What’s the Deal With NDcPP 3.0?

Lachlan Turner Common Criteria

This post aims to answer the most common questions we get about NDcPP 3.0:

  • When is NDcPP 3.0 going to drop?
  • What’s new in NDcPP 3.0?
  • What will the transition period be between NDcPP 2.2E and NDcPP 3.0?
  • What does this mean for current NDcPP projects?
  • What does Lightship Security recommend for new network device projects?

When is NDcPP 3.0 Going to Drop?

For most of our clients, getting on the NIAP PCL is the primary driver for their evaluations. Therefore NDcPP 3.0 is only relevant once NIAP endorses it as a NIAP Approved PP at https://www.niap-ccevs.org/Profile/PP.cfm

That being the case, there are two things that still have to happen before NDcPP 3.0 really comes into play:

  1. The Network Device iTC has to address public comments on the draft of NDcPP 3.0 and publish the final version – this work is in progress. See https://github.com/ND-iTC/Documents/issues
  2. NIAP has to endorse the final version – we may well end up with an ‘E’ version (as we did with NDcPP 2.2) with a few changes thrown in at the last minute from NIAP.  It is not clear how long this will take.

So, there is no definitive answer to this question. It could be as early as Q1 2023 but it may take longer – say Q2 or Q3. We will be keeping an eye on progress and keep our customer informed.

What’s New in NDcPP 3.0?

Here’s the summary of changes that was presented during the last CCUF workshops:

  • Added TLS v1.3 [claiming this is optional]
  • Removed TLS v1.1 / DTLS 1.0
  • CCMB comment resolution from their review of the Supporting Document v2.2
  • Added ALC _FLR as an optional additional assurance component to better align with EUCC
  • SSH SFRs removed, NIAP’s Functional Package now required for SSH
  • Updated references to standards (RFCs and NIST SPs)
  • Removed support for published hash as a means of providing software integrity
  • Address formatting comments
  • First time document updates done using GitHub (via AsciiDoc)

None of these are particularly earth shattering but please contact your Lightship Project Manager if you have any concerns about your projects.

What is the Transition Period?

Focusing solely on the NIAP acceptance policy (as this is what is most relevant for our customers), there will typically be a transition period of 6 months between when a new PP is endorsed and the old PP is sunset. During the transition period, applicable products will be allowed to comply with either the old or the updated version of the PP.

So, new evaluations may still begin (check-in) against NDcPP 2.2E right up until it is sunset.

What Does This Mean for Current NDcPP Projects?

Unless it is anticipated that your evaluation will not start until mid to late 2023, this should not impact current NDcPP projects. Please get in touch with your Lightship Project Manager if you have any concerns about your project timelines.

Recommendations for New Projects?

Until NIAP endorsement, new NDcPP projects should factor in NDcPP 3.0 requirements during the Functional Gap Assessment (FGA) phase to allow the flexibility to conform with either NDcPP 2.2E or NDcPP 3.0.

This primarily means:

  • Disable TLS 1.1 / DTLS 1.0
  • Support TLS 1.2
  • Disable TLS 1.3 or make it configurable (toggle on/off)
  • Use digital signatures for software/firmware integrity


If you have a network device project you think might be a good fit for the Network Device Protection Profile, please contact us to find out how we can help you!

Lachlan has 15+ years of extensive product security certification experience, including roles as a government certifier, lab evaluator and vendor consultant. Lachlan leads our consulting team to assist vendors to get through the certification process efficiently.