Last week, the US Government’s Common Criteria Evaluation and Validation Scheme (CCEVS) announced Protection Profiles for Mobile Devices (MD) and Mobile Device Management (MDM) systems. The Common Criteria is an international standard for the evaluation of security features within IT products. It is also widely recognized as a crucial certification needed for products seeking addition to the Unified Capabilities Approved Products List (UC APL), administered by the U.S. Defense Information Systems Agency (DISA). Products which successfully earn addition to the UC APL become eligible for procurement and deployment by the various agencies of the United States Department of Defense.
These new Protection Profiles embody the requirements that are to be met by a specific technology type in Common Criteria evaluations. The Mobile Device Protection Profile (MDPP) contains the security functional requirements for mobile devices such as smartphones and tablets. The Mobile Device Management Protection Profile (MDMPP) covers the security functions to be evaluated, including key protection, protected communications, mobile device configuration, and administration.
Cryptographic support functions are critical requirements in these new Protection Profiles, as anticipated. It is important to note that while many vendors pursue both Common Criteria certification and FIPS 140-2 validation, the latter does not automatically satisfy the former. The encryption requirements in these new Protection Profiles reflect certain standards imposed by NIST for FIPS 140-2, but they are not interchangeable.
We are proud to present a white paper explaining the cryptographic elements of these new Protection Profiles, available for immediate download. This paper also presents information on how CryptoComply, our drop-in module, addresses and meets each encryption requirement for the MDPP and MDMPP and discusses the benefits of leveraging the crypto module. CryptoComply integration is streamlined, designed to eliminate the several engineer-years it would take to build and implement these functions.
For a real-life scenario, please refer to SafeLogic’s Case Study with API Technologies, also available for immediate download. API Technologies was seeking an updated listing on the UC APL, and they were able to accelerate the process by integrating CryptoComply. In tandem with SafeLogic’s RapidCert, API Technologies satisfied all requirements and proceeded directly to the JITC testing phase.
For SafeLogic customers who integrate CryptoComply, drop-in compliance is just the first advantage. RapidCert is a huge differentiator for those who seek FIPS 140-2 validation, while CryptoComply Professional Services brings SafeLogic’s expertise to the table, whether that entails custom software development, Common Criteria consulting, or something else altogether. Our goal is to make these processes as easy as possible.