NDcPPv2.1 is hot off the presses from the Network iTC. It has yet to be officially accepted by NIAP for PCL usage; however, this is probably not too far off, perhaps with some minor tweaks (the new NTP SFR being something to watch).
Here are some notes from our initial review:
- NTP. A new SFR has been added for NTP, which we understand refers to mechanisms that are supported by commonly available NTP clients. Vendors still have the option of specifying manual time configuration. If v2.1 is accepted by NIAP as is, this will remove the mandated use of a trusted channel for NTP, which was causing problems for some vendors in v2.0e.
- TLS. Administrators can now elect to ignore certificate validation failures. Support for 192-bit ciphersuites has been removed and a couple of new suites have been added.
- X.509. Certificate revocation checking requirements have been ‘clarified’ by an application note. This may result in changes for implementations that meet the current requirements.
- Audit Events. Every generation, import or change of long-term cryptographic keys (i.e. not session keys) needs to be audited, including keys that are automatically generated by the TOE.