The National Information Assurance Partnership (NIAP) is responsible for overseeing and monitoring the security of commercial IT products that can be used in National Security Systems. NIAP certification is a commercial cybersecurity product certification that is mandated by federal procurement requirements (CNSSP 11).
NIAP certification is most applicable to the Department of Defense (DoD), the Intelligence Community, and any DoD contractors or affiliates. Its primary purpose is to certify commercial technology or products which will be used to handle sensitive and classified data.
What is NIAP certification?NIAP certification is a US Government commercial cybersecurity product certification that is mandated by federal procurement requirements and used to validate commercial technologies or products that will be used to handle sensitive and classified data.
The onus for achieving NIAP certification falls to technology vendors that want their products to be able to be used within the DoD community. Government agencies that are required to have NIAP certified products will simply need to ensure that the technology they choose for their solutions is NIAP certified.
As a DoD agency or contractor, selecting technology components that are on the Defense Information Systems Agency (DISA) Unified Capabilities Approved Products List (DoD UC-APL) or the NIAP Product Compliant List is the best way to ensure your final solution is given authority to operate.
While government agencies are the primary users of NIAP certified technology, NIAP certification is also applicable and important to private sector companies, many of which are also required to meet these criteria for regulatory, contractual, or other purposes. Other private organizations simply appreciate the high cybersecurity standards associated with the Common Criteria.
What needs to be NIAP certified?
Knowing who NIAP applies to is the easy part, but deciding what technology needs to be certified is another ballgame. In general, any technology that is part of a National Security System (NSS) must be NIAP certified.
National Security Systems are defined as information systems operated by the U.S. Government, contractors for the government, or agents, that contain classified information.
A good place to start in determining if something is considered a National Security System is the NIST Guideline for Identifying an Information System as a National Security System.
At a high level, this Guideline uses the basis for identifying an NSS established by FISMA and includes any information systems used or operated by an agency or contractor of an agency in which:
- The function of that system:
- involves intelligence activities;
- involves cryptographic activities related to national security;
- involves command and control of military forces;
- involves equipment that is an integral part of a weapon or weapons system(s); or
- is critical to the direct fulfillment of military or intelligence missions (not including routine administrative and business applications).
- Classified information is touched in any way.
This does not usually include systems used for administrative purposes or routine business applications like those involved in payroll, finance, logistics, and personnel management.
Appendix A of the NIST Guideline provides a checklist to make it easier to identify if a system is in fact considered a National Security System.
How to approach NIAP certification
There are two routes for achieving NIAP certification for most government agencies to which it is applicable.
You can choose to go through the Defense Information Systems Agency (DISA) to see if they have already built an architecture for your application (so you don’t have to go through the process yourself).
The NIAP Product Compliant List (PCL) is a precursor for the Defense Information Systems Agency (DISA) Unified Capabilities Approved Products List (DoD UC-APL), so anything on DISA’s approved products list has already been NIAP certified.
Most often, we see agencies take the second route, which is building something themselves. This is primarily because their application is highly specific and DISA may not yet have something purpose-built that meets their particular needs.
When approaching NIAP certification for your unique application, you’ll want to start by going through each component you need within your architecture and finding an appropriate NIAP certified component through the NIAP PCL.
The PCL contains commercial products across a variety of categories, or "Protection Profiles" (PP). NIAP has created more technology-specific certifications for each Protection Profile.
This method of certification provides assurance that a product meets exact compliance requirements for a specific product category in order to provide repeatable and testable evaluation results across that entire product category.
The NIAP PCL is broken up into the following categories:
- Application Software
- Certificate Authority
- Email Client
- Encrypted Storage
- Enterprise Security Management
- Multi-Function Device
- Network Device
- Network Encryption
- Operating System
- Peripheral Switch
- Remote Access
- SIP Server
- Virtual Private Network
- Web Browser
- Wireless LAN
- Wireless Monitoring
If you have a component in your desired architecture that does not fit within one of the protection profiles, then there will be some additional work required.
NIAP itself does not have the authority to waive the CNSSP 11 requirements, but it does take several factors into consideration if you need a product evaluated that doesn’t adhere to one of the Protection Profiles.
If no Protection Profile is relevant to your specific product, there are two potential courses of action. If a PP is in development or planned, NIAP may ask that you be involved in the Technical Community to develop the PP, and then submit the product immediately upon completion.
As NIAP category changes take a long time, it is rare that the first course of action is feasible. Instead, we most commonly see organizations take the second course of action, which is when there is no PP in development or planned for their particular technology.
In this case, NIAP will work with you to determine if a Common Criteria evaluation is required, and you can request a waiver for that particular technology. The waiver process is unique to each different government agency, so you’ll have to work within your prescribed waiver process.
NIAP and CSfC
Quite often, we see organizations that are interested in NIAP related to a Commercial Solutions for Classified (CSfC) deployment. The NIAP PCL is also a precursor for the Commercial Solutions for Classified (CSfC) Components List.
NIAP certification is required prior to entering the CSfC certification process, so any product that is on the CSfC Components List will have already achieved NIAP certification.
NIAP Certification is incredibly important for any organizations that need to get their products working in an operational environment within the Department of Defense. If your solution will handle sensitive or classified information or be used within DoD operations, every piece of that solution must be NIAP Certified in order for it to be used.
It is important to make sure you understand what goes into a NIAP Certification, that you are aware of the changes to the NIAP Certification process, and that you use only NIAP certified products or parts to build any systems that will handle classified data.