On December 1, NIAP published Labgram #107 titled “Collaborative PP (cPP) and Extended Package (EP) – compliant Product Posting”.  In short, product evaluations that claim conformance to both a collaborative Protection Profile (cPP) and a NIAP Extended Package (EP) will need to go through additional hoops to be listed on the Certified Product List (CPL).

What does this mean for vendors?

Vendors mainly rely on 2 web pages for confirmation of CC certificates for their products.  NIAP’s Product Compliant List (PCL) is more important for sales and marketing efforts in the US, while the CPL is more important for international efforts.  Listings on the PCL are not affected by this policy change.  On the CPL, no new certificates involving both cPPs and EPs will be posted (existing listings will not be removed).

This change takes effect immediately.  12 of the current entries on NIAP’s Products in Evaluation page are impacted, as well as an unknown number of planned evaluations.

What can vendors do?

In the short term, vendors whose products are being evaluated against cPP/EP combination would need to decide ahead of time whether CPL entry is of importance to their business case. If it is, vendors should work with their CCTL to ensure NIAP is informed at evaluation check-in about the desire for CPL posting. NIAP will work with the CCTL to have two versions of ST, Validation Report and Certificate. One set will be for the cPP/EP combination (for posting on NIAP PCL) and another set for CPL.

In the longer term, vendors can increase their participation in international Technical Communities (iTCs) to assist in converting NIAP EPs to cPP modules.  Evaluations claiming conformance to both cPPs and cPP modules will be listed on both the CPL and PCL.