It seems that Acumen Security is not the only one who has been busy over the last month. NIAP has been quietly publishing many new and updated scheme documents and completing evaluations. Let’s take a quick look at what NIAP has completed over the last month or so.
Three scheme publications have been updated:
- Publication #2 Common Criteria Evaluation and Validation Scheme – Quality Manual and Standard Operating Procedures
- Publication #3 Common Criteria Evaluation and Validation Scheme – Guidance to Validators
- Publication #5 Common Criteria Evaluation and Validation Scheme – Guidance to Sponsors
Two new policy letters have been posted:
- Policy Letter 021: NIAP Evaluated Product Assurance Maintenance – Products with Evaluation Assurance Level (EAL) Claims
- Policy Letter 022: NIAP Evaluated Product Assurance Maintenance – Protection Profile Compliant Products
Three new Protection Profiles have been published:
- Protection Profile for Certification Authorities Version 1.0
- Protection Profile for Email Clients Version 1.0
- Protection Profile for Redaction Version 1.0
A new DOD Annex for a PP has been published:
This is quite a bit of stuff to complete over a six-week period. I am most excited about the new PPs and the DOD Annex that have been published. For a long while, one of the critiques that were lobbed at NIAP was that they were only supporting PP-based product evaluations and there were not many PPs to evaluate against. There are now a total of twenty-one NIAP-approved Protection Profiles and Extended Packages, and they continue to add more. Already, many of the technology types that would traditionally be validated are covered by these PPs and EPs. I am very interested to see what the list looks like six months or a year from now. Ongoing efforts, such as the Apps on OS PP working group, seem to continue to fill the pipeline with more content.
One blemish in what has been a great push by NIAP to further CC would be international participation. It would be great to see more international participation in the creation of PPs, as well as products evaluated against NIAP PPs in international schemes.
And NIAP isn’t only publishing documentation: no fewer than four evaluations have been completed and five new evaluations kicked off in April and May thus far. In short, NIAP is refining its processes, supporting more technology types by publishing new PPs, AND executing on product evaluations.