ConvoCourses

Cyber Security Compliance and IT Jobs

protection profile

DoD Annex for NIAP Protection Profiles For Mobile Devices

by Leave a Comment

NIAP assurance technology
NIAP assurance technology

The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) and DISA Field Security Operations (FSO) are pleased to announce the publication of the DoD Annex for NIAP Protection Profiles for mobile devices.  Mobile Device Fundamentals Protection Profile (MDFPP) is a document created through DISA/NIAP collaboration, addresses the DoD specificity to the NIST SP 800-53 controls identified in the MDFPP. As a result, the Annex in conjunction with the PP serves as a single specification, within the DoD, for security of Mobile Devices and supersedes the current DISA MOS SRG Version 1, Release 3. The publication of the Annex does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor’s product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available.

DoD Annex for NIAP Protection Profiles For Mobile Devices
DoD Annex for NIAP Protection Profiles For Mobile Devices

The DoD Annex for NIAP Protection Profiles for mobile devices, MDFPP, is located at http://iase.disa.mil/stigs/niap/index.html.

The scope of the DoD Annex for NIAP Protection Profiles for mobile devices is applicable to all DoD-administered systems and all systems connected to DoD networks.

According to the document:

[DoD Annex for NIAP Protection Profiles for mobile devices] does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria
evaluation will be used to formulate a STIG. The benefit of this approach is that at the
conclusion of a successful NIAP evaluation, a vendor’s product will be certified as meeting the
requisite NIST SP 800-53 controls and the information needed for a STIG will be available

Mobile Device Fundamentals

Approved Protection Profiles

 

More one Assurance Technology

Assurance Technology

by 1 Comment

NIAP assurance technology
NIAP assurance technology

Information Assurance technology is in growing demand as security takes center stage for information technology.

According to U.S. Bureau of Labor statistics, Information Security Analyst was among the fastest growing industries in the U.S. in 2012 and projected to grow another 30% by 2022 (bls.gov).  Information Security Analysts work with information assurance technology.  Assurance technology includes technologies like firewalls, intrusion prevention systems, security information & event management systems, web proxies, encryption systems, encryption software, authentication devices, vulnerability scanners, protocol analyzers, and many other devices specifically made to protect the confidentiality, integrity and availability of information.  In defense these systems are known collectively as security products.

Information systems with security features built in are known as security-enabled devices.  Examples would be operating systems, storage devices, internetworking devices such as switches and routers and any other device that can be locked down, secured and hardened with built in information assurance technology.

assurance technology common criteria
assurance technology common criteria

Assurance technology is evaluated to make sure the security features perform as the manufacturers intended.  Typically, agencies, departments and organizations that maintain critical infrastructure make sure that the information assurance technologies that they choose are in the Common Criteria Evaluation database:

  • http://www.commoncriteriaportal.org/products/
  • https://www.niap-ccevs.org/

These are systems that have been vetted in a lab under very specific conditions.  So under specified settings, and under specific conditions, an organization can operate these assured technologies with a high level of confidence.

CommonCriteria-assurance-technology
CommonCriteria-assurance-technology

Protection Profiles have a set of criteria to conduct security evaluation to determine the validity of vendors’ claims.  The product is given a Evaluation Assurance Level (EAL) which is an assurance level between 1 and 7.

Choosing the right information assurance technology is covered in NIST 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products.  Assurance for U.S. defense technology used to be done with a policy called, Trusted Computer System Evaluation Criteria (TCSEC), DoDD 5200.28-STD (aka the Orange Book, AKA DITSCAP).  It eventually got replaced with DoDD 8500.1 on October 24, 2002 and branched in DIACAP, which is NOW DIARMF!  So you see DIARMF is all about not only assurance technology but how those technologies are used.

Works Cited:

U.S. Bureau of Labor Statistics. Fastest growing occupations. U.S. Bureau of Labor Statistics, http://www.bls.gov/emp/ep_table_103.htm date: Accessed: February 03, 2014