
NDcPP v4.0 vs. v3.0e: What’s Changing and How to Prepare

Lachlan Turner | Common Criteria

If you ship network devices into environments that care about Common Criteria, the Network Device Collaborative Protection Profile (NDcPP) is the baseline you live with. NDcPP v3.0e has been the approved version since December 2023; the ND iTC is now iterating on an NDcPP v4.0 draft. This post offers a practitioner’s comparison of v3.0e and the v4.0 draft, the NIAP acceptance window you need to plan around, and concrete steps to de‑risk your roadmap.

NIAP Deadline Alert!

New evaluations claiming NDcPP v3.0e will only be accepted through December 31, 2025 for NIAP PCL listings. After that, v4.0 (or later) under CC:2022 is mandatory.
Action: Unless you’re locked and loaded on v3.0e and about to start evaluation, plan to target v4.x.

Key Differences Between v3.0e and v4.0 Draft

| Area | v3.0e | v4.0 Draft |
|---|---|---|
| CC Baseline | CC v3.1R5 | CC:2022 (adds Parts 4 & 5) |
| TLS & X.509 | Embedded in PP | Moved to functional packages (PKG_TLS v2.x, PKG_X.509 v1.0) |
| SSH | Already modular (PKG_SSH v1.0) | Continues modular (PKG_SSH v2.0) |
| PKI | FIA_X509_EXT | Adds explicit cert path rules (e.g., FCO_CPC_EXT.1) |
| Modules | Stable allowed-with list | v4.0 section in progress |

What’s Driving These Changes?

  • CC:2022 Alignment – New structure, updated evaluation methods, and assurance packaging.
  • Protocol Modularization – TLS and X.509 move to functional packages; SSH was already modular.
  • PKI Tightening – Expect stricter certificate path validation and revocation handling.
  • Transition Deadlines – NIAP will only accept new v3.0e evaluations until Dec 31, 2025.

Practical Steps for Vendors

  1. Decide Your Strategy Now
    • Already well on the way with v3.0e? Start formal evaluation before Dec 31, 2025.
    • Otherwise, pivot to v4.0 planning for long-term compliance.
  2. Map Your Crypto Stack
    • Align TLS, SSH, and X.509 features to PKG_TLS v2.x, PKG_SSH v2.0, and PKG_X.509 v1.0.
  3. Engage Early with Your Lab
    • Confirm timelines, transition policies, and any scheme-specific nuances.
  4. Functional Gap Assessment
    • Engage with a lab that uses testing to perform the gap assessment. At Lightship Security we call this a Functional Gap Assessment (FGA).

Bottom Line

NDcPP v4.0 isn’t a revolution—it’s a refactor for CC:2022 and modular packages. If you’re solid on v3.0e, you’re close, but the clock is ticking for NIAP-bound products. Start planning now to avoid surprises.

Contact us to tailor your NDcPP strategy.

Lachlan has 20+ years of extensive product security certification experience, including roles as a government certifier, lab evaluator and vendor consultant. As the Director of Cyber Labs, Lachlan has overall responsibility for our Canadian and US Common Criteria laboratories.