Protection Profiles (PP)

A Protection Profile (PP) is an implementation-independent statement of security requirements for a category of IT products (in CC terms, a TOE type). It states the threats a product of that type faces, the security objectives that counter them, and the functional and assurance requirements the product must meet to be considered secure for that use case, without reference to any particular vendor’s implementation.

Summary: A Protection Profile is a vendor-independent security requirements template for a product category; Security Targets claim conformance to it.

Key facts

  • Role: Vendor-independent security requirements for a product category
  • Relationship to ST: A Security Target may claim conformance to one or more PPs
  • Main types: Collaborative Protection Profiles (cPPs), national PPs, industry PPs
  • cPP governance: Developed by international Technical Communities (iTCs) under the CCRA
  • NIAP requirement: Since 2014, NIAP evaluations must conform to an approved PP
  • Typical categories: Network devices, operating systems, application software, full disk encryption, smart cards, HSMs

How Protection Profiles work

In a Common Criteria evaluation, the vendor writes a Security Target (ST) describing its product’s security claims. If a Protection Profile exists for the product category, the ST can claim PP conformance, meaning it meets all the requirements defined in the PP. The PP also dictates how tightly the ST must follow it: cPPs and NIAP PPs require exact conformance, so the ST may not drop, weaken or add to the PP’s requirements except where the PP itself provides a selection, assignment or optional requirement.

This standardization is valuable because:

  • Procurement teams can require PP conformance instead of writing their own security requirements
  • Vendors know exactly what to build and test against
  • Evaluators have a consistent baseline for each product type
  • Comparisons between certified products in the same category become meaningful

Types of Protection Profiles

Collaborative Protection Profiles (cPP)

Developed by international Technical Communities (iTCs) under the CCRA. cPPs represent consensus requirements from multiple nations and are the preferred basis for CCRA mutual recognition. Each cPP is published with a Supporting Document that spells out the evaluation activities (the tests and evidence checks) an evaluator must perform for every requirement, so evaluations of the same product type are comparable across schemes. Examples include cPPs for network devices, full disk encryption, and dedicated security components.

National Protection Profiles

Developed by individual national schemes for their specific requirements. NIAP maintains a large library of PPs for US government procurement. ANSSI publishes PPs for French government requirements.

Industry Protection Profiles

Developed by industry bodies for specific sectors. For example, payment industry PPs for point-of-sale terminals or smart card PPs developed by organizations like GlobalPlatform or EMVCo.

NIAP and PP-based evaluations

Since 2014, NIAP (the US CC scheme) has required every evaluation to claim conformance to a NIAP-approved Protection Profile; it does not accept standalone EAL-based evaluations. Each NIAP PP carries its own tailored assurance package and evaluation activities, so products certified under NIAP claim no EAL at all. This focuses evaluations on threat-relevant security requirements for the product type rather than on a generic assurance package.

NIAP’s PP library covers major product categories including:

  • Network devices (firewalls, VPN gateways, routers, switches)
  • Operating systems (general-purpose, mobile)
  • Application software
  • Virtualization and VDI
  • Full disk encryption
  • Multi-function devices (printers)
  • Enterprise mobility management

PP conformance in procurement

When writing procurement requirements, specifying PP conformance is more precise than specifying an EAL alone:

  • A PP defines which security functions the product must implement and how each one is evaluated
  • An EAL defines how rigorously the product was evaluated (the assurance package), but says nothing about which functions it has
  • For PPs written against an EAL package, such as many smart card and security IC PPs evaluated at EAL4 or above with augmentation, the two together fix both the functional and the assurance claim
  • cPPs and NIAP PPs fix their own assurance package and require exact conformance, so a certificate against them carries no EAL; attaching an EAL to such a requirement only makes it unsatisfiable

For example, requiring “CC certification claiming conformance to the NDcPP (Network Device collaborative Protection Profile)” is more meaningful than “CC EAL2 certified”: the PP requirement guarantees the product was tested against a specific set of network device security requirements, whereas an EAL2 certificate could just as well belong to a printer or a chip with no network functionality at all. Where the relevant PP does use an EAL package, name both, for example “conformant to the applicable PP at EAL4 augmented” with the augmentation that PP requires.

Tracking PP conformance

NenkinTracker tracks Protection Profile conformance alongside all other certification metadata. See which products conform to which PPs across all CCRA member schemes. Browse the Protection Profile directory for every PP referenced by indexed certificates, with per-PP lists of conforming products.
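As an added example of the selection logic the procurement and tracking sections above describe (this is not NenkinTracker’s code and not the CC portal’s data model), the following Python matches procurement requirements against certificate records and builds the per-PP index a PP directory shows. The record fields, the requirement shape and every record are constructed for illustration; PP identifiers other than NDcPP are placeholders.

```python
"""Match procurement requirements against certificate records.

Added example, not NenkinTracker code. CertRecord/Requirement fields and all
records below are constructed; PP identifiers except "NDcPP" are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CertRecord:
    product: str
    scheme: str
    pp_claims: tuple[str, ...]  # PPs / PP-Modules the Security Target claims conformance to
    eal: Optional[str]          # EAL package such as "EAL4+"; None when the PP fixes its own
                                # assurance package, as cPPs and NIAP PPs do


@dataclass(frozen=True)
class Requirement:
    pp: Optional[str] = None       # required PP identifier (None: no PP required)
    min_eal: Optional[int] = None  # minimum EAL number (None: no EAL floor)


def eal_number(eal: Optional[str]) -> Optional[int]:
    """'EAL4+' -> 4, 'EAL2' -> 2, None -> None (no EAL claimed)."""
    if eal is None:
        return None
    if not eal.startswith("EAL"):
        raise ValueError(f"not an EAL package: {eal!r}")
    return int(eal[3:].rstrip("+"))


def matches(rec: CertRecord, req: Requirement) -> bool:
    """A record satisfies a requirement only if it meets every stated dimension."""
    if req.pp is not None and req.pp not in rec.pp_claims:
        return False
    if req.min_eal is not None:
        level = eal_number(rec.eal)
        # A cPP / NIAP-PP certificate carries no EAL, so it can never satisfy an
        # EAL floor, however strong the PP's own assurance package is.
        if level is None or level < req.min_eal:
            return False
    return True


def select(records, req: Requirement) -> list[str]:
    """Products from `records` that satisfy `req`, in input order."""
    return [r.product for r in records if matches(r, req)]


def index_by_pp(records) -> dict[str, list[str]]:
    """Per-PP lists of conforming products: the view a PP directory presents."""
    index: dict[str, list[str]] = {}
    for r in records:
        for pp in r.pp_claims:
            index.setdefault(pp, []).append(r.product)
    return index


# Constructed records; none of these are real certificates.
CERTS = (
    CertRecord("ExampleNet FW 9",        "NIAP", ("NDcPP",),                None),
    CertRecord("ExampleNet VPN GW 3",    "NIAP", ("NDcPP", "VPNGW-Module"), None),
    CertRecord("Example Desktop OS",     "NIAP", ("OS-PP",),                None),
    CertRecord("Example Secure IC",      "BSI",  ("SecIC-PP",),             "EAL5+"),
    CertRecord("Example Office Printer", "BSI",  (),                        "EAL2"),  # EAL-only, no PP
)

if __name__ == "__main__":
    # "CC EAL2 certified": a printer and a chip match, no network device does.
    print(select(CERTS, Requirement(min_eal=2)))
    # "Conformant to the NDcPP": exactly the products evaluated against network-device requirements.
    print(select(CERTS, Requirement(pp="NDcPP")))
    # "NDcPP at EAL2": nothing, because cPP certificates carry no EAL.
    print(select(CERTS, Requirement(pp="NDcPP", min_eal=2)))
    # PP written against an EAL package: both dimensions apply.
    print(select(CERTS, Requirement(pp="SecIC-PP", min_eal=4)))
    print(index_by_pp(CERTS))
```

The EAL-only query is the one to notice: it returns products from unrelated categories and silently drops every cPP-certified network device, which is exactly why the procurement guidance above says to require the PP and to add an EAL only where the PP itself is written against one.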

See also