Welcome to the Acumen Security Blog

Updated NIAP PPs!

Yesterday, NIAP published updates to several Protection Profiles, including the SIP Server EP, NPDD Errata (#3), and the Application SW PP. For reference, Acumen has created a difference document which can be found here.

Compared to previous NIAP PP updates, these updates are very small and consist of:

  1. Adding references to CNSSP 15 – This is the policy document that will require Suite-B cryptography to protect National Security Systems (NSS) starting 10/1/2015. These references do not add any additional mandatory functionality to the PPs/References.
  2. Adding several optional ciphersuites to the TLS SFRs in each PP/errata – The PPs have been updated to selectively allow both the Suite-B transitional ciphersuites and the Suite-B ciphersuites to be evaluated.

Acumen’s Take: These updates were made to explicitly support upcoming Suite-B protection requirements. If a product is targeting a market that requires Suite-B protection or wants to be compliant with CNSSP 15, these new ciphersuites should be included in the product evaluation. These requirements will continue to grow in importance to product vendors as policies like the ones defined in CNSSP 15 take effect and as CC evaluation is used more and more as a prerequisite for programs like CSFC. We fully expect future PP revisions to more closely mirror the requirements in these policies/programs.

Also, these updates are Suite-B focused. If you have any questions about how Suite-B applies to product certification, give us a call, drop us a note, or check out our white paper on Suite-B cryptography and how it applies to the most commonly certified network protocols.

It’s Been a Busy Month

It seems that Acumen Security is not the only one who has been busy over the last month. NIAP has been quietly completing and publishing many new and updated scheme documents and completing evaluations. Let’s take a quick look at what NIAP has completed over the last month or so:

Three scheme publications have been updated:

Two new policy letters have been posted:

Three new Protection Profiles have been published:

A new DOD Annex for a PP has been published:

This is quite a bit of stuff to complete over a six-week period. I am most excited about the new PPs and the DOD Annex that have been published. For a long while, one of the critiques lobbed at NIAP was that they were only supporting PP-based product evaluations and there were not many PPs to evaluate against. There are now a total of twenty-one NIAP-approved Protection Profiles and Extended Packages and they continue to add more. Already, many of the technology types that would traditionally be validated are covered by these PPs and EPs. I am very interested to see what the list looks like six months or a year from now. Ongoing efforts, such as the Apps on OS PP working group, seem to continue to fill the pipeline with more content.

One blemish in what has been a great push by NIAP to further CC would be international participation. It would be great to see more international participation in the creation of PPs as well as products evaluated against NIAP PPs in international schemes.

And NIAP isn’t only publishing documentation; no fewer than four evaluations were completed and five new evaluations were kicked off in April and May thus far. In short, NIAP is refining its processes, supporting more technology types by publishing new PPs, AND executing on product evaluations.

Well done!