New NIAP CCEVS Strategy for FY10

  • March 16, 2009 - Based on the results of evaluations against the Basic and Medium Robustness Protection Profiles and comments from vendors and our customers, NIAP has determined that the current U.S. Protection Profile Robustness model needs to be revised. The model assumed that the same assurance levels could be achieved for every technology. Also, the implementation did not create the necessary test plans and documentation needed to achieve consistent results across different products evaluated in different labs.
  • The security requirements for many technologies are the same for many sectors of Government and industry. For each technology, NSA is creating a Standard Protection Profile, which will replace any corresponding U.S. Government Protection Profile. We will work with industry, our customers, and the Common Criteria community to create these Protection Profiles. The first generation of these Protection Profiles will take into account the current assurance that is achievable for a technology and the Evaluated Assurance Level (EAL) will be set based on the availability of the documentation, test plans, and tools needed to obtain consistent and comparable results.
  • Future increases in the Evaluated Assurance Level (EAL) of each Protection Profile will require more refinement of the assurance criteria, more detailed test plans, and greater disclosure of evaluator evidence, testing performed, and vulnerabilities found. NIAP will work with the Common Criteria community to ensure that Common Criteria 4.0 supports these requirements.
  • All evaluated products will maintain their certification and remain on the NIAP CCEVS Validated Products List (VPL). All ongoing evaluations will continue to completion and receive their certification and VPL listing based on their original entry criteria. Over the next few months, the existing U.S. Government Basic Robustness Protection Profiles will be updated to reflect more current functional requirements. Beginning 1 October 2009, NIAP will only accept products into evaluation that comply with either the updated U.S. Government Basic Robustness Protection Profile or with the corresponding new Standard Protection Profile. As each new Standard Protection Profile is published, the old corresponding U.S. Government Protection Profile will be given a 1-year expiration date.
  • When no validated U.S. Government Protection Profile exists and FIPS validation is not appropriate, NSTISSP #11 currently requires that COTS IA and IA-enabled IT products be Common Criteria evaluated. Consequently, many products are evaluated against a vendor-provided Security Target without any reference to government needs in a validated Protection Profile. NSA and NIAP will pursue revisions to existing U.S. Government policies to only require a Common Criteria evaluated product if a validated U.S. Government Protection Profile exists for that technology.
  • CCEVS will continue to provide updates on the status of the program via the NIAP CCEVS website. Please direct questions to us at scheme-comments@niap-ccevs.org or (410) 854-4458.

FY09 Acceptance Policy

  • October 1, 2008 - For FY09, the NIAP CCEVS office will maintain the existing FY08 policy to continue accepting U.S. Government PP-compliant or EAL 4-compliant products into evaluation.
The National Information Assurance Partnership (NIAP) is a U.S. Government initiative originated to meet the security testing needs of both information technology (IT) consumers and producers and is operated by the National Security Agency (NSA).

Goal of the Partnership

The long-term goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and validation programs. In meeting this goal, NIAP seeks to:

  • Promote the development and use of evaluated IT products and systems;
  • Champion the development and use of national and international standards for IT security;
  • Foster research and development in IT security requirements definition, test methods, tools, techniques, and assurance metrics;
  • Support a framework for international recognition and acceptance of IT security testing and evaluation results; and
  • Facilitate the development and growth of a commercial security testing industry within the U.S.