FAQS



SPONSORSHIP


How do I know if a product is on the Approved Product List (APL) or has been removed?
Products approved for use on the DoD networks are available at https://aplits.disa.mil/processAPList.do/. A list of removed products can be viewed on the Approved Products List Removal page.

Can I purchase a product that has been removed from APL?
No. Only products currently on the APL can be purchased IAW DoDI 8100.3, DoDI 8100.04. Products that have been removed from the APL are eligible for obtaining an Authority to Connect (ATC).

Can I connect to the DSN prior to receiving approval to connect (ATC)?
No. You must receive approval from the DSN Unified Capabilities Connection Office prior to connecting to the DSN. You need to request connection approval by filling out the JIC submittal form.

Who can sponsor a product for testing?
The requirement for a sponsor was established for the first time in the DoDI 8100.3. With the signing of the DoDI, it became a violation of Department of Defense Policy for either Interoperability or Information Assurance testing to occur without the product having a government sponsor. The current instruction, DoDI 8100.04, supports this requirement as well.

If my product is already Interoperability certified, do I need a sponsor for Information Assurance Testing?
Yes. Even if a product is currently Interoperability certified, effective on Jan. 16, 2004 with the signing of the DoDI 8100.3, any testing performed requires a test sponsor.

What role does the sponsor play in the testing process?
The sponsor will be responsible for working with a vendor to get the test submittal application completed and submitted to the UCCO. The sponsor will also be involved in the testing process as far as being notified of any problems that occur during testing. In the case of a negative test report, it is the sponsor's decision whether or not an appeal is made up to the Military Communications-Electronics Board (MCEB) if the case is for Interoperability, or to the DISN Designated Approving Authority (DAA) in the case of Information Assurance.

Why do I need a sponsor for my product to be tested?
The requirement for a sponsor was established for the first time in the DoDI 8100.3. With the signing of the DoDI, it became a violation of Department of Defense Policy for either Interoperability or Information Assurance testing to occur without the product having a government sponsor.

STIG COMPLIANCE


How do I know what STIGs to apply to my products?
It is up to the vendor to work with the sponsor to examine all components of the solution desired to be tested, and compare against the list of available STIGs to see which apply and which do not. It is strongly advised that any applicable STIGs that are available for any components of your solution be applied prior to applying for testing. Non-compliance with available STIGs will result in increased vulnerabilities discovered and reported at the end of testing.

Where can I get the latest STIGs from?
The latest STIGs are available at http://iase.disa.mil/stigs/Pages/index.aspx.

What STIGs have SRR scripts?
SRR scripts are available for all operating systems that have STIGs. All databases that have STIGs also have SRR scripts. There is an SRR available for web servers using IIS as well.

What if applying every item of the STIG breaks my product?
If certain items within a STIG render a device inoperable, try to pinpoint exactly which item of the STIG is causing the problem. You then have two choices: you can either try to make changes to your product so that it will work with that item in the STIG, or you can document a mitigation procedure for that item and submit it to the IA test team with your product prior to testing. In the case of the latter, the vulnerability and mitigation will be reflected in the final report of the product.

AUXILIARY COMPONENTS


What is an auxiliary component?
Some larger solutions submitted for testing rely on sub-devices to operate properly. For example, a VoIP solution submitted may require a network management server, firewall, etc., to be operational in a secure manner to complete certification. Any additional devices outside of the main solution need to be described in the auxiliary components section.

What if I have more than one auxiliary component?
If there are multiple auxiliary components, please list the specifications for the additional ones in the General Information Section in box 9 d, Technical Specifications.

COMMON CRITERIA CERTIFICATION


What is common criteria certification?
Common criteria certification is a standard that came into effect on July 1, 2002 with the passing of the NSTISSP #11. It mandated that departments and agencies within the Executive Branch, for use on National Security Systems, only acquire IA and IA-enabled information technology products that are certified as meeting common criteria security standards. In an effort not to repeat testing, for device types for which common criteria certified devices exist, such as firewalls and operating systems, we prefer that common criteria certified devices be used. It is strongly recommended that a solution use common criteria certified components when they are available. For more information, go to http://iase.disa.mil/common/Pages/index.aspx.

How do I know if a product is common criteria certified?
For the list of common criteria certified products, go to http://www.commoncriteriaportal.org/products.html. For a list of products currently undergoing testing for common criteria certification, go to http://www.niap-ccevs.org/cc-scheme/in_evaluation/.

FIPS


What is FIPS?
FIPS stands for Federal Information Processing Standard. FIPS are the standards and guidelines for information processing developed by NIST and approved by the Secretary of Commerce as requirements for the federal government for information assurance and interoperability. For more information on FIPS please refer to http://www.itl.nist.gov/fipspubs/index.htm.

What does FIPS have to do with the testing of my product?
If your product performs any type of encryption of data, it is required that the encryption method being used meet FIPS standards for both information assurance and interoperability testing. For more information on FIPS, go to http://www.itl.nist.gov/fipspubs/by-num.htm.