All about FIPS 140-3, Common Criteria / NIAP Certifications, and DoDIN APL Listing
Learn why selecting products that are compliant with these standards is important.

Contents
- Endace Product Security Certifications
- What is FIPS?
- What FIPS standards apply to EndaceProbes?
- What is FIPS 140-3?
- Why is FIPS 140-3 important?
- What is Common Criteria?
- What Common Criteria standard applies to EndaceProbes?
- Why is Common Criteria Important?
- What is NIAP?
- What is the DoDIN APL?
- What Endace Products are Listed on the DoDIN APL?
- Why is being on the DoDIN APL important?
Endace Product Security Certifications
EndaceProbes are deployed on critical and highly sensitive networks. It is therefore crucial for customers to be assured of the high security built into EndaceProbes’ ground-up design. A key part of this assurance is EndaceProbes’ rigorous testing against stringent, independent product security standards.
Here we outline those standards and why selecting products that are compliant with them is important.
What is FIPS?
FIPS (Federal Information Processing Standards) is a set of standards developed by the US National Institute of Standards and Technology (NIST) to define required standards for the security and interoperability of technology used by US Federal Government agencies. NIST is part of the US Department of Commerce.
What FIPS standards apply to EndaceProbes?
EndaceProbes are tested against FIPS 140-3, and use a cryptographic module developed to comply with the standard. EndaceProbe uses this module to securely encrypt all communications.
This module has been tested on a wide range of hardware and operating system combinations – including EndaceProbes – and is certified by NIST under certificate number 4718. Certified EndaceProbe platforms are listed in this certificate.
What is FIPS 140-3?
FIPS 140-3 relates to the security of cryptography used in technology products. There are two parts to this certification:
- CAVP certifies that approved (FIPS approved and NIST recommended) cryptographic algorithms are correctly implemented.
- CMVP tests cryptographic modules – including the approved algorithms used – against a stringent set of cryptographic and security criteria. Modules that pass these tests are then certified and given an official certificate number.
Why is FIPS 140-3 important?
FIPS 140-3 certification provides independent verification that certified products meet NIST’s best practice for strong encryption of sensitive information. This is important for all organizations, commercial enterprises, governments, and public agencies globally because it helps to provide assurance that encrypted information cannot be easily cracked.
For U.S. Federal Government agencies, FIPS 140-3 certification (or the earlier FIPS 140-2 certification) is mandatory for any products deployed that use cryptography.
FIPS 140-3 replaces the earlier FIPS 140-2 standard, which will be classified as a historical standard in September 2026.
What is Common Criteria?
Common Criteria (CC) is a set of stringent security standards – or protection profiles – recognized by 36 nations, used for evaluating the security of information technology products across a wide range of categories. The goal of the CC is to provide organizations with confidence in the security of IT products they intend to acquire.
The CC is the driving force for the widest available mutual recognition of secure IT products. CC sets high standards for cybersecurity of IT products and is a widely accepted global standard for cybersecurity.
To be listed as compliant with CC standards, products must be tested by a laboratory licensed by the CC organization. A vendor must specify what protection profile the product is to be tested against. Tests evaluate product security very deeply, testing many areas of security and often requiring the test lab to inspect source code to verify compliance.
Once a product has passed certification testing, the test report is submitted to a certification body (CB), which is responsible for issuing CC certificates that meet high and consistent standards. CBs are government or defense agencies of one of the 18 authorizing nations of the CC scheme. Once a product has been certified by a CB, that certification is automatically recognized by all CC member organizations (currently 36 countries), including NIAP (see below).
What Common Criteria standard applies to EndaceProbes?
EndaceProbes are tested against the “Collaborative Protection Profile for Network Devices”, abbreviated as NDcPP v2.2e.
- The criteria for NDcPP v2.2e certification are listed here.
- The official certificate for EndaceProbe NDcPP v2.2e certification can be found here.
- The full testing report for certified EndaceProbes can be found here.
Why is Common Criteria Important?
Common Criteria represents the most widely accepted global set of standards for product security. Certification can only be awarded by authorized, licensed testing labs.
Products certified as meeting Common Criteria standards undergo rigorous testing against a comprehensive set of requirements. For example, the list of requirements for NDcPP v2.2e compliance spans over 140 pages. These requirements are publicly available, enabling potential customers to see exactly what criteria are tested. A full report of test results for each certified product is published on the Common Criteria Portal (https://www.commoncriteriaportal.org/) for reference by any organization considering the purchase of a certified product.
The list of nations that recognize CC can be found here.
What is NIAP?
NIAP (National Information Assurance Partnership) is a U.S. program jointly administered by the U.S. National Security Agency (NSA) and the U.S. National Institute of Standards and Technology (NIST). NIAP is the U.S. representative member of Common Criteria.
NIAP manages the U.S. Common Criteria Evaluation and Validation Scheme (CCEVS), which provides U.S.-based testing of products against Common Criteria standards. NIAP certified products are automatically accepted by Common Criteria members as certified to Common Criteria standards. Similarly, products certified by Common Criteria licensed labs outside the U.S. are accepted by NIAP as certified.
What is the DoDIN APL?
The DoDIN APL is an Approved Product List, administered by the U.S. Department of Defense. It lists products that have been tested and approved for deployment on U.S. Department of Defense networks.
Approved products are subjected to rigorous testing by DISA (Defense Information Systems Agency), a division of the U.S. Department of Defense.
For a product to be included on the DoDIN APL, it must:
- Be sponsored for inclusion in the DoDIN APL by a U.S. Department of Defense agency.
- Be certified as compliant with relevant security standards including FIPS 140-3 and Common Criteria / NIAP.
- Pass rigorous security and interoperability testing conducted at a designated U.S. Defense Department testing facility.
- Have a Military Unique Deployment Guide that instructs how to deploy and configure the product for secure operation.
What Endace Products are Listed on the DoDIN APL?
Current EndaceProbe models are listed on the DoDIN APL and can be found by searching for “Endace” on the DoDIN APL product listing page.
Why is being on the DoDIN APL important?
For any U.S. Department of Defense agency, an APL-listed product can be procured and deployed on defense networks without requiring exemptions or additional testing. These products have already been thoroughly tested and approved, making budget approval, procurement and deployment of APL-listed products a much more streamlined and efficient process.
For organizations outside of the U.S. Department of Defense, a DoDIN APL listing provides additional assurance that the product has been extensively tested and meets the stringent military-grade security requirements of the U.S. DoD.
