Eligibility for Procurement
The Unified Capabilities Approved Products List — UC APL
The Department of Defense (DoD) maintains a single list of products that have completed security certification. All DoD agencies are mandated by law to purchase products that are on this list. Vendors that intend to sell products to the DoD must go through a complex multi-step approval process that includes FIPS and Common Criteria certifications.
CygnaCom can guide your organization through this process by offering following services:
- Conduct FIPS 140-2 and Common Criteria certifications
- Develop STIG documentation and consultancy for CSfC
- Consultancy for JITC testing
- Develop documentation including preparation of compliant user manuals
Do you need Common Criteria (CC) or Federal Information Processing Standards (FIPS) certification?
The CC evaluation is a focused examination of the security claims of a system or product. This includes the strength of the claims and the design, as well as development, secure delivery and user guidance. The primary document of a CC evaluation is the Security Target (ST); it often follows a Protection Profile (PP) as the design requirements for a type of system or product.
The FIPS 140-2 module validation is required for Federal products that implement cryptographic functionality, and is often performed at the same time as CC evaluation. This validation verifies the cryptographic functionality, including key management, of a module against the requirements of the FIPS 140-2 standard. The primary public-facing document of the FIPS 140-2 validation is the Vendor Evidence (VE) accompanies by the non-proprietary Security Policy (SP).
CC and FIPS certifications are related, but are not interchangeable. The certification that you need depends on the procurement.