The National Information Assurance Partnership (NIAP) is responsible for overseeing and monitoring the security of commercial IT products used in National Security Systems. NIAP certification is most applicable to the Department of Defense (DoD), the Intelligence community and any DoD contractors or affiliates. NIAP certification is also applicable and important to private sector companies.
What Is NIAP Certification?
NIAP certification is a commercial cybersecurity product certification that is mandated by federal procurement requirements (CNSSP 11) for use in U.S. National Security Systems (NSS). Its primary purpose is to certify commercial technology or products which will be used to handle sensitive data.
National Security Systems are defined as information systems, operated by the U.S. Government, by contractors for the government, or by agents of the government, that contain classified information. A system falls into this category if it does any of the following:
- involves intelligence activities;
- involves cryptographic activities related to national security;
- involves command and control of military forces;
- involves equipment that is an integral part of a weapon or weapons system(s); or
- is critical to the direct fulfillment of military or intelligence missions (not including routine administrative and business applications).
When a product receives NIAP certification, it may be used in any of the above applications, and the manufacturer’s claims regarding its security features and capabilities have been evaluated and confirmed by a neutral third party and verified by NSA’s NIAP office.
In addition, NIAP-certified, commercially available products are generally less expensive and more user-friendly than their COMSEC/Type 1 counterparts and have greater flexibility to integrate with various platforms and systems.
History of NIAP & The Common Criteria
The National Information Assurance Partnership (NIAP) was originally created as a partnership between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). It is now operated by the NSA and is a U.S. government initiative aimed at meeting the security testing needs of both IT consumers and providers.
The NIAP program was established to implement and administer a consistent, repeatable process governing the testing and evaluation of Commercial Off The Shelf (COTS) Information Assurance (IA) and IA-enabled IT products.
NIAP is responsible for the U.S. implementation of the Common Criteria Evaluation and Validation Scheme (CCEVS). CCEVS evaluates products against the Common Criteria, an internationally recognized set of guidelines (ISO 15408) that defines a common framework for evaluating the security features and capabilities of Information Technology security products against functional and assurance requirements.
The Common Criteria underlying CCEVS were developed collaboratively by the governments of Canada, France, Germany, the Netherlands, the UK, and the U.S. A mutual recognition agreement, the Common Criteria Recognition Agreement (CCRA), provides that each member country recognizes completed evaluations against the Common Criteria standard performed by the other parties.
NIAP is also responsible for running the validation body that certifies products have been evaluated in accordance with the CCEVS. According to NIAP, “all products evaluated within the Scheme must demonstrate exact compliance with the applicable technology protection profile.”
As a neutral third party, the NIAP validation body assesses the results of the security evaluation and, if the evaluation is successful, issues a validation certificate to the product manufacturer. At that point, the product can be placed on the U.S. NIAP Product Compliant List and the international CCRA Certified Products List.
NIAP Certification Process
NIAP has adopted a new certification process, doing away with the previous practice of certifying against Evaluation Assurance Levels (EAL).
Today, NIAP no longer accepts EAL-based evaluations, because they were too broad and did not provide the level of assurance needed by the organizations using the products.
Instead, NIAP has created technology-specific certifications, referred to as Protection Profiles (PP). This method of certification provides assurance that a product meets exact compliance requirements for a specific product category, so that evaluation results are repeatable and testable across that entire product category.
Attila’s own GoSilent device, for instance, is NIAP certified against the VPN Gateway Protection Profile. The GoSilent, like every other certified device in that category, adheres to a specific set of compliance requirements that must be met by all VPN Gateways.
In order to obtain NIAP Certification for a product, manufacturers must go through all of the following steps:
- Engage and establish a contract with an accredited national laboratory;
- Select the Target of Evaluation (TOE), the product or system that will be the subject of evaluation;
- Choose the appropriate NIAP Protection Profile(s) the product fits within;
- Establish a Security Target (ST), a set of security requirements and specifications to be used as the basis for evaluation (You can view Attila’s Security Target as an example);
- Submit a package with all of the above information to the NIAP office;
- Receive approval from the NIAP office to start the evaluation process (at this point, the product will be placed on the NIAP in-evaluation list);
- Complete the required documentation and testing with the previously selected lab and submit all completed testing results to the NIAP office;
- Receive final certification from NIAP and CCEVS.
Once all of these steps are completed, the product will have a NIAP certification and will be placed on the NIAP Product Compliant List (PCL).
Depending upon other compliance and certification needs, the product may still need additional certifications as well, like NIST or FIPS. However, NIAP certification is the first step or foundation upon which these further certifications will rely.
The NIAP PCL is also a precursor for other lists including the Commercial Solutions for Classified (CSfC) Components List and the Defense Information Systems Agency (DISA) Unified Capabilities Approved Products List (DoD UC-APL).
What Does a NIAP Certification Really Mean?
A NIAP Certification states that “The following products, evaluated and granted certificates by the NIAP validation body or under CCRA partnering schemes, comply with the requirements of the NIAP program and where applicable, the requirements of the Federal Information Processing Standard (FIPS) Cryptographic validation program(s). Products on the PCL are evaluated and accredited at licensed/approved evaluation facilities for conformance to the Common Criteria for IT Security Evaluation (ISO Standard 15408). U.S. Customers (designated approving authorities, authorizing officials, integrators, etc.) may treat these mutually-recognized evaluation results as complying with the Committee on National Security Systems Policy (CNSSP) 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products – dated June 2013.” (source)
Essentially, this means that products that are NIAP Certified have been approved by the government for use in National Security Systems. This provides peace of mind that any systems which touch sensitive information have the appropriate measures in place to keep that data secure.
NIAP Certification is incredibly important for any organizations that need to get their products working in an operational environment within the Department of Defense. If your product will handle sensitive or classified information or be used within DoD operations, every piece of that product must be NIAP Certified in order for it to be used.
It is important to make sure you understand what goes into a NIAP Certification, that you are aware of the changes to the NIAP Certification process, and that you use only NIAP Certified products or parts to build any systems that will handle classified data.