Vendor Information

Cryptographic Products and Cryptographic Mechanisms

Only cryptographic products which are developed and produced in a NATO member Nation and which are evaluated and approved in accordance with the INFOSEC Technical and Implementation Directive on Cryptographic Security and Cryptographic Mechanisms, by the developing nations National Communications Security Authority are eligible to be submitted for inclusion to the NATO Information Assurance Product Catalogue (NIAPC).

Those products subject to an additional release action shall be so noted in the product’s listing. This list of cryptographic products and cryptographic mechanisms should include both those products which are approved for use in NATO and national systems to protect NATO classified information, as well as all products produced by NATO member nations which are evaluated and approved for use by non-NATO nations and International Organizations to protect NATO classified information.

The list of cryptographic products and cryptographic mechanisms shall be updated and maintained by the NCI Agency Cyber Security on behalf of the NHQC3S based on input provided by the National Communications Security Authority of NATO member nations.

Information Assurance (IA) Security Products
Protection Profiles and Packages

A Protection Profile (PP) defines an implementation-independent set of security requirements and objectives for a category of products or systems, which meet similar consumers’ needs for IA security. A PP is intended to be reusable and to define requirements that are known to be useful and effective in meeting the identified objectives.

A Package is a reusable set of either functional or assurance components (e.g. an Evaluation Assurance Level) combined together to satisfy a set of identified security objectives.

Only evaluated and certified/validated Protection Profiles and Packages, which are developed by NATO or NATO member states and/or sponsored by NATO nations, shall be included in the NIAPC.

The list of Protection profiles shall be updated and maintained by the NCI Agency Cyber Security based on input provided by the NATO Nation’s National Communication Security Authority

NIAPC Inclusion Criteria

Attainment of any or all of the following criteria is a minimum requirement for listing in the NIAPC. Attainment of the minimum requirement is necessary but not sufficient for NIAPC listing. It will be possible to attain the minimum requirement and not obtain a listing in the NIAPC. Failure to maintain attainment of the minimum criteria will normally result in loss or suspension of an existing NIAPC listing.

1. Inclusion Criteria for NIAPC Products.
 
1.1. Cryptographic products are the subject of additional national approval and therefore only cryptographic products that are approved for release by a National Security Authority of a NATO nation shall be listed in the NIAPC.

1.2. Products listed in the NIAPC shall be in receipt of a recognized NATO, national or international evaluation or certification. In instances where this is other than Common Criteria then a mapping across of the evaluation or certification to the Common Criteria shall be provided by the relevant NATO technical agency or by the relevant National Security Authority.

1.3. Information submitted in support of an application for a listing in NIAPC shall be deemed releasable across NATO.

1.4 Information submitted in support of a listing in NIAPC shall be deemed releasable across NATO.

1.5. Only products deemed commercially suitable for NATO market conditions shall be listed in the NIAPC.

1.6. For Common Criteria evaluated and certified products, only products sponsored within a NATO member nation and which would, additionally, be considered within that nation for protection of national information shall be listed in the NIAPC.

1.7. In respect of products designated as Security Tools then the NIAPC shall include only those products assessed in accordance with the “IA Technical and Implementation Directive on Use of Security Tools.”

1.8. Only cryptographic key fill devices developed and produced in a NATO member nation and which are evaluated and approved according to the “IA Technical and Implementation Directive on Cryptographic Security and Cryptographic Mechanisms” and the “IA Technical and Implementation Directive for Emissions Security” are eligible for inclusion in the NIAPC.

1.9. Only cryptographic products which are developed and produced in a NATO member nation, and which are evaluated, approved (according to the “IA Technical and Implementation Directive on Cryptographic Security and Cryptographic Mechanisms”) and controlled by a NATO member’s National Communications Security Authority shall be included in the NIAPC.

2. Inclusion Criteria for NIAPC Protection Profiles and Packages.

2.1. Only evaluated and certified/validated Protection Profiles and Packages, or Protection Profiles and Packages currently undergoing evaluation and certification/validation, which are developed by NATO and/or sponsored by NATO nations, shall be included in the NIAPC.

NIAPC Application Process

1. Approval for inclusion in NIAPC is at the sole discretion of the NIAPC Management.

2. Inclusion of a product in the NIAPC does not in any way guarantee that any orders whatsoever will be placed for the products or services offered. Inclusion of a product or service in the NIAPC is by no way a guarantee of business.

3. Application for a listing in the NIAPC is done at the sole discretion and sole expense of the applicant and is to be considered as an at risk activity.

4. The NIAPC application process will, normally, entail consideration of the following elements:

The certification status of the product

The likely value of the product to NATO as an organisation

The terms and conditions of sale offered by the company

The terms and conditions of any end user license agreement offered by the vendor

The value for money offered by the vendor

The provenance and capability of the vendor

Issues around release of the product to the NATO market arising from national considerations such as the production and release of cryptographic key material or national law on the export of dual use goods

The general suitability of the product for the NATO market

The availability of similar capability through NATO research and development programs

NATO customer demand

5. The NIAPC application process will normally proceed as follows:

The prospective applicant will prepare an NIAPC Application (either by using the NIAPC online forms or via e-mail).

Each NIAPC application will be allocated a unique serial number. This number will be shown on all documents related to the application.

The NIAPC Management will review the completed Application and will check to ensure that all relevant sections have been completed correctly and that all supporting documentation has been provided by the applicant.

In instances where the NIAPC Management identifies technical deficiencies in the application, then the application will be returned with guidance regarding remedial action required.

The NIAPC Management will review the application and will either:

Endorse the application and recommend inclusion in the NIAPC

Decline to endorse the application and require additional information from the applicant

Decline to endorse the application and recommend rejection from inclusion in the NIAPC

 

Application Forms

In order for products to be considered for inclusion in the NIAPC the following forms need to be completed and submitted to the NATO Information Assurance Certification Panel:

Please enter a search term !