Version 1.1


Short Name: mod_stip_v1.1

Technology Type: Traffic Monitoring

CC Version: 3.1

Date: 2022.11.17

Transition End Date: 2023.05.15

Preceded By: mod_stip_v1.0

Conformance Claim: None

Protection Profile [PDF]

Supporting Docs [PDF]

PP Configuration for ND-STIP_V1.1 [PDF]

Control Mapping [PDF]

PP Configuration Document for NDcPP-STIP_v2.0 [PDF]



This PP-Module is intended to specify the functionality of a network device that includes limited Certification Authority (CA) functionality to issue certificates for the purpose of providing network security services on the underlying plaintext. The device accomplishes this by terminating an intended TLS session between a monitored client and specified external servers. In its place, the device establishes a TLS session thread consisting of two sessions: a TLS session between the device and the external server, and a second TLS session between the device, acting as the external server, and the client. By replacing the end-to-end TLS session with two TLS sessions terminated at the Target of Evaluation (TOE), the device is able to provide additional security services based on the decrypted plaintext.

A network device meeting this PP-Module may perform additional security services on the plaintext, provide the decrypted payload to external network devices to perform the security services, or do both. These additional security services, whether processed internally or externally, may be performed inline or passively. If multiple security services are provided, some may be performed inline while others are performed passively. This PP-Module does not cover the specific requirements associated with various additional services.

Assigned to the following Validated Products

Active Related Technical Decisions

Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).

Please forward any general questions to our Q&A tool.
