NDPP CC Certification – More Than Just Alphabet Soup

By Chris Dawson | July 22, 2015


In the security hardware world, NDPP CC certification is a big deal, especially for government and enterprise customers who require independent assurance that devices can meet critical standards for network protection. These are more than just letters or one more test that vendors can wave around in the race to claim their products are “the best” or “the most secure”.

Let’s take a step back, though, and look at what CC certification really is and what it means to buyers and IT decision makers. “Common Criteria for Information Technology Security Evaluation”, or CC, is an international standard for computer security certification. There are currently 33 “Protection Profiles” defined for the Common Criteria, ranging from email clients to network security devices. The latter, known as the Network Device Protection Profile (NDPP), sets out a fundamental set of Security Functional Requirements and Security Assurance Requirements (SFRs and SARs, respectively – like I said, alphabet soup, but important terms when we’re talking about this level of testing).

Version 1.1 of the NDPP can be found here. Although it was originally written in 2012, there are several errata and “extended packages” that allow it to be used in the evaluation of modern network protection devices. While it isn’t the most exciting reading, it is instructive in understanding just what testers are looking for when they evaluate devices. As described in the document,

This is a Protection Profile (PP) for a network device. A network device in the context of this PP is a device composed of hardware and software that is connected to the network and has an infrastructure role in the overall enterprise. Examples of a “network device” that should claim compliance to this PP include routers, firewalls, IDSs, audit servers, and switches that have Layer 3 functionality.

Fair enough, right? The key here is that the profile and related testing according to the Common Criteria standards are accepted by governments around the world via an international treaty. Devices that are certified to comply with the protection profile through rigorous testing aren’t guaranteed to solve every security problem faced by government agencies or enterprises with complex regulatory requirements. Obviously, configuration errors or security credentials divulged in phishing attacks can do damage for which testers can’t account.

Rather, NDPP CC certification means that:

  • TOEs (the “Targets of Evaluation”…I know, I know, more acronyms) meet a critical set of specifications suitable for regulated and secure environments (e.g., most government agencies – development of this particular PP was sponsored by the NSA).
  • Testing is conducted transparently through the development and use of a CC Security Target (ST), a product-specific document that identifies and defines the TOE, including the protection profiles, errata documents and packages with which the product claims compliance.
  • Vendor claims of functionality have been independently verified.
  • FIPS certification is a prerequisite for NDPP CC certification, giving purchasers substantial assurance of great security tools.

Bottom line? These CC certifications are useful tools for agencies evaluating network protection solutions in general and firewalls in particular. Not surprisingly, Common Criteria are top of mind for us at Fortinet since we were recently awarded our 8th CC certification for our FortiOS firmware and FortiGate next generation firewalls. For more details on the specific testing and certification, you can view the certificate and ST here and check out the press release.