Announcements
NIAP CCEVS Announcements and Updates
Policy Clarification (Updated 04 June 2010)
On 16 March 2009, the NIAP Program Office announced a new strategy for the Common Criteria Evaluation and Validation Scheme (CCEVS).
Below is a clarification to the policy that will be followed as of 04 June 2010.
NIAP will only accept into evaluation:
- Products claiming compliance with a U.S. approved Protection Profile (with an EAL no higher than that specified in the profile), or
- When a U.S. approved Protection Profile does not exist and a government agency requests a Common Criteria evaluation, NIAP will
consider accepting a product into evaluation at EAL2 only. Validator resource availability and customer need (as specified in the LOI)
will serve as the basis for acceptance.
All product evaluations must complete within 12 months from the evaluation kick-off.
Protection Profile Updates (2 June 2010)
Click here for the latest Protection Profile status.
11th International Common Criteria Conference (27 April 2010)
CCTL Applications Are Open (08 April 2010)
NVLAP U.S. Common Criteria Testing Laboratories (CCTL) Applications are Open
Due to many factors, for the last several years the NIAP program did not consider new applications to become active CCTLs.
NIAP is again accepting applications for CCTL accreditation. If your organization wishes to become a CCTL, please send a letter of intent
to pursue accreditation to scheme-comments@niap-ccevs.org.
NIAP Policy Letter Updates
The NIAP Program Office updated the Scheme Policy Letters.
Click here for a summary of the updates.
Click here to view the current Policy letters
NIAP is working with industry consortiums to develop the next evolution of protection profiles. The Protection Profiles for Enterprise
Security Management are currently ready for the development stage. To assist in this process, we ask that you please complete this important
survey on the creation of a new set of Protection Profiles for Enterprise Security Management. You can get to the survey by clicking on the
following link:
http://survey.confirmit.com/wix/p1160037249.aspx.
Please complete the survey by April 30, 2010. It should take you no more than 10 minutes to complete. Should you have any questions
regarding the ESM Working Group or the survey itself, please contact enterprisesecuritymanagement@officeliveusers.com.
Thank You,
Carol Saulsbury Houck
Director NIAP
Other Information
Previous announcements
Questions and Answers on the NIAP’s Evolution (21 October 2009)
Policy Clarification (21 October 2009, Updated 01 April 2010)
On 16 March 2009, the NIAP Program Office announced a new strategy for the Common Criteria Evaluation and Validation Scheme (CCEVS).
Below is the clarification of the policies being implemented as of 1 October 2009.
Existing approved Protection Profiles will remain in place until superseded by new Standard Protection Profiles. The NIAP Program
Office will work with the Committee for National Security Systems (CNSS) community to require evaluations against the new profiles.
Beginning 1 October 2009, for products vendors want evaluated by a NIAP Common Criteria Testing Lab, either at a higher EAL than a
U.S. approved Protection Profile or when no U.S. approved Protection Profile exists, vendors will need to submit documentation
explicitly stating the requirement from a government agency (U.S. government, NATO, or foreign government covered by the Common
Criteria Mutual Recognition Agreement). The intent is to have the opportunity to ask the government agency to not require the
evaluation at an inappropriate EAL or without a Protection Profile (see CCEVS Policy Letter #12, dated 1 October 2009).
The two cases will be addressed as follows (Updated 01 April 2010):
- When an approved Protection Profile exists and the government agency requires an evaluation at a higher EAL than specified in the
profile, the vendor may submit a Security Target at the higher EAL if all requirements of the approved Protection Profile are met
as a subset of the Security Target.
- When an approved Protection Profile does not exist and a government agency requires a Common Criteria evaluation, a vendor may
submit a Security Target for evaluation at EAL2. Any product for which a government customer requires evaluation higher than EAL2 will
be considered on a case-by-case basis.
NIAP CCEVS Evolution for FY10
- March 16, 2009 - Based on the results of evaluations against the Basic and Medium Robustness Protection Profiles and comments from vendors and
our customers, NIAP has determined that the current U.S. Protection Profile Robustness model needs to be revised. The model
assumed that the same assurance levels could be achieved for every technology. Also, the implementation did not create the
necessary test plans and documentation needed to achieve consistent results across different products evaluated in different
labs.
