Policy Clarification (21 October 2009)

  • From the Director, NIAP


    On 16 March 2009, the NIAP Program Office announced a new strategy for the Common Criteria Evaluation and Validation Scheme (CCEVS). Below is the clarification of the policies being implemented as of 1 October 2009.

    Existing approved Protection Profiles will remain in place until superseded by new Standard Protection Profiles. The NIAP Program Office will work with the Committee for National Security Systems (CNSS) community to require evaluations against the new profiles.

    Beginning 1 October 2009, for products that vendors want evaluated by a NIAP Common Criteria Testing Lab, either at a higher EAL than a U.S. approved Protection Profile or when no U.S. approved Protection Profile exists, vendors will need to submit documentation explicitly stating the requirement from a government agency (U.S. government, NATO, or foreign government covered by the Common Criteria Mutual Recognition Agreement). The intent is to have the opportunity to ask the government agency not to require the evaluation at an inappropriate EAL or without a Protection Profile (see CCEVS Policy Letter #12, dated 1 October 2009).

    The two cases will be addressed as follows:

    1. When an approved Protection Profile exists and the government agency requires an evaluation at a higher EAL than specified in the profile, the vendor may submit a Security Target at the higher EAL if all requirements of the approved Protection Profile are met as a subset of the Security Target. If the evaluation is successful, the product will be listed on NIAP's Validated Products List, but with no reference to the EAL.
    2. When an approved Protection Profile does not exist and a government agency requires a Common Criteria evaluation, a vendor may submit a Security Target for evaluation at the EAL required by the government agency. (If no EAL level is prescribed, the Security Target must be EAL1.) NIAP will not list these products on its Validated Products List. These products will still be listed on the Certified Product List located on the Common Criteria Portal.
