A lot of vendors are targeting their Common Criteria (CC) efforts towards Network Device Collaborative Protection Profile (NDcPP) compliance. A survey of the Australian, Canadian and US in-evaluation lists showed that there were around twelve ongoing NDcPP evaluations (Feb 2017). In comparison, there were ten ongoing Evaluation Assurance Level 2 (EAL2) evaluations (AU/CA only). This reflects the Five Eyes policy shift towards Protection Profiles and the corresponding long sunset of EAL evaluations (at least in the Five Eyes*).
I think there will be a continuing need for EAL evaluations given that Protection Profile (PP) development will not be able to keep up with product innovation. Hopefully certain schemes will continue to allow this on a case-by-case basis.
It is not surprising that NDcPP stands out in take-up because it is the most generic Collaborative Protection Profile available and allows many different products to seek compliance. Most importantly, achieving NDcPP certification gets you onto the NSA/NIAP Product Compliant List (PCL), a prerequisite for the Commercial Solutions for Classified (CSfC) program and often for the US Department of Defense Information Network Approved Products List (DODIN APL / UC APL).
Has anyone been able to complete an NDcPP evaluation? Yes. Cisco has taken three products through in the US. Others will be sure to follow and new versions of the NDcPP should address early growing pains (evidenced by the number of NIAP Technical Decisions that apply to the NDcPP). The Network International Technical Community (iTC) is working on the next version of the NDcPP. If you are interested in getting involved, participation in the iTC is open and occurs via the CC User Forum.
I’ll tackle the differences between NDcPP v1.0 and v2.0 in a future post once the draft is submitted for CC Development Board approval (assuming that it is a public document) and touch on some lessons learned from my experience with the NDcPP.
Until then, feel free to get in touch with any questions you have about NDcPP or CC in general. All the best with your certifications!
*The UK National Cyber Security Centre (NCSC) doesn't post Protection Profile details on its in-evaluation list. New Zealand is included with the Australian figures.