Cloud Formations: NIAP Cloud Certifications and the Way Forward (A22c)
NIAP is in the process of certifying its first Cloud product using the Mobile Device Management (MDM) Protection Profile (this should be completed by ICCC 2024). This talk will discuss the challenges of this certification (from a scheme perspective) and how they were handled. NIAP’s way forward on Cloud evaluations will also be discussed. The talk will cover whether, for SaaS products, NIAP will update its relevant PPs or develop Cloud Module PPs. The reasons for that decision will be covered; they will be based on an analysis of the existing NIAP PPs that would be useful for Cloud SaaS and the extent to which they need to be modified. For example, the MDM PP does not cover multi-tenancy. Regardless of the decision on the way forward, policies will need to change to reflect the different nature of Cloud products, for example the policies on remote testing and NIAP’s requirement for CAVP certificates. These changes, which are not covered by the current CCitC guidance, will be discussed. This talk will be an update of what was presented at ICCC 2023.