NIAP and Protection Profiles

IT security in the federal market is layered and multifaceted. Specific requirements exist for different types of data platforms and technologies. At a more granular level, standards have been developed for individual IT products: NIAP Protection Profiles.

This article will cover why these profiles are essential for federal security, how to find them, and what to do if there isn’t an available profile to follow. 


What Are NIAP Protection Profiles?

NIAP (National Information Assurance Partnership) Protection Profiles are documents describing the standard requirements for the security functionality of IT products and systems and the assurance measures used to evaluate them. The NIAP operates under the purview of the National Security Agency (NSA) and is a part of the U.S. Government’s effort to implement the Common Criteria for Information Technology Security Evaluation.

A Protection Profile (PP) serves several vital purposes:

  • Defines Security Requirements: It specifies a product or system’s security requirements and behaviors, including user authentication, access control, cryptographic support, and more.
  • Basis for Evaluation: A PP provides a standardized basis for evaluating the security properties of IT products. This allows manufacturers to design and implement their products according to these requirements to meet specific security needs.
  • Facilitates Mutual Recognition: PPs allow products evaluated against a standard set of requirements to be recognized and accepted across countries participating in the Common Criteria Recognition Arrangement (CCRA), facilitating international trade and cooperation in IT security.
  • Industry and Government Collaboration: PPs are often developed in collaboration between government agencies, commercial IT product developers, and other stakeholders. This ensures that the security requirements are relevant to the needs of both the public and private sectors.
  • Customization and Configuration Guidance: Besides setting requirements for product development and evaluation, PPs often include guidance for the secure configuration and deployment of the evaluated products, helping end-users maintain their systems’ security posture.

NIAP maintains a list of approved Protection Profiles for various categories of products, such as network devices, mobile devices, operating systems, and more. Product developers seeking to have their products certified will align their development efforts with a relevant Protection Profile to ensure their products can be evaluated and potentially certified under the NIAP program. 


What Are the Protection Profiles?

NIAP Protection Profiles

NIAP Protection Profiles cover a wide range of technology types, ensuring that IT products meet specific security requirements for use within national security systems. Examples of these protection profiles include:

  • Hardware Platform and Components: A collaborative protection profile for hardware that plays a critical role in system security is provided for dedicated security components.
  • Encrypted Storage: This includes profiles for full drive encryption, focusing on authorization acquisition and the encryption engine to secure data at rest.
  • Network Device: Protection profiles for network devices to secure network infrastructure components.
  • Biometrics: Secure and reliable biometric authentication methods are ensured for biometric enrollment and verification.
  • Firewall: Profiles for stateful traffic filter firewalls emphasize the importance of monitoring and controlling incoming and outgoing network traffic based on predetermined security rules.
  • Virtual Private Network (VPN): Profiles for VPN gateways and clients, providing secure communication over public networks.
  • Application Software: Focusing on the security of application software to ensure that applications handling sensitive information adhere to stringent security standards.
  • Wireless LAN: Addressing the security concerns associated with wireless networking for wireless local area network access systems and clients.

Other protection profiles can cover various technologies and categories, including USB drives, peripherals, and SIP Servers.


Why Are Protection Profiles Required for IT Products Used to Handle Secure Data?

Federal security standards mandate that IT products must meet NIAP Protection Profiles primarily under the Committee on National Security Systems Policy (CNSSP) No. 11. This policy requires that departments and agencies within the Executive Branch must acquire only those products or cryptographic modules that have been validated against the International Common Criteria for Information Technology Security Evaluation, the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS), or by the NIST FIPS Cryptographic Module Validation Program. 

CNSSP #11 is a critical policy component for the U.S. Government’s overall Information Assurance strategy. It ensures that IT products acquired for national security systems are validated to perform as advertised by their manufacturers or satisfy the security requirements of the intended user. The policy emphasizes the importance of standardized evaluation processes to validate the security claims of marketed IA products, ensuring they meet national security systems and information security needs.


What Happens When There Isn’t a Defined Protection Profile?

When vendors or end-users want to include a product for federal use but there is no existing protection profile, they can follow these steps:

  • Contact NIAP: The first step is to contact the NIAP. Vendors or end-users can express interest in developing a protection profile for their specific product or technology area.
  • Collaborate with NIAP: NIAP may work with the vendor and/or end-user to establish a path to evaluation. This process may involve collaboration between NIAP, the vendor, technical experts, and relevant stakeholders to define the security requirements and objectives for the protection profile.
  • Participate in Development: Vendors and end-users may be invited to participate in developing the protection profile. This involvement allows them to provide input, insights, and expertise into the specific security needs and challenges of the product or technology area.
  • Adhere to Guidelines: NIAP may provide guidelines or recommendations for vendors and end-users to follow during the development and evaluation. These guidelines ensure that the resulting protection profile meets the necessary security standards and addresses the specific needs of federal users.
  • Evaluation Against Criteria: Once NIAP develops and publishes the protection profile, vendors can have their products evaluated against its criteria. This process helps ensure that the product meets the required security standards for federal use.
  • Seek Certification: Vendors can seek certification for their products from NIAP after successful evaluation. Certification indicates that the product has met the security requirements specified in the protection profile and is approved for federal use by relevant security standards and policies.

By following these steps and collaborating with NIAP, vendors, and end-users can work towards ensuring that their products meet the necessary security standards for federal use, even in the absence of an existing protection profile.


We Handle NIAP and Related Assessments

If you’re looking to meet requirements under a NIAP Protection Profile or seek other related assessment services under FIPS or NVLAP, call Lazarus Alliance.

Lazarus Alliance