NIA - NATO Information Assurance

Cryptographic Products and Cryptographic Mechanisms

Only cryptographic products which are developed and produced in a NATO member Nation and which are evaluated and approved in accordance with the INFOSEC Technical and Implementation Directive on Cryptographic Security and Cryptographic Mechanisms, by the developing nations National Communications Security Authority are eligible to be submitted for inclusion to the NATO Information Assurance Product Catalogue (NIAPC).

Those products subject to an additional release action shall be so noted in the product’s listing. This list of cryptographic products and cryptographic mechanisms should include both those products which are approved for use in NATO and national systems to protect NATO classified information, as well as all products produced by NATO member nations which are evaluated and approved for use by non-NATO nations and International Organizations to protect NATO classified information.

The list of cryptographic products and cryptographic mechanisms shall be updated and maintained by the NIATC on behalf of the NHQC3S based on input provided by the National Communications Security Authority of NATO member nations.

Information Assurance (IA) Security Products

The aim of the list of IA Security Products is to provide security approval authorities (for example, Security Accreditation Authorities), CIS Operating Authorities, CIS planners and implementers, project staffs, and users in NATO Member Nations, NATO civil and military bodies a baseline of information with respect to available evaluated and certified/validated IA security products which can be used as guidance for meeting NATO security requirements in CIS.

Products listed in the NIAPC shall be in receipt of a recognised NATO, national or international evaluation or certification. In instances where this is other than Common Criteria then the product must be in receipt of a finalized national evaluation and approval by a NATO National Communications Security Authority. Where a national or international equivalent is applicable, the appropriate National Security Authority shall make, as part of the submission, a statement with respect to the equivalence of the evaluation to the Common Criteria.

For Common Criteria evaluated and certified products, only products sponsored within a NATO member nation and considered suitable for use within that nation for protection of national information shall be listed in the NIAPC.

The following caveat shall be included as a preface to the IA Security products listed on the NATO Information Assurance Product Catalogue (NIAPC): “Users of the Product, Protection Profile and Package list must understand that choosing a system or product from the list of IT Security products does not guarantee an overall secure system/network. There is no guarantee that such systems or products will have compatibility or interoperability”.

The List of IA Security Products shall be updated and maintained by the NIATC on behalf of the NHQC3S based on input provided by a NATO National Communication Security Authority or a recognized NATO or National Certification/Validation Authorities (i.e. SECAN, EUSEC). See the Update and Maintenance Section for further details on the update and maintenance of the NATO Information Assurance Product Catalogue (NIAPC).

Protection Profiles and Packages

A Protection Profile (PP) defines an implementation-independent set of security requirements and objectives for a category of products or systems, which meet similar consumers’ needs for IA security. A PP is intended to be reusable and to define requirements that are known to be useful and effective in meeting the identified objectives.

A Package is a reusable set of either functional or assurance components (e.g. an Evaluation Assurance Level) combined together to satisfy a set of identified security objectives.

Only evaluated and certified/validated Protection Profiles and Packages, which are developed by NATO or NATO member states and/or sponsored by NATO nations, shall be included in the NIAPC.

The list of Protection profiles shall be updated and maintained by the NIATC based on input provided by the NATO Nation’s National Communication Security Authority.

NIAPC Inclusion Criteria

Attainment of any or all of the following criteria is a minimum requirement for listing in the NIAPC. Attainment of the minimum requirement is necessary but not sufficient for NIAPC listing. It will be possible to attain the minimum requirement and not obtain a listing in the NIAPC. Failure to maintain attainment of the minimum criteria will normally result in loss or suspension of an existing NIAPC listing.

1. Inclusion Criteria for NIAPC Part 7: Products.

    1.1. Cryptographic products are the subject of additional national approval and therefore only cryptographic products that are approved for release by a National Security Authority of a NATO nation shall be listed in the NIAPC.

    1.2. Products listed in the NIAPC shall be in receipt of a recognised NATO, national or international evaluation or certification. In instances where this is other than Common Criteria then a mapping across of the evaluation or certification to the Common Criteria shall be provided by the relevant NATO technical agency or by the relevant National Security Authority.

    1.3. All products in the NIAPC shall be operationally evaluated by one of the NATO technical agencies (e.g. NIATC, NC3A, NAMSA) in order to achieve full evaluation status.

    1.4. Information submitted in support of an application for a listing in NIAPC shall be deemed releasable across NATO.

    1.5. Information submitted in support of a listing in NIAPC shall be deemed releasable across NATO.

    1.6. Only products deemed commercially suitable for NATO market conditions shall be listed in the NIAPC.

    1.7. For Common Criteria evaluated and certified products, only products sponsored within a NATO member nation and which would, additionally, be considered within that nation for protection of national information shall be listed in the NIAPC.

    1.8. In respect of products designated as Security Tools then the NIAPC shall include only those products assessed in accordance with the “IA Technical and Implementation Directive on Use of Security Tools.”

