NIAP CCEVS Announcements

  • October 1, 2008 - For FY09, the NIAP CCEVS office will maintain the existing FY08 policy to continue accepting US Government PP or EAL 4 compliant products into evaluation.
  • September 8, 2008 - All of our Scheme Publications and Policy Letters were reviewed and revised where necessary. The publications had major revisions and therefore should be read in their entirety.
  • March 27, 2008 - The Validation Oversight Review (VOR) Evaluators and Validators Guide 2.0 outlining the Official VOR Process has been posted.
  • September 2007 - Beginning 1 October 2007, for FY08, the NIAP CCEVS office will begin accepting US Government PP compliant (basic, medium or high) and EAL 4 or above products in support of National Security customers. Product submissions meeting the above criteria will be queued and validation resources allocated as they become available. Detailed letters of interest identifying DoD or IC customers will continue to be required.

    CCEVS will continue to provide updates on the status of the program via the NIAP CCEVS website. Please direct questions to us at (410) 854-4458.

Fee-for-Service comments on Regulations.gov


  • Click this link for the Docket Detail page
  • Click the icons under Views for the corresponding view of each document
Validated Products image

Available products to
assist in making a more
secure infrastructure

 Validating IA and IA-Enabled Products image

Boosting consumer confidence
through evaluation and testing
of vendor products

 Communities of Interest image

Policy that influences
our adherence to the
Common Criteria
Validated Products List
Archived Validated Products List
Products in Evaluation
Validated Protection Profiles
PPs in Development 		Getting a Product Evaluated
Finding a CCTL
Getting a CCTL Accredited 		DOD Directive #8500.01E
DOD Directive #8500.1
DOD Instruction #8500.2
NSTISSP No. 11, Revised FAQs (March 2005)
NSTISSP No. 11, Revised Fact Sheet (July 2003)
NSTISSP No. 11 Fact Sheet (Jan 2000)
NIST Spec Pub 800-23
NSD 42
NSTISSAM Compusec/1-99
USAF CIO Memorandum
Pres. Decision Directive 63
CNSS Directive No. 502
IATF Release 3.1 - Chapter 03
IATF Release 3.1 - Appendix H
IATF Release 3.1 - Appendix J

For a comprehensive listing of other
IA-related docs, Click Here


Mutual Recognition Statement

Since the Common Criteria Portal is successfully up and running and in order to harmonize with other CC Schemes, the NIAP Staff is no longer posting certified products by other certificate-producing nations. The U.S. recognizes products that have been evaluated under the sponsorship of other signatories and in accordance with the International Common Criteria for Information Technology Security Evaluation Recognition Arrangement (CCRA) for EALs 1-4 only.

For a complete listing of products which have received Common Criteria certifications outside the U.S. please visit the Common Criteria Portal.

 

Common Criteria Version 3.1 Update

The below information does not supersede the new FY08 evaluation acceptance constraints.

The Common Criteria Version 3.1 Revision 2 was published on September 2007. The criteria and methodology, is available on the Common Criteria Portal and the NIAP web site.

All Common Criteria Mutual Recognition Arrangement Schemes agreed to mutually recognize the use of Version 3.1. All CC Schemes are now using CC Version 3.1. No further interpretations against CC Version 2 will be performed.

For the U.S. Common Criteria Evaluation and Validation Scheme (CCEVS) the following schedule shall be used for CC Version 3.1 evaluations:

For TOE/ST Evaluations with no PP Compliance Claims:

  • All new TOE/ST evaluations shall use Version 3.1

For CC Evaluations with PP Compliance Claims:

  • A TOE/ST must claim compliance to a Version 3.1 PP, if no version 3.1 PP exists, a TOE/ST may only claim compliance to a Version 2.x PP with the approval of the NIAP/CCEVS Director.

For PP Developments and Evaluations:

  • All new PP evaluations shall use CC Version 3.1 as the evaluation standard.

For Assurance Maintenance:

Assurance Maintenance of Evaluations with NO PP Compliance Claims:

  • Assurance maintenance activities against Version 2.x evaluations may continue until 30 September 2009, after which a new evaluation using Version 3.1 must be performed

Assurance Maintenance of Evaluations with PP Compliance Claims:

  • Assurance maintenance activities against an evaluation claiming conformance to a Version 2.x PP may continue until 30 September 2009.