What is the process for NIAP certification?
In order to obtain NIAP Certification for a product, manufacturers must go through all of the following steps:
- Engage and establish a contract with an accredited national laboratory;
- Select a Target of Evaluation (TOE), a product or system that will be the subject of evaluation;
- Choose the appropriate NIAP Protection Profile(s) that the product fits within;
- Establish a Security Target (ST), a set of security requirements and specifications to be used as the basis for evaluation (You can view Attila’s Security Target as an example);
- Submit a package with all of the above information to the NIAP office;
- Receive approval to start the evaluation process from the NIAP office (at this point, the product will be placed on the NIAP in-evaluation list);
- Complete required documentation and testing with the previously selected lab and submit all completed testing results to the NIAP office;
- Receive final certification from NIAP and CCEVS.
Once all of these steps are completed, the product will have a NIAP certification and will be placed on the NIAP Product Compliant List (PCL).
What is the Common Criteria?
NIAP is responsible for the U.S. implementation of the Common Criteria Evaluation and Validation Scheme (CCEVS). CCEVS is an internationally recognized set of guidelines (ISO 15408), which defines a common framework for evaluating security features and capabilities of Information Technology security products against functional and assurance requirements.
The CCEVS was developed collaboratively by the governments of Canada, France, Germany, the Netherlands, the UK, and the U.S. There is a mutual recognition agreement, called the Common Criteria Recognition Agreement (CCRA), whereby each country recognizes completed evaluations against the Common Criteria standard done by other parties.
NIAP is also responsible for running the validation body which certifies that products have effectively applied the CCEVS.
According to NIAP, “all products evaluated within the Scheme must demonstrate exact compliance with the applicable technology protection profile.”
As a neutral third party, NIAP assesses the results of the security evaluation and, if the evaluation is successful, issues a validation certificate to the product manufacturer. At that point, the product can be placed on the U.S. NIAP Product Compliant List and the international CCRA Certified Products List.