Customers select products from this listing to satisfy the reference architectures and configuration information contained in published Capability Packages. Customers must ensure that the components selected will permit the necessary functionality for the selected architecture.

For some technologies, the CSfC program requires specific, selectable requirements to be included in the Common Criteria evaluation validating that the product complies with the applicable NIAP-approved protection profile(s). Some selections, which are not required for the product to be listed on the NIAP Product Compliant List, are mandatory selections for products that are to be listed on the CSfC Components List. To see the selectable requirements, go to the CSfC Components List and click on the links for IPSec VPN Gateways, IPSec VPN Clients, WLAN Clients, WLAN Access Systems, Certificate Authorities, MDM, SW FDE, Mobile Platforms, SIP Servers and VoIP Applications.

Open source components may be listed, provided they have a responsible sponsor and an NSA-approved plan for taking a component through Common Criteria evaluation and sustainment of the component. Customers wishing to use open source components should contact us with their evaluation and sustainment plans and the responsible parties for each.

Contact us here for questions regarding the CSfC Components List.

Which protection profiles are published and which are in development?

View a current listing of NIAP approved U.S. Government Protection Profiles currently in development.

Additional information about NIAP and the Common Criteria Evaluation and Validation Scheme.

What is the process to get a commercial product CSfC-listed?

Vendors who wish to have their products eligible as CSfC components of a composed, layered information assurance solution must build their products in accordance with the applicable US Government approved Protection Profile(s) and submit their product using the Common Criteria Process.

For vendors utilizing either a U.S. Common Criteria Testing Laboratory (CCTL) or a foreign CCTL, the Product will not be added to the Components List until the NIAP/Common Criteria evaluation is complete and the Product is posted to NIAP's Product Compliant List (PCL). Vendors interested in having their products eligible as CSfC Components should notify NSA of their intent during the initial stage of the process (i.e. preferably during product development and before contracting to complete an evaluation).

Vendors are encouraged to contact NSA with any questions or issues related to CSfC selections for Components and/or the CSfC Components List Process. NSA's objective is to collaborate with vendors to support the addition of suitable products to the CSfC Components List. Vendors of products submitted for consideration under the CSfC process will be notified of NSA's decision on a product-by-product basis. In deciding whether a particular product is appropriate for CSfC, NSA considers the totality of circumstances known to NSA, including the vendor's past willingness to fix vulnerabilities, supply chain, foreign ownership, control or influence, the proposed uses of the product under consideration and any other relevant information available to NSA.

The vendor will enter into a Memorandum of Agreement (MoA) with NSA. The MoA specifies that the vendor's product must be NIAP certified and that the vendor agrees to fix vulnerabilities in a timely fashion. The MoA may also reference technology-specific selections for NIAP testing. Interested vendors must complete and submit the CSfC Questionnaire (PDF) for each product. Please submit completed questionnaires via email.

An Update to the Manufacturer Diversity Requirement

The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers. The manufacturer must show sufficient independence in the code base and cryptographic implementations of the products used to implement each layer. To demonstrate this, a manufacturer must document the similarities and differences between the two products, to include cryptographic hardware components, software code base (i.e. operating system), software cryptographic libraries, and development teams. It is a fundamental requirement that the code bases of the two products be significantly different.