1 of 19

US NIAP Overview:

QRC in Commercial Technology

JON ROLF – DIRECTOR NIAP/US

25 MAR 2025

NIAP-CCEVS.ORG

2 of 19

3 of 19

National Information Assurance Partnership

COTS Product Validation

Represent U.S. in CCRA

Protection Profile Development

NSS [CSfC]

U.S. Gov’t

Industry

Gov’t, Industry

4 of 19

COTS Product Validation

Establish and implement processes to oversee COTS product evaluations under the terms of the Common Criteria Recognition Arrangement to ensure evaluated COTS IT products are available for use in NSS. 

Protection Profile

250+ Products & 1000+ Product Configurations

COTS IT Product

Security Target (Draft)

NIAP Validation: Oversee | Review | Validate

Evaluation by Common Criteria Testing Lab: Analyze | Test | Document | Report

NIAP Certificate

Validation Report

Assurance Activity Report

Admin Guide

Security Target (Final)

5 of 19

NIAP Portfolio

NIAP-CCEVS.ORG

Mobility

Automation

Encrypted

Storage

Computing �Platform

Secure Component

Apps

Cloud

Virtualization

Security �Mgmt

Network

6 of 19

  • Mature COTS Product Evaluation for National Security Systems
  • Define minimum security requirements for commercial technologies
  • Represent US in Common Criteria Recognition Arrangement
  • CNSSP 11 Enforcement Mechanism

NIAP Today

  • 81 FY24 Product Evaluations
  • 33 Nation Partnerships
  • 52 Protection Profiles

Continued growth of PP coverage and product evaluations

  • 81 Evaluations
  • 250+ Configurations

FY24 Evaluations by Technology

  • 48% Network Device
  • 26% Application Software
  • 10% Mobility
  • 9% Full Drive Encryption
  • 5% Operating System
  • 2% Certificate Authority
  • 1% Enterprise Security Management

Network Device evaluations by configuration:

  • 16 ND only
  • 11 MACSEC
  • 4 VPNGW
  • 1 FW
  • 1 IPS
  • 1 FW + VPNGW
  • 1 FW + VPNGW + IPS
  • 1 MACSEC + VPNGW + WLAN

7 of 19

UNCLASSIFIED

(U) Total NIAP Evaluations by Fiscal Year

8 of 19

Relationship Between NIAP and CSfC

  • CSfC enables products on NIAP Product Compliant List to be used in layered solutions to protect classified National Security Systems (NSS).
  • After receiving NIAP validation, a vendor follows a separate process with CSfC to obtain approval to be used in CSfC.
  • CSfC may require a product to support certain, more secure selections that are only optional for NIAP compliance.
  • Approved products are added to the CSfC Components List.

9 of 19

Represent U.S. in CCRA

Position the U.S. as a leader among Common Criteria Recognition Agreement (CCRA) nations. Further U.S. government and industry objectives to eliminate trade barriers and ensure transparent, meaningful, and repeatable evaluations. 

Certificate Producers

Certificate Consumers

Australia

Canada

France

Germany

India

Italy

Japan

Malaysia

Netherlands

Norway

Republic of Korea

Singapore

Spain

Sweden

Turkey

United States

Austria

Indonesia

Czech Republic

Denmark

Ethiopia

Finland

Greece

Hungary

New Zealand

Israel

Pakistan

Poland

Qatar

Slovak Republic

United Kingdom

Belgium

Jordan

10 of 19

NIAP Protection Profiles

11 of 19

Requirements Driving Protection Profile Development (2024/2025)

  • International standards updates to all Protection Profiles – CC:2022
  • Post-quantum updates to algorithms – CNSA 2.0
  • Cybersecurity requirements updates:
    • Supply chain (SBOM)
    • Vulnerability tracking
    • SSDF
    • Zero Trust
  • Commercial Solutions for Classified roadmap coordination and product availability – CSfC
  • Cloud strategy – operational requirements, whole-of-government coordination, industry and international coordination

12 of 19

CNSA 2.0 Overview

Anticipated Timeline

13 of 19

Predicted Timeline for Adding Algorithms to PPs

LMS
  • Standardized by NIST
  • Implemented in CAVP/CMVP
  • 2024-2025: Add LMS as selection in PPs

XMSS
  • Standardized by NIST
  • Implemented in CAVP/CMVP
  • 2024-2025: Add XMSS as selection in PPs

CRYSTALS-Kyber (ML-KEM)
  • Standardized by NIST
  • Implemented in CAVP
  • 2024-2025: Add CRYSTALS-Kyber as selection in PPs

CRYSTALS-Dilithium (ML-DSA)
  • Standardized by NIST
  • Implemented in CAVP
  • 2024-2025: Add CRYSTALS-Dilithium as selection in PPs

14 of 19

Protection Profile updated with CNSA 2.0

Prior to 2025

Q1/Q2 2025

Q2 2025

Q3 2025

Q4 2025

Beyond

Functional Packages

SSH v1.1

X.509 v1.0

PPs

DSC

Functional Package

TLS v2.1

PPs

GPCP

GPOS

PP Modules

VPN GW

WIDS

IPS

MACSec

ESC/SBC/VVOIP

PPs

App SW v2.0

NDcPP

PP Modules

Web Browsers

Email Client

FE/FEEM

Protection Profiles

ESM

PPs

Cert Authority

Virtualization

Mobility

FDE

PP Modules

WLAN

VPNC

EDR/HA

STIP

BT FW

15 of 19

NIAP Current Path to QRC Testing

Update Protection Profiles

Talk to Industry

Test and Evaluate Products with QRC

Field Products with QRC

FY25 → FY26 → Late FY26 →

16 of 19

Cryptographic Algorithm Testing Using ACVP

  • Policy Letter #5: NIST CAVP certificate required
  • Full testing supported:
    • LMS
    • ML-DSA
    • ML-KEM
    • SLH-DSA

17 of 19

Entropy Source Testing Using ESVP

  • Labgram #118: NIST ESV certificate required
  • QRC requires strong random numbers
  • ESV process is rigorous, but enables reuse:
    • Across NIAP and FIPS evaluations
    • Across multiple NIAP evaluations
  • atsec tested 30% of all ESV certificates
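As an added example (not from the slides, and not NIAP's or NIST's own tooling), the following Python implements the most common value min-entropy estimator from NIST SP 800-90B section 6.3.1, one of the estimates an ESV submission reports for a noise source, and runs it over constructed sample sets: a stuck source, a source biased 50% toward one value, and a seeded pseudo-random stand-in for a healthy source. The sample generators, their names and the `meets_claim` helper are assumptions for illustration; the 2.576 constant and the bound formula are those of SP 800-90B.

```python
"""Added example: SP 800-90B most common value (MCV) min-entropy estimate.

The ESV process validates the entropy a vendor claims per sample from a noise
source; the MCV estimate is the simplest of the 90B estimators and gives a
conservative upper bound on the probability of the most frequent symbol.
Sample data below is constructed, not captured from a real device.
"""
import math
import random
from collections import Counter

Z_ALPHA = 2.576  # constant for the 99% upper confidence bound in SP 800-90B 6.3.1


def mcv_min_entropy(samples):
    """Return (p_max, p_u, H_min) for a sequence of noise-source symbols.

    p_max : observed frequency of the most common symbol
    p_u   : upper confidence bound on that frequency (capped at 1.0)
    H_min : -log2(p_u), the min-entropy estimate in bits per sample
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    counts = Counter(samples)
    p_max = max(counts.values()) / n
    p_u = min(1.0, p_max + Z_ALPHA * math.sqrt(p_max * (1.0 - p_max) / (n - 1)))
    return p_max, p_u, -math.log2(p_u)


def meets_claim(samples, claimed_bits_per_sample):
    """Hypothetical check: does the MCV estimate support the entropy the vendor
    claims per sample (e.g. in a Security Target)? 90B takes the minimum over
    all its estimators, so passing MCV alone is necessary, not sufficient."""
    return mcv_min_entropy(samples)[2] >= claimed_bits_per_sample


# --- constructed sample sets -------------------------------------------------

def stuck_samples(n=1000):
    """Constructed: a failed source that always emits the same byte."""
    return [0x41] * n


def biased_samples():
    """Constructed: 1000 bytes where value 0 occurs exactly half the time and
    the remainder is spread thinly over 1..255, so p_max is exactly 0.5."""
    return [0] * 500 + [(i % 255) + 1 for i in range(500)]


def healthy_looking_samples(n=4000, seed=2025):
    """Constructed: seeded PRNG output standing in for a well-behaved 8-bit
    source. A PRNG is not a noise source; it only gives MCV something uniform."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]


if __name__ == "__main__":
    for name, data in [("stuck", stuck_samples()),
                       ("biased", biased_samples()),
                       ("healthy-looking", healthy_looking_samples())]:
        p_max, p_u, h = mcv_min_entropy(data)
        print(f"{name:16s} p_max={p_max:.4f} p_u={p_u:.4f} H_min={h:.3f} bits/sample")
    # A claim of 4 bits/sample for the biased source would not survive MCV.
    print("biased source supports 4 bits/sample:", meets_claim(biased_samples(), 4.0))
```

The stuck source lands at exactly 0 bits per sample, and the biased source at roughly 0.89 bits even though it emits 256 distinct values, which is the point: a claim of several bits per sample is rejected by the simplest estimator before any of the more expensive ones run.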

18 of 19

How to Contribute

  • Technical Communities
  • Common Criteria User Forum
  • GitHub site: https://github.com/commoncriteria

19 of 19

For More Information…

Visit the NIAP Website: www.niap-ccevs.org

Contact Us via E-mail: niap@niap-ccevs.org

CCRA:  www.commoncriteriaportal.org