The NTA shall establish a Certified Vendor Program designed to reduce the time required to modify and deliver certified TEMPEST products based on the latest commercial-off-the-shelf (COTS) IT equipment. A certified vendor program should produce modified versions of critically needed products in less time than that required for a traditional government-reviewed program. The NTA shall address all of the qualification and control components described below when developing national processes.
The NTA shall develop a process that customers can use to verify the TEMPEST status of a product. This could be accomplished with an official product letter, product listing on an NTA website, or other official NTA product accreditation. The NTA determines which TEMPEST products from a certified vendor are available to NATO.
This does not mean NTA management of vendors at the product level, but simply oversight at the product level. While the vendors are responsible for following their processes, the NTA is responsible for determining the requirements, and ensuring the vendor’s processes meet those requirements.
The NTA shall perform at least biennial audits of certified vendors to ensure continued compliance with national processes. The NTA shall develop vendor suspension/termination processes to address vendor compliance failures. The vendor shall submit a certification report to the NTA that demonstrates the evaluation facility is compliant with the technical requirements specified in reference d. Each NTA is encouraged to fully document its Certified Vendor Program and share these processes with other interested parties such as an NTA. SECAN can facilitate this exchange of information.
Vendors shall have an up-to-date NATO SECRET facility clearance. Additionally, nations agree to limit sales of Level A and Level B products to NATO, NATO member Nations and selected Allies for government use only. The NTA shall ensure this requirement is adhered to by vendors.
The NTA shall verify that the evaluation facilities used to qualify products are certified, at a minimum, based upon submitted Certification Reports demonstrating the compliance of the facility to the technical requirements specified in SDIP 27/1. To ensure quality, the QA process should meet the requirements of an internationally recognized standard, such as ISO 17025, or a national equivalent as agreed by the NTA. Following initial certification, at least biennial audits shall be conducted by the NTA to ensure the required documentation is being archived and the quality control processes are correctly executed. The NTA shall also verify that the personnel performing qualification testing and developing documentation have the appropriate experience, training, and credentials.
Each NTA is encouraged to archive vendor qualification documentation as well as product test reports and configuration management documentation for products sold to NATO. SECAN or their authorized representative shall provide technical oversight of national Certified Vendor programs to ensure the NTA has access to the training and testing resources needed to support product conformance.
In order for a TEMPEST certified vendor to be listed on the NIAPC, the responsible NTA must forward a certificate of compliance to SECAN and the NCI Agency Cyber Security Service Line. This certification must include the name, location(s) and contact information for the certified vendor. This certification must also include contact information for the responsible NTA. This information will be included with the listing.
The responsible NTA shall forward vendor-developed documentation that addresses the NIAPC Certified Vendor Questionnaire included as Appendix A. Proprietary information in this documentation shall be identified as such, and shall be treated accordingly by the NCI Agency Cyber Security Service Line. This documentation only needs to be updated if there is a significant change to the information provided, such as a change in contact details, ownership, or location(s).