Navigate

CCI-000634

CCI-000634 Definition

Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed, when using commercially provided IA and IA-enabled IT products uses only products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed, when using commercially provided IA and IA-enabled IT products uses only products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation includes information as it relates to commercially provided IA or IA enabled IT products.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000634.

Control	Description
SA-4(7)	The organization: (a): Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and (b): Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.

Control

Description

SA-4(7)

The organization:

(a): Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and

(b): Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.