Approved IA Products

by Bruce Brown | 1 Comment

IA Control – DCAS-1, Acquisition Standards Security Design

This does not apply to every type of device and/or application, only to IA Products (firewalls, IDS, anti-virus, etc.) and IA-Enabled products (operating systems, routers, DBMS, etc.). If the IA-Enabled product, let's say a router, will be used as a dumb device like a hub that just passes data between two stand-alone computers (no connection to the Internet or a major LAN), you probably don't need to worry about most of this. All systems that are IA-Enabled or IA Products (defined below) and that require the use of IA capabilities must match the IA "protection profile" for that particular technology. In other words, if you have a firewall (which is an IA Product), it has to have all of the security, cryptographic and robustness features detailed in the applicable NIAP firewall list of features, better known as a protection profile. I wish it were that simple. But the firewall in the example above also has to comply with the evaluation and validation requirements of NSTISSP No. 11, which states that the firewall you bought must have a Common Criteria evaluation. Furthermore, each branch of the DoD has a list of products that they prefer you purchase due to contractual arrangements. In the end, your best bet is to only buy IA-Enabled and IA Products that have an IA capability (will protect data in some way) and that are listed on this site, http://www.niap-ccevs.org, or have been evaluated in accordance with the Common Criteria. If the device is not on the NIAP site, you may be able to find something close by googling "[YOUR PRODUCT] Common Criteria". Also, keep in mind that all operating systems may have to have anti-virus applications, which must also meet their protection profiles.

Protection Profiles: http://www.niap-ccevs.org/cc-scheme/pp/index.cfm

Products used within the Department of Defense may be submitted for evaluation at evaluation assurance levels (EALs) 1-7 through the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS). Alternatively, the United States recognizes products that have been evaluated under the sponsorship of other signatories and in accordance with the International Common Criteria for Information Security Technology Evaluation Recognition Arrangement (CCRA). (DoDI 8500.2, E2.1.30)

IA-Enabled Product. Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems. (DoDI 8500.2, E2.1.29)

IA Product. Product or technology whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control or non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. Examples include such products as data/network encryptors, firewalls, and intrusion detection devices. (DoDI 8500.2) http://www.niap-ccevs.org/cc-scheme/

Product Specification and Evaluation

(DoDI 8500.2) E3.2.5. Product Specification and Evaluation. At the enterprise level, implementation-independent specifications for IA and IA-enabled IT products are provided in the form of protection profiles. Protection profiles are developed in accordance with the Common Criteria (reference (j)) within the NIAP framework. Regardless of the mission assurance category or confidentiality level of the DoD information system, all incorporated IA products, and IA-enabled IT products that require use of the product's IA capabilities, acquired under contracts executed after July 1, 2002, shall comply with the evaluation and validation requirements of NSTISSP No. 11 (reference (ah)), with the following qualifications:

E3.2.5.1. If an approved U.S. Government protection profile exists for a particular technology area and there are validated products available for use that match the protection profile description, then acquisition is restricted to those products; or to products that vendors, prior to purchase, submit for evaluation and validation to a security target written against the approved protection profile. Products used within the Department of Defense may be submitted for evaluation at evaluation assurance levels (EALs) 1-7 through the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS). Alternatively, the United States recognizes products that have been evaluated under the sponsorship of other signatories and in accordance with the International Common Criteria for Information Security Technology Evaluation Recognition Arrangement (CCRA) for EALs 1-4 only.

E3.2.5.2. If an approved U.S. Government protection profile exists for a particular technology area, but no validated products that conform to the protection profile are available for use, the acquiring organization must require, prior to purchase, that vendors submit their products for evaluation and validation by a NIAP EVP or CCRA laboratory to a security target written against the approved protection profile or acquire other U.S.-recognized products that have been evaluated under the sponsorship of other signatories to the CCRA.

E3.2.5.3. If no U.S. Government protection profile exists for a particular technology area and the acquiring organization chooses not to acquire products that have been evaluated by the NIAP CCEVS or CCRA laboratories, then the acquiring organization must require, prior to purchase, that vendors provide a security target that describes the security attributes of their products, and that vendors submit their products for evaluation and validation at a DAA-approved EAL. Robustness requirements, mission, and customer needs will together enable an experienced information systems security engineer to recommend a specific EAL for a particular product to the DAA.

(edited: 29 August 2011. Fixed some text. Clarified some issues.)

1 Comment on Approved IA Products

  1. Rmorris
    April 23, 2012 at 7:35 am

    Another step in the approval/purchasing process, yeah!
    I have two NASes that I now need to find NIAP approval for.

    Synology DS110j
    NETGear 12TB Storage

    I looked on the very slim list of approved devices; they are not there, along with the rest of common hardware. Any suggestions?

