If you’ve been looking into CC certification, chances are you may have heard the term Collaborative Protection Profile (cPP), or at least Protection Profile (PP). This post provides a quick intro and some reference links.
What is a Protection Profile?
At the most basic level, a PP is just a statement of security requirements for a specific technology. Depending on the level of adoption, governments around the world have historically published their own PPs, and vendors would have to comply with each different government PP for a given technology. Here in North America, the most often referenced PPs are published by NSA / NIAP – these are NIAP Approved Protection Profiles (note that NIAP has approved a number of cPPs). There are plenty of other profiles, though; a central list can be found at the Common Criteria Portal Protection Profiles list. Whether these are relevant to you depends on the target market for the certified product.
What is a Collaborative Protection Profile?
A cPP is a Protection Profile that has been created through – you guessed it – a collaborative process. The intention is to address the historical stovepipe nature of government-specific PPs whilst defining better requirements and testing methodology through industry engagement. To achieve this, cPPs are created by Technical Communities made up of CC and technology area experts with sponsorship from two or more CCRA nations. During the development of a cPP, all CCRA nations are invited to issue informal Position Statements which indicate whether that nation intends to endorse the cPP. Once the cPP is complete, endorsing nations are invited to issue formal Endorsement Statements which may specify links to procurement and any caveats. The cPP development process is still in refinement – a draft process description has been published by the CC Development Board.
Collaborative Protection Profile links
Despite process refinements to come, there have been a number of cPPs published with more on the way. Here’s where to find cPPs and more information:
How to get involved in Protection Profile development
If you want to shape the Common Criteria requirements that your product might one day have to meet, you should get involved with (or push to start via your CC scheme) a Technical Community relevant to your product space. The most active communities are NIAP Technical Communities and CCRA Technical Communities. You should also join the Common Criteria User Forum, which is a great resource for all things related to the Common Criteria.
Lachlan has 15+ years of extensive product security certification experience, including roles as a government certifier, lab evaluator and vendor consultant. Lachlan leads our consulting team to assist vendors to get through the certification process efficiently.