In late January 2016 an updated version of the Intrusion Prevention System (IPS) Extended Package (EP) was released. Although the changes to the EP itself are minor, changes to its scope may make this update significant for vendors seeking accreditation.
At first glance, version 2.1 of the IPS EP is nearly identical to version 2.0, which preceded it. The scope of the EP remains the same, as do the threats it addresses and its objectives. Neither the required nor the optional Security Functional Requirements (SFRs) have been altered, nor have there been any changes to the Assurance Activities (AAs). What has changed is the Protection Profile (PP) that the EP can be used with. Version 2.0 of the IPS EP could only be used to extend the collaborative Protection Profile for Network Devices (NDcPP), whereas version 2.1 can be applied to products going against the NDcPP or the collaborative Protection Profile for Stateful Traffic Filter Firewalls (FWcPP). Under the old version of the EP, vendors did have the option of certifying their products against the FWcPP as well, but this would not have freed them from NDcPP requirements. With the changes in version 2.1, vendors can now add the IPS EP (whose official short name is still PP_NDcPP_IPS_EP despite the change of applicable PPs) to a FWcPP evaluation without going against NDcPP as well.
As of today, there are no products on the Product Compliant List (PCL) or officially in evaluation that go against the FWcPP or the IPS EP, so the full real-life implications of this change are yet to be seen. It is interesting to note that although the NDcPP and FWcPP do not support distributed TOEs, the IPS EP does allow different SFRs to be enforced by distributed TOE components, as long as those components are all capable of meeting NDcPP or FWcPP requirements on their own.