- The security requirements for many technologies are the same for many sectors of Government and industry. For each technology,
NSA is creating a Standard Protection Profile, which will replace any corresponding U.S. Government Protection Profile. We
will work with industry, our customers, and the Common Criteria community to create these Protection Profiles. The first
generation of these Protection Profiles will take into account the current assurance that is achievable for a technology and
the Evaluated Assurance Level (EAL) will be set based on the availability of the documentation, test plans, and tools needed to
obtain consistent and comparable results.
- Future increases in the Evaluated Assurance Level (EAL) of each Protection Profile will require more refinement of the
assurance criteria, more detailed test plans, and greater disclosure of evaluator evidence, testing performed, and
vulnerabilities found. NIAP will work with the Common Criteria community to ensure that Common Criteria 4.0 supports these
requirements.
- All evaluated products will maintain their certification and remain on the NIAP CCEVS Validated Products List (VPL). All
on-going evaluations will continue to completion and receive their certification and VPL listing based on their original entry
criteria. Over the next few months, the existing U.S. Government Basic Robustness Protection Profiles will be updated to
reflect more current functional requirements. Beginning 1 October 2009, NIAP will only accept products into evaluation that
comply with either the updated U.S. Government Basic Robustness Protection Profile or with the corresponding new Standard
Protection Profile. As each new Standard Protection Profile is published, the old corresponding U.S. Government Protection
Profile will be given a 1-year expiration date.
- When no validated U.S. Government Protection Profile exists and FIPS validation is not appropriate, NSTISSP #11 currently
requires that COTS IA and IA enabled IT products be Common Criteria evaluated. Consequently, many products are evaluated
against a vendor provided Security Target without any reference to government needs in a validated Protection Profile. NSA and
NIAP will pursue revisions to existing U.S. Government policies to only require a Common Criteria evaluated product if a
validated U.S. Government Protection Profile exists for that technology.
- CCEVS will continue to provide updates on the status of the program via the NIAP CCEVS website. Please direct questions to us at
scheme-comments@niap-ccevs.org or (410) 854-4458.
FY09 Acceptance Policy
- October 1, 2008 - For FY09, the NIAP CCEVS office will maintain the existing FY08 policy to continue accepting US
Government PP or EAL 4 compliant products into evaluation.
Common Criteria Version 3.1 Update
- The below information does not supersede the new FY08 evaluation acceptance constraints.
- The Common Criteria Version 3.1 Revision 2 was published in September 2007. The criteria and methodology are available on
the Common Criteria Portal and the NIAP web site.
- All Common Criteria Mutual Recognition Arrangement Schemes agreed to mutually recognize the use of Version 3.1. All CC
Schemes are now using CC Version 3.1. No further interpretations against CC Version 2 will be performed.
- For the U.S. Common Criteria Evaluation and Validation Scheme (CCEVS) the following schedule shall be used for CC Version 3.1 evaluations:
- For TOE/ST Evaluations with no PP Compliance Claims:
  - All new TOE/ST evaluations shall use Version 3.1.
- For CC Evaluations with PP Compliance Claims:
  - A TOE/ST must claim compliance to a Version 3.1 PP; if no Version 3.1 PP exists, a TOE/ST may only claim
    compliance to a Version 2.x PP with the approval of the NIAP/CCEVS Director.
- For PP Developments and Evaluations:
  - All new PP evaluations shall use CC Version 3.1 as the evaluation standard.
- For Assurance Maintenance:
  - Assurance Maintenance of Evaluations with NO PP Compliance Claims:
    - Assurance maintenance activities against Version 2.x evaluations may continue until 30 September 2009, after which a new
      evaluation using Version 3.1 must be performed.
  - Assurance Maintenance of Evaluations with PP Compliance Claims:
    - Assurance maintenance activities against an evaluation claiming conformance to a Version 2.x PP may continue until 30
      September 2009.