NIAP and Protection Profiles

IT security in the federal market is layered and multifaceted. Specific requirements exist for different types of data platforms and technologies. At a more granular level, standards have been developed for individual IT products: NIAP Protection Profiles.

This article will cover why these profiles are essential for federal security, how to find them, and what to do if there isn’t an available profile to follow.

What Are NIAP Protection Profiles?

NIAP (National Information Assurance Partnership) Protection Profiles are documents describing the standard requirements for the security functionality of IT products and systems and the assurance measures used to evaluate them. The NIAP operates under the purview of the National Security Agency (NSA) and is a part of the U.S. Government’s effort to implement the Common Criteria for Information Technology Security Evaluation.

A Protection Profile (PP) serves several vital purposes:

NIAP maintains a list of approved Protection Profiles for various categories of products, such as network devices, mobile devices, operating systems, and more. Product developers seeking to have their products certified will align their development efforts with a relevant Protection Profile to ensure their products can be evaluated and potentially certified under the NIAP program.

What Are the Protection Profiles?

NIAP Protection Profiles cover a wide range of technology types, ensuring that IT products meet specific security requirements for use within national security systems. Examples of these protection profiles include:

Other protection profiles can cover various technologies and categories, including USB drives, peripherals, and SIP Servers.

Why Are Protection Profiles Required for IT Products Used to Handle Secure Data?

Federal security standards mandate that IT products meet NIAP Protection Profiles primarily under the Committee on National Security Systems Policy (CNSSP) No. 11. This policy requires departments and agencies within the Executive Branch to acquire only those products or cryptographic modules that have been validated against the International Common Criteria for Information Technology Security Evaluation, under the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS), or by the NIST FIPS Cryptographic Module Validation Program.

CNSSP #11 is a critical policy component of the U.S. Government’s overall Information Assurance strategy. It ensures that IT products acquired for national security systems are validated to perform as advertised by their manufacturers or to satisfy the security requirements of the intended user. The policy emphasizes the importance of standardized evaluation processes that validate the security claims of marketed IA products, ensuring those products meet the security needs of national security systems and the information they handle.

What Happens When There Isn’t a Defined Protection Profile?

When vendors or end-users want to include a product for federal use but there is no existing protection profile, they can follow these steps:

By following these steps and collaborating with NIAP, vendors and end-users can work towards ensuring that their products meet the necessary security standards for federal use, even in the absence of an existing protection profile.

We Handle NIAP and Related Assessments

If you’re looking to meet requirements under a NIAP Protection Profile or seek other related assessment services under FIPS or NVLAP, call Lazarus Alliance.