Many vendors seeking to sell hardware or software to the U.S. Government, particularly to defense and intelligence agencies, will find that cyber security product certification is mandated by federal procurement requirements (CNSSP 11) for these environments. We know, because many of our clients come to us for this very reason – fast, efficient, low-risk evaluations that ultimately end up on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL).
NIAP, administered by the National Security Agency (NSA), states the following regarding the PCL:
All products evaluated within the Scheme must demonstrate exact compliance to the applicable technology Protection Profile. NIAP assesses the results of the security evaluation conducted by the lab and, if the evaluation is successful, issues a validation certificate and lists the product on the U.S. NIAP Product Compliant List and the international CCRA Certified Products List. U.S. Customers (designated approving authorities, authorizing officials, integrators, etc.) may treat these mutually-recognized evaluation results as complying with the Committee on National Security Systems Policy (CNSSP) 11, National Policy Governing the Acquisition of Cybersecurity and Cybersecurity-Enabled Information Technology Products.
The NIAP PCL in turn is a precursor for other lists, such as Commercial Solutions for Classified (CSfC). As Syneren Technologies Corporation discovered, failing to address software accreditation requirements can be costly – Selling Software to the Government: Four Cybersecurity Lessons from a Failed DoD Bid Protest.
So how does a vendor get onto the NIAP PCL? The steps are as follows:
- Select a NIAP approved Protection Profile that is suitable for your product. Conformance to an approved Protection Profile is required – Evaluation Assurance Level (EAL) based evaluations are no longer accepted by NIAP.
- Perform a Functional Gap Analysis (preferably by testing as described in our Network Device Protection Profile blog post) and remediate gaps to address the mandatory Protection Profile requirements.
- Undertake evaluation with a Common Criteria Laboratory – to facilitate timely PCL listing, our experience has shown that it is preferable to use a ‘Five Eyes’ (US, UK, Canada, Australia, New Zealand) based lab.
Unless you have a team of in-house certification experts, you’ll likely want to engage with experienced professionals who can guide you through each step. Contact us today to find out how our Greenlight automation platform and highly experienced team can accelerate your NIAP PCL certification.
Lachlan has 20+ years of extensive product security certification experience, including roles as a government certifier, lab evaluator and vendor consultant. As the Director of Cyber Labs, Lachlan has overall responsibility for our Canadian and US Common Criteria laboratories.