Your Roadmap to Risk Reduction!
The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:
NIAP Common Criteria
Common Criteria (ISO/IEC 15408) is a framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs, respectively) in a Security Target (ST); these requirements may be taken from Protection Profiles (PPs). Vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they meet those claims. In other words, Common Criteria provides assurance that the process of specifying, implementing and evaluating a computer security product has been conducted in a rigorous, standard and repeatable manner at a level commensurate with the product's target environment of use. The Common Criteria portal maintains a list of certified products, including operating systems, access control systems, databases, and key management systems.
Modules include:
- NIAP Common Criteria
Our Approach to NIAP Compliance Audits
The National Information Assurance Partnership (NIAP), operated by the National Security Agency, oversees the evaluation of commercial IT products for use in national security systems. NIAP publishes Protection Profiles that set out the specific requirements for various product types, including off-the-shelf technology, applications, and mobile devices. Continuum GRC’s audits utilize Common Criteria, a framework that allows users to specify their security functional requirements and the assurance requirements that go with them. That lets vendors build to, and accredited laboratories evaluate against, the specific security needs of the user.
We perform a security evaluation of products using Common Criteria testing to ensure that they meet the government-approved Protection Profile for their product type.
Focused Audit and Assessments
A NIAP audit is a security evaluation of IT products, applications, and mobile devices used in highly sensitive government environments, such as national security systems. These audits use Common Criteria testing, a standardized set of guidelines and requirements.
Protection Profiles (PPs) define the security requirements for a given technology type, derived from the threats that kind of product faces; a product’s conformance to its PP is evaluated by an accredited third-party laboratory. Its access controls and cryptographic features are checked against the PP’s requirements as part of that evaluation.
Once a product has achieved certification, it is listed on both the U.S. NIAP Product Compliant List and the international Common Criteria certified products list.
FAQ
How often should Common Criteria audits be conducted?
A Common Criteria certificate is listed internationally for five years, and NIAP keeps a product on its Product Compliant List for two years before archiving it unless the vendor performs assurance maintenance. With ever-evolving threats to security, organizations should plan for regular maintenance, re-evaluation, and re-assessment. IT products must demonstrate resistance to newly identified security issues, and a successful re-evaluation issues a new certificate that is good for another five years.
What is the difference between EAL1 and EAL7 in the Common Criteria?
In Common Criteria testing, EAL1 (“functionally tested”) is the lowest Evaluation Assurance Level: the evaluators confirm that the product’s claimed security functions work as documented, with minimal review of its design or development process. EAL7 (“formally verified design and tested”) is the highest, requiring formal (mathematically specified) design models, rigorous independent testing, and verification that the implementation corresponds to the design, so as to provide the highest level of confidence for use in high-risk environments. Note that NIAP no longer accepts EAL-based evaluations; NIAP evaluations are conducted against NIAP-approved Protection Profiles, which fix the assurance activities for each technology type.
Who needs NIAP Common Criteria certification?
Common Criteria testing and certification applies to IT products, devices, apps, and systems that will handle sensitive government information, such as within the Department of Defense. Under CNSS Policy 11, commercial products used in national security systems must be evaluated through NIAP against the applicable Protection Profile; those requirements are set by NIAP, which is run by the National Security Agency.
How long does the NIAP Common Criteria audit process take?
Between evaluation and certification, the audit process can take anywhere from six months to a year, depending on how complex the product is and how well its documentation is prepared. The product is tested by an approved Common Criteria Testing Laboratory (CCTL). After testing, the lab submits its evaluation report to NIAP, which validates the results and issues the certificate.
What is the cost of obtaining NIAP Common Criteria certification?
The cost of having a product evaluated for certification varies with its complexity, the amount of documentation required, and the Protection Profile it is evaluated against. It ranges from $150,000 upwards. NIAP itself does not charge for validation; the costs come from the CCTL’s evaluation work and the vendor’s own preparation.
What is the role of vendors and manufacturers?
Vendors and manufacturers who want their IT products to pass the security evaluation for government use need to account for the NIAP Common Criteria requirements of the applicable Protection Profile at each step, from design onward. Maintaining thorough documentation during planning, development, and manufacturing is essential, because the evaluator relies on it. Manufacturers must also work closely with the CCTL throughout the evaluation.
What are you waiting for?
You are just a conversation away from putting the power of Continuum GRC to work for you.
Contact us using the form below or by calling us at 1-888-896-6207 for immediate assistance.