    1.9. No AMSG 720 or AMSG 788 Emission Security Product will be included in the NIAPC without SECAN approval.

    1.10. Only cryptographic key fill devices developed and produced in a NATO member nation and which are evaluated and approved according to the “IA Technical and Implementation Directive on Cryptographic Security and Cryptographic Mechanisms” and the “IA Technical and Implementation Directive for Emissions Security” are eligible for inclusion in the NIAPC.

    1.11. Only cryptographic products which are developed and produced in a NATO member nation, and which are evaluated, approved (according to the “IA Technical and Implementation Directive on Cryptographic Security and Cryptographic Mechanisms”) and controlled by a NATO member’s National Communications Security Authority shall be included in the NIAPC.

2. Inclusion Criteria for NIAPC Part 8: Protection Profiles and Packages.

     2.1. Only evaluated and certified/validated Protection Profiles and Packages, or Protection Profiles and Packages currently undergoing evaluation and certification/validation, which are developed by NATO and/or sponsored by NATO nations, shall be included in the NIAPC.

NIAPC Application Process

1. Approval for inclusion in NIAPC is at the sole discretion of the NIACG.
2. Inclusion of a product in the NIAPC does not in any way guarantee that any orders whatsoever will be placed for the products or services offered. Inclusion of a product or service in the NIAPC is by no way a guarantee of business.
3. Application for a listing in the NIAPC is done at the sole discretion and sole expense of the applicant and is to be considered as an at risk activity.

4. The NIAPC application process will, normally, entail consideration of the following elements.
4.1. The certification status of the product.
4.2. The likely value of the product to NATO as an organisation.
4.3. The terms and conditions of sale offered by the company.
4.4. The terms and conditions of any end user licence agreement offered by the vendor.
4.5. The value for money offered by the vendor.
4.6. The provenance and capability of the vendor.
4.7. Issues around release of the product to the NATO market arising from national considerations such as the production and release of cryptographic key material or national law on the export of dual use goods.
4.8. The general suitability of the product for the NATO market.
4.9. The availability of similar capability through NATO research and development programmes.
4.10. NATO customer demand.

5. The NIAPC application process will normally proceed as follows.
5.1. The prospective applicant will usually be offered an opportunity to present at a NATO IA Event prior to submitting and application.
5.2. The prospective applicant will prepare an NIAPC Application Document Pack (as detailed below). The NIAPC Application Document Pack will be obtained from the NIAPC Secretariat following a written request from the prospective applicant.
5.3. Each NIAPC application will be allocated a unique serial number by the NIAPC Secretariat. This number will be shown on all documents related to the application and will be shown in the Catalogue itself as part of the listing.
5.4. The prospective applicant will send the completed NIAPC Application Document Pack to the NIAPC Secretariat.
5.5. The NIAPC Secretariat will review the completed Application Document Pack and will check to ensure that all relevant sections have been completed correctly and that all supporting documentation has been provided by the applicant.
5.6. In instances where the NIAPC Secretariat identifies technical deficiencies in the application, then the application will be returned with guidance regarding remedial action required.
5.7. The NIAPC Secretariat will transmit technically compliant applications to the relevant technical agency for addition of the NIACG Evaluation Report.
5.8. The NATO technical agency providing the NIACG Evaluation Report will route all communication with the applicant through the NIAPC Secretariat.
5.9. The NATO technical agency will return the application with the NIACG Evaluation Report to the NIAPC Secretariat.
5.10. The NIACG will review the application and will either.
5.10.1. Endorse the application and recommend inclusion in the NIAPC.
5.10.2. Decline to endorse the application and require additional information from the applicant.
5.10.3. Decline to endorse the application and recommend rejection from inclusion in the NIAPC.
5.11. In the event of the NIACG endorsing an application the NIAPC Secretariat shall transmit the application with the NIACG recommendation for inclusion to the NIAPC.
5.12. In the event of the NIACG declining to endorse an application the NIAPC Secretariat shall transmit the application with the NIACG recommendation for non inclusion to the NICG.
5.13. In the event of The NIACG requiring more information form the applicant the NIAPC Secretariat shall inform the applicant of this in writing and shall, in writing, offer specific and comprehensive guidance regarding the additional information or clarification required.
5.14. In cases where the NIACG approval for inclusion in the NIAPC is forthcoming then the NIACG shall also decide on which of the NIAPC Traffic Light Indicators to allocate to the product. For further information on the NIAPC Traffic Light Indicators see chapter 8 below,
5.15. The NIACG decision on NIAPC inclusion is final.
5.16. The NIACG decision on NIAPC Traffic Light Indicator allocation is final.
5.17. The NIACG shall instruct the NIAPC Secretariat to notify the application of the outcome of the application.
5.18. The NIAPC Secretariat shall so notify all applicants in writing.
5.19. The NIAPC Secretariat has no authority to accept or reject applications.
5.20. Each stage of the NIAPC application process will be recorded by the NIAPC Secretariat who shall maintain a comprehensive audit trail of each application and full and complete copies of all documents and correspondence relating to an application. The NIAPC records shall include records of meetings and telephone conversations regarding NIAPC applications.

Vendor Information

Application Forms