
Key Update in NIAP Policy Letter #12: Vendors, Take Note of Core Functionality Requirement

Lachlan Turner
Certifications, Common Criteria

The latest update to NIAP Policy Letter #12 (Update 5) brings a significant change that vendors should be aware of: the inclusion of core functionality as a critical requirement for products undergoing evaluation under NIAP. This new addition places an important responsibility on vendors to ensure that their products’ core functionality is explicitly included in the scope of evaluation. Let’s dive into why this change is so crucial for vendors and how they can prepare.

What’s New in NIAP Policy Letter #12 Update 5?

In previous versions of Policy Letter #12, the focus was primarily on ensuring that evaluated products conformed to NIAP-approved Protection Profiles (PPs) without explicitly emphasizing the inclusion of the product’s core functionality. However, Update 5 introduces the requirement that the selected PP and PP modules must encompass the core functionality of the product.

Core Functionality refers to the primary purpose for which a product is designed and marketed. It’s the essential security feature or features that define the product’s value proposition and are critical to its performance.

Vendors can estimate their product’s core functionality by reviewing their marketing materials. Start by selecting the top three to five key selling points that highlight your product’s value proposition from a security perspective. These points are likely to reflect its core functionality. However, this approach has its limitations, especially if your product spans multiple technology areas that may not yet be ready for evaluation. Lightship Security can assist in navigating these complexities.

Engage with Lightship Security for Strategic Support

With the introduction of the core functionality requirement, vendors must be prepared for the selection of PPs and Modules to be more rigid than in the past. As a lab, we have already seen that NIAP is looking closely at this aspect and strictly enforcing the policy, for example by requiring the addition of modules that were not required in previous evaluations.

Here’s how Lightship Security can assist in developing a robust strategy:

  1. Expert Guidance on Protection Profiles and Modules: We can help assess your product’s core functionality and ensure it is accurately captured by the selected Protection Profiles and Modules.
  2. Streamlining the Evaluation Process: We have extensive experience navigating the NIAP Common Criteria evaluation process. By partnering with us, you can avoid common pitfalls, accelerate your evaluation timeline, and ensure that your product is evaluated based on its most critical security features.
  3. Tailored Strategy Development: We recognize that each product is unique, and the core functionality may vary depending on the use case. We help develop a tailored strategy that aligns with the latest NIAP policies while addressing your product’s specific security needs and market requirements.
  4. Ongoing Compliance Support: As the landscape of cybersecurity evaluations evolves, our team provides ongoing support to help maintain compliance with future updates to NIAP policies and other relevant standards.

Contact Lightship Security today to discuss your evaluation strategy.

Lachlan has 20+ years of extensive product security certification experience, including roles as a government certifier, lab evaluator and vendor consultant. As the Director of Cyber Labs, Lachlan has overall responsibility for our Canadian and US Common Criteria laboratories.