NIAP Requests for a Mitigation Plan

Lachlan Turner Certifications, Common Criteria

Vendors with products on NIAP’s Common Criteria Product Compliant List (PCL) may from time-to-time receive a request from NIAP for a mitigation plan addressing a given widespread vulnerability (e.g. Meltdown, Spectre etc.). This is in keeping with NIAP Policy 17 which is intended to “ensure products receiving a NIAP Common Criteria certificate do not contain known vulnerabilities”.

What is a Mitigation Plan?

NIAP Policy 17 provides the following options to vendors:

  1. Provide a rationale as to why the vulnerability does not require product modification (e.g. why not exploitable / why not applicable); or
  2. Provide a plan to address the vulnerability (e.g. patch or workaround available / in development).

Typically, a vendor’s own Security Advisory will address either of the above points and would itself be sufficient to provide to NIAP. In the absence of a published advisory, vendors will need to produce a Mitigation Plan (which may be as simple as a single paragraph) addressing either 1 or 2 above.

What should I do if I receive a vulnerability notification from NIAP?

Make sure you respond! The notification will include a deadline to respond to NIAP – if they do not receive a response your product will be removed from the PCL. You will likely already have a public Security Advisory that will be sufficient, if not, you’ll need to do some investigation and produce a plan addressing 1 or 2 above. If you need assistance, your lab or consultant should be able to help.

If you are a Lightship Security customer, we’ll provide complimentary advice to help you address NIAP requests for a mitigation plan.

Contact us for assistance with your mitigation plan or general enquiries about Common Criteria and the NIAP PCL.