Navigation and service

BSI - Federal Office for Information Security (Link to homepage)

Collaborative Protection Profiles - cPPs

As part of ongoing development of the Common Criteria, the signatory parties represented in the CCRA-MC have agreed to pursue the development of internationally agreed protection profiles, known as Collaborative Protection Profiles (cPPs).

One prominent example of a cPP is the Collaborative Protection Profile for Network Devices (NDcPP), which is currently available in version 2.2e as of March 27, 2020, and it is applied by the BSI (German Federal Office for Information Security). The associated Supporting Document (SD) defines additional requirements that must be considered for the aforementioned version of the cPP. In addition, there are interpretations referred to as "Network Device Interpretations," which must also be taken into account for the NDcPP. For NDcPP version 2.2e, the "Network Device Interpretations" are numbered as follows: #202200, #202207, #202208, #202209, #202210, #202211, #202212, #202213, #202214, #202215, #202216, #202217, #202218, #202219, #202220, #202221, #202222, #202223, #202224, #202225, and #202228.

The interpretations listed above are going to be provided by the certification body upon request (zertifizierung@bsi.bund.de).

The evaluation activities (EA) defined in the Supporting Document (SD) must be documented in detail. To ensure flexibility, there are two possible ways to document the EAs:

  1. Documentation within the Single Evaluation Reports (SER) according to AIS 14. The EAs should be documented as an "Annex" to the corresponding SER (e.g., EAs for TSS in the ETR-Part ASE, EAs for the user manual/guidance in the ETR-Part AGD, EAs for testing in the ETR-Part ATE and/or AVA, etc.).
  2. Documentation within a separate "NDcPP Evaluation Report." This report follows the same structure as the SD and for each EA, statements/evaluation results of the evaluator are added.

For both approaches, it is required that sections "Assessment" and "Verdict" are provided for each atomic EA. The reason for this is that the EAs contain fine-granular activities, which require an evaluator statement for each of them.

Questions regarding certification based on a cPP can be addressed to the certification body (zertifizierung@bsi.bund.de).

Similar topics

Back to Certified protection profiles (CC)