What’s the Deal With NDcPP 3.0?

Lachlan Turner

Common Criteria

NDcPP 3.0E has now been endorsed by NIAP. This post aims to answer the most common questions we get about NDcPP 3.0E:

  • What’s new in NDcPP 3.0E?
  • What will the transition period be between NDcPP 2.2E and NDcPP 3.0E?
  • What does this mean for current NDcPP projects?
  • What does Lightship Security recommend for new network device projects?

What’s New in NDcPP 3.0E?

Here’s the summary of changes that was presented during the last CCUF workshops:

  • Added TLS v1.3 [claiming this is optional]
  • Removed TLS v1.1 / DTLS 1.0
  • CCMB comment resolution from their review of the Supporting Document v2.2
  • Added ALC_FLR as an optional additional assurance component to better align with EUCC
  • SSH SFRs removed; NIAP’s Functional Package now required for SSH
  • Updated references to standards (RFCs and NIST SPs)
  • Removed support for published hash as a means of providing software integrity
  • Addressed formatting comments
  • First time document updates done using GitHub (via AsciiDoc)

None of these are particularly earth-shattering, but please contact your Lightship Project Manager if you have any concerns about your projects.

What is the Transition Period?

NIAP has set the NDcPP 2.2E sunset date at 2024-06-14. New evaluations will be accepted against either the old or the updated version of the PP up until the sunset date. For NIAP evaluations specifically, check-in must occur 3 weeks before sunset if using 2.2E.

What Does This Mean for Current NDcPP Projects?

Projects that will check in after May 2024 will need to transition to NDcPP 3.0E. Please get in touch with your Lightship Project Manager if you have any concerns about your project timelines.

Recommendations for New Projects?

New NDcPP projects can now target NDcPP 3.0E requirements. Lightship recommends undertaking a Functional Gap Assessment to prepare for your evaluation.

If you have a network device project you think might be a good fit for the Network Device Protection Profile, please contact us to find out how we can help you!

Lachlan has 20+ years of extensive product security certification experience, including roles as a government certifier, lab evaluator and vendor consultant. As the Director of Cyber Labs, Lachlan has overall responsibility for our Canadian and US Common Criteria laboratories.