NIAP and Protection Profiles

IT security in the federal market is layered and multifaceted. Specific requirements exist for different types of data platforms and technologies. At a more granular level, standards have been developed for individual IT products: NIAP Protection Profiles.

This article will cover why these profiles are essential for federal security, how to find them, and what to do if there isn’t an available profile to follow. 

What Are NIAP Protection Profiles?

NIAP (National Information Assurance Partnership) Protection Profiles are documents describing the standard requirements for the security functionality of IT products and systems and the assurance measures used to evaluate them. The NIAP operates under the purview of the National Security Agency (NSA) and is a part of the U.S. Government’s effort to implement the Common Criteria for Information Technology Security Evaluation.

A Protection Profile (PP) serves several vital purposes:

• Defines Security Requirements: It specifies a product or system’s security requirements and behaviors, including user authentication, access control, cryptographic support, and more.
• Basis for Evaluation: A PP provides a standardized basis for evaluating the security properties of IT products. This allows manufacturers to design and implement their products according to these requirements to meet specific security needs.
• Facilitates Mutual Recognition: PPs allow products evaluated against a standard set of requirements to be recognized and accepted across countries participating in the Common Criteria Recognition Arrangement (CCRA), facilitating international trade and cooperation in IT security.
• Industry and Government Collaboration: PPs are often developed in collaboration between government agencies, commercial IT product developers, and other stakeholders. This ensures that the security requirements are relevant to the needs of both the public and private sectors.
• Customization and Configuration Guidance: Besides setting requirements for product development and evaluation, PPs often include guidance for the secure configuration and deployment of the evaluated products, helping end-users maintain their systems’ security posture.

NIAP maintains a list of approved Protection Profiles for various categories of products, such as network devices, mobile devices, operating systems, and more. Product developers seeking to have their products certified will align their development efforts with a relevant Protection Profile to ensure their products can be evaluated and potentially certified under the NIAP program. 

What Are the Protection Profiles?

NIAP Protection Profiles cover a wide range of technology types, ensuring that IT products meet specific security requirements for use within national security systems. Examples of these protection profiles include:

• Hardware Platform and Components: A collaborative protection profile for hardware that plays a critical role in system security is provided for dedicated security components.
  
• Encrypted Storage: This includes profiles for full drive encryption, focusing on authorization acquisition and the encryption engine to secure data at rest.
  
• Network Device: Protection profiles for network devices to secure network infrastructure components.
  
• Biometrics: Secure and reliable biometric authentication methods are ensured for biometric enrollment and verification.
  
• Firewall: Profiles for stateful traffic filter firewalls emphasize the importance of monitoring and controlling incoming and outgoing network traffic based on predetermined security rules.
  
• Virtual Private Network (VPN): Profiles for VPN gateways and clients, providing secure communication over public networks.
  
• Application Software: Focusing on the security of application software to ensure that applications handling sensitive information adhere to stringent security standards.
  
• Wireless LAN: Addressing the security concerns associated with wireless networking for wireless local area network access systems and clients.

Other protection profiles can cover various technologies and categories, including USB drives, peripherals, and SIP Servers.

Why Are Protection Profiles Required for IT Products Used to Handle Secure Data?

Federal security standards mandate that IT products must meet NIAP Protection Profiles primarily under the Committee on National Security Systems Policy (CNSSP) No. 11. This policy requires that departments and agencies within the Executive Branch must acquire only those products or cryptographic modules that have been validated against the International Common Criteria for Information Technology Security Evaluation, the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS), or by the NIST FIPS Cryptographic Module Validation Program. 

CNSSP #11 is a critical policy component for the U.S. Government’s overall Information Assurance strategy. It ensures that IT products acquired for national security systems are validated to perform as advertised by their manufacturers or satisfy the security requirements of the intended user. The policy emphasizes the importance of standardized evaluation processes to validate the security claims of marketed IA products, ensuring they meet national security systems and information security needs.

What Happens When There Isn’t a Defined Protection Profile?

When vendors or end-users want to include a product for federal use but there is no existing protection profile, they can follow these steps:

• Contact NIAP: The first step is to contact the NIAP. Vendors or end-users can express interest in developing a protection profile for their specific product or technology area.
• Collaborate with NIAP: NIAP may work with the vendor and/or end-user to establish a path to evaluation. This process may involve collaboration between NIAP, the vendor, technical experts, and relevant stakeholders to define the security requirements and objectives for the protection profile.
• Participate in Development: Vendors and end-users may be invited to participate in developing the protection profile. This involvement allows them to provide input, insights, and expertise into the specific security needs and challenges of the product or technology area.
• Adhere to Guidelines: NIAP may provide guidelines or recommendations for vendors and end-users to follow during the development and evaluation. These guidelines ensure that the resulting protection profile meets the necessary security standards and addresses the specific needs of federal users.
• Evaluation Against Criteria: Once NIAP develops and publishes the protection profile, vendors can have their products evaluated against its criteria. This process helps ensure that the product meets the required security standards for federal use.
• Seek Certification: Vendors can seek certification for their products from NIAP after successful evaluation. Certification indicates that the product has met the security requirements specified in the protection profile and is approved for federal use by relevant security standards and policies.

By following these steps and collaborating with NIAP, vendors, and end-users can work towards ensuring that their products meet the necessary security standards for federal use, even in the absence of an existing protection profile.

We Handle NIAP and Related Assessments

If you’re looking to meet requirements under a NIAP Protection Profile or seek other related assessment services under FIPS or NVLAP, call Lazarus Alliance.

• FedRAMP
• StateRAMP
• NIST 800-53
• FARS NIST 800-171
• CMMC
• SOC 1 & SOC 2
• HIPAA, HITECH, & Meaningful Use
• PCI DSS RoC & SAQ
• IRS 1075 & 4812
• ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
• NIAP Common Criteria – Lazarus Alliance Laboratories
• And dozens more!

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI.  With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Shutdown Security And Cyber Vulnerability

When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%.  Cybersecurity failures during government disruptions rarely start with...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing.  We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector.  It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility.  This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks.  Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→