In the evolving world of international IT infrastructure and security, it’s critical that organizations and regulatory bodies have a standard to assess technology effectively. A key player in the United States that works to uphold these standards is the National Information Assurance Partnership (NIAP).
NIAP manages the Common Criteria Evaluation and Validation Scheme (CCEVS) in the United States, ensuring commercial IT products meet robust, internationally recognized security standards.
This article discusses the relationship between the NIAP and the management of Common Criteria standards in the US, including a discussion of some of those standards.
What are Common Criteria Evaluation and Validation Schemes?
The Common Criteria Evaluation and Validation Scheme (CCEVS) provides a standard to evaluate the security of an IT product effectively and reliably. This international scheme aligns with ISO standards, and is managed in the US by the NIAP alongside the National Institute of Standards and Technology (NIST).
CCEVS is based on ISO/IEC 15408, which is typically not mandatory for organizations to adopt. However, since the Common Criteria provides a framework for users to specify their security requirements, it’s often included in, and otherwise managed by, regulatory bodies and frameworks to promote standard testing. Vendors can then implement and/or make claims about the security attributes of their products against this standard. Likewise, testing laboratories can evaluate the effects to determine if they meet the claims.
The process involves governing bodies using CCEVS to accredit Common Criteria Testing Laboratories (CCTLs) within those jurisdictions to ensure they consistently conduct IT product and service audits. This results in a level of assurance in the security functionality of the evaluated IT products.
What Is the National Information Assurance Partnership?
The NIAP is a US government initiative established by the National Security Agency (NSA) and NIST. NIAP aims to evaluate IT product conformance to Common Criteria standards.
One of the primary ways the NIAP fulfills its mission is through its administration of CCEVS used to guide CCTLs. As such, the NIAP provides guidance and requirements for specific Protection Profiles (PPs) or security evaluation schemes that apply to specific IT products, processes, or practices.
What Is a Protection Profile in Common Criteria Assessment?
A Protection Profile identifies the security requirements for a particular category of IT products, like network devices, firewalls, mobile devices, biometric systems, etc. It includes an overview of the security problem the products address, any assumptions about their operating environment, and specific security objectives.
One important part of a Protection Profile is the set of Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that products must meet. SFRs describe the expected behaviors and features of a product. SARs outline the steps that must be taken during a product’s development and testing to ensure it meets its SFRs.
In the case of applications of Common Criteria assessment in the US, the NIAP defines PPs in line with CC requirements and maps them onto security controls defined by NIST Special Publication 800-53, a catalog of security controls implemented in various US security standards like FISMA and FedRAMP.
Example Protection Profiles
To achieve NIAP certification, a product must demonstrate conformance to an approved NIAP Protection Profile (PP). This entails being evaluated by a NIAP-approved Common Criteria Testing Laboratory (CCTL).
Per the NIAP website, dozens of well-structured PPs apply to several standard technologies. Some of these PPs include:
- Email Clients: The PP for email clients includes requirements for cryptography, authentication, and authorization such that the initial security of an email server is maintained and protected. Standard controls mapped to this PP include those from the System and Communication Protection (SC), Identification and Authentication (IA), and Configuration Management (CM) families.
- Encrypted Storage: There are several PPs for encrypted storage, including full-drive encryption, enterprise-wide encryption management, and file-level encryption. Common control families mapped here include SC, IA, and System and Information Integrity (SI).
- Firewalls: The CC calls for basic functionality that most organizations expect from an enterprise firewall. Such functionality includes the separation of services and privileges for shared resources inside and outside a perimeter, controls over traffic movement across that perimeter, processes for handling malformed or malicious traffic, and so on. This includes several similar controls to other PPs listed here, including those from the Audit and Accountability (AU), SC, and CM families.
- Biometrics: CC conformity requires that biometric products have methods to prevent impersonation, provide adequate reliability to individual identification, and support reliable onboarding and template creation. Controls mapped here come primarily from the IA and SC families.
- Web Browsers: This PP addresses security concerns around browser hijacking and extension and provides requirements to test for the capabilities of malicious third-party tools. Additionally, it requires that browsers can address origin violation attacks that circumvent access control policies. Controls mapped here include those already listed with the addition of Access Control (AC) and PII Processing and Transparency (PT) families.
Is NIAP the Same As the National Voluntary Laboratory Accreditation Program?
The National Voluntary Laboratory Accreditation Program (NVLAP) and the National Information Assurance Partnership (NIAP) are both initiatives related to the testing and evaluation of various aspects of technology and information systems, and they are both connected to NIST as a governing body. However, they serve different functions and cater to different needs.
- NVLAP, which NIST directly manages, provides third-party accreditation to testing and calibration laboratories. NVLAP accreditation shows that a laboratory has demonstrated that it operates according to NVLAP management and technical requirements and is capable of producing valid results.
- NIAP, on the other hand, is an initiative run jointly by the NSA and NIST. NIAP oversees evaluating commercial IT products for use in national security systems following Common Criteria standards.
Although NVLAP doesn’t specifically accredit CCTLs, the overall accreditation programs of NVLAP reflect the importance of third-party assessments of testing labs, a concept that’s also integral to NIAP’s operation through the CCTLs.
Stay In Line with Common Criteria
Seeking compliance with ISO, NIST, or Common Criteria standards? Lazarus Alliance has decades of experience working with industry and regulatory standards worldwide. Contact us today.