An Update to the Manufacturer Diversity Requirement Please submit completed questionnaires via email. Interested vendors must complete and submit the CSfC Questionnaire (PDF) for each product. The MoA may also reference technology-specific selections for NIAP testing. The MoA specifies that the vendor's product must be NIAP certified and that the vendor agrees to fix vulnerabilities in a timely fashion. The vendor will enter into a Memorandum of Agreement (MoA) with NSA. In deciding whether a particular product is appropriate for CSfC, NSA considers the totality of circumstances known to NSA, including the vendor's past willingness to fix vulnerabilities, supply chain, foreign ownership, control or influence, the proposed uses of the product under consideration and any other relevant information available to NSA. Vendors of products submitted for consideration under the CSfC process will be notified of NSA's decision on a product-by product basis. Common Criteria Testing Laboratory (CCTL) or a foreign CCTL, the Product will not be added to the Components List until the NIAP/Common Criteria evaluation is in complete and the Product is posted to NIAP's Product Compliant List (PCL).
What is the process to get a commercial product CSfC-listed? Vendors who wish to have their products eligible as CSfC components of a composed, layered information assurance solution must build their products in accordance with the applicable US Government approved Protection Profile(s) and submit their product using the Common Criteria Process.įor vendors utilizing either a U.S. Government Protection Profiles currently in development.Īdditional information about NIAP and the Common Criteria Evaluation and Validation Scheme. View a current listing of NIAP approved U.S. Which protection profiles are published and which are in development? Customers wishing to use open source components should contact us with their evaluation and sustainment plans and the responsible parties for each.Ĭontact us here for questions regarding the CSfC Components List. Open source components may be listed, provided they have a responsible sponsor, and an NSA-approved plan for, taking a component through Common Criteria evaluation and sustainment of the component. To see the selectable requirements, go to the CSfC Components List and click on the links for IPSec VPN Gateways, IPSec VPN Clients, WLAN Clients, WLAN Access Systems, Certificate Authorities, MDM, SW FDE, Mobile Platforms, SIP Servers and VoIP Applications. Some selections, which are not required for the product to be listed on the NIAP Product Compliant List, are mandatory selections for products that are to be listed on the CSfC Components List. Customers must ensure that the components selected will permit the necessary functionality for the selected architecture.įor some technologies, the CSfC program requires specific, selectable requirements to be included in the Common Criteria evaluation validating that the product complies with the applicable NIAP-approved protection profile(s). Customers select products from this listing to satisfy the reference architectures and configuration information contained in published Capability Packages.
0 kommentar(er)
