NIAP has had a busy summer. While taking in record number of products into evaluation and issuing new PPs they recently released a collection of interesting documents. On September 11, NIAP announced publication of mapping between Protection Profiles (PPs) and NIST SP 800-53 Revision 4 controls. Specifically mappings have been released for:

1. Software Applications PP


3. Network Devices cPP

This is important especially for agencies and C&A personnel where SA-4(7) (requirement to procure products evaluated against NIAP PPs) is applicable. Using these controls the C&A personnel can reduce the amount of work required to verify compliance with the applicable controls. For example IA-6 requires that authentication feedback is obscured. There is an equivalent SFR in network device cPP namely FIA_UAU.7. So if a product is known to be CC evaluated and running in it’s evaluated configuration, IA-6 can be deemed to have been met for that particular product. Below is a snapshot of this mapping:

NDcPP to SP 800-53 mapping example

There are couple of important points to note before leveraging these mappings:

1. Common Criteria evaluation is for individual products where as SP 800-53 compliance is for systems. This has to be considered while utilizing the mappings. Just because the product meets the 800-53 control does not mean the system is compliant

2. The product has to be run in it’s evaluated configuration as defined by the product specific Common Criteria user guidance

Please feel free to contact us with questions or comments.