How to get on the NSA/NIAP Product Compliant List (PCL)

Lachlan Turner Certifications, Common Criteria

Many vendors seeking to sell hardware or software to the U.S. Government, particularly to defense and intelligence agencies, will find that cyber security product certification is mandated by federal procurement requirements (CNSSP 11) for these environments. We know, because many of our clients come to us for this very reason – fast, efficient, low risk evaluations that ultimately end up on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL).

NIAP, administered by the National Security Agency (NSA), state the following regarding the PCL:

The following products, evaluated and granted certificates by NIAP or under CCRA partnering schemes, comply with the requirements of the NIAP program and where applicable, the requirements of the Federal Information Processing Standard (FIPS) Cryptographic validation program(s). Products on the PCL are evaluated and accredited at licensed/approved evaluation facilities for conformance to the Common Criteria for IT Security Evaluation (ISO Standard 15408). U.S. Customers (designated approving authorities, authorizing officials, integrators, etc.) may treat these mutually-recognized evaluation results as complying with the Committee on National Security Systems Policy (CNSSP) 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products – dated June 2013 (https://www.cnss.gov/CNSS/issuances/Policies.cfm).

The NIAP PCL in-turn is a pre-cursor for other lists, such as Commercial Solutions for Classified (CSfC) and the Defense Information Systems Agency (DISA) Unified Capabilities Approved Products List (DoD UC-APL). As Syneren Technologies Corporation discovered, failing to address software accreditation requirements can be costly – Selling Software to the Government: Four Cybersecurity Lessons from a Failed DoD Bid Protest.

So how does a vendor get on to the NIAP PCL? The steps are as follows:

  1. Select a NIAP approved Protection Profile that is suitable for your product. Conformance to an approved Protection Profile is required – Evaluation Assurance Level (EAL) based evaluations are no longer accepted by NIAP.
  2. Perform a Functional Gap Analysis (preferably by testing as described in our Network Device Protection Profile blog post) and remediate gaps to address the mandatory Protection Profile requirements.
  3. Undertake evaluation with a Common Criteria Laboratory – to facilitate timely PCL listing, our experience has shown that it is preferable to use a ‘five-eyes’ (US, UK, Canada, Australia, New Zealand) based lab.

Unless you have a team of in-house certification experts, you’ll likely want to engage with experienced professionals who can guide you through each step. Contact us today to find out how our Greenlight automation platform and highly experienced team can accelerate your NIAP PCL certification.