NIAP — The U.S. Common Criteria Scheme

NIAP, the National Information Assurance Partnership, operates the United States’ Common Criteria Evaluation and Validation Scheme (CCEVS). Since 2014 NIAP has required evaluations to conform strictly to an approved Protection Profile, departing from open-ended EAL targets.

Key facts

  • Authorizing body: National Information Assurance Partnership (NIAP), a collaboration between NSA and industry
  • Country / region: United States
  • Year established: NIAP was founded in 1997; the CCEVS operating model shifted to PP-based evaluations in 2014
  • Product types: network devices, mobile OSes and applications, virtualization, full-disk encryption, operating systems, application software, MFDs, enterprise mobility
  • CCRA status: Certificate Authorizing Member; does not accept standalone EAL claims but recognizes certificates issued under cPPs
  • Canonical portal: https://www.niap-ccevs.org/

Overview

NIAP validates evaluations against the U.S. Protection Profile library. Vendors can pursue NIAP validation only if a NIAP-Approved Protection Profile exists for their technology type. NIAP requires exact conformance: the Security Target reproduces the PP’s SFRs, completing only the selections and assignments the PP permits, and adds nothing the PP does not authorize.

How evaluations work under this scheme

A vendor engages a NIAP-accredited Common Criteria Testing Laboratory (CCTL). The CCTL performs evaluation activities defined in the PP and its Supporting Document, producing an Evaluation Technical Report and an Assurance Activities Report. NIAP validates the evaluation and publishes the Validation Report and certificate. Active NIAP certificates appear on the Product Compliant List (PCL); archived entries are maintained on the Archived Products list for historical reference.

Notable product categories

  • Network devices and VPN gateways (collaborative Protection Profile for Network Devices, NDcPP)
  • General-purpose operating systems
  • Mobile device management and mobile OS platforms
  • Application software and web browsers
  • Full-disk and file encryption software
  • Multifunction devices (Protection Profile for Hardcopy Devices)
  • Enterprise session controllers and dedicated security components

Relationship to CC baseline

NIAP-approved PPs are built on ISO/IEC 15408 and the CEM, with evaluation activities tailored for PP-driven evaluation. NIAP participates in the CCRA international Technical Communities (iTCs) that develop collaborative Protection Profiles recognized internationally. NIAP does not use EAL labels in certificates; assurance is expressed as conformance to the PP and its Supporting Document (SD).

Where to find official records

See also: Protection Profiles, EAL Levels, Glossary.