Compliance

Operating in compliance with national and international information security and engineering standards.

Common criteria

The Common Criteria for Information Technology Security Evaluation provides an internationally accepted, consistent means by which to evaluate the security capabilities of information technology products. NetApp has achieved Common Criteria certification for its storage software and hardware products.

About common criteria

The Common Criteria for Information Technology Security Evaluation is an internationally recognized set of technical standards (ISO/IEC 15408-1:2009) for evaluating the security capabilities of information technology products. Dozens of countries, including the United States and Canada, have signed the Common Criteria Recognition Arrangement (CCRA), officially recognizing Common Criteria certificates as the global standard. Each country has its own organization that oversees and implements Common Criteria certification. In the United States, it is the National Information Assurance Partnership (NIAP); in Canada, it is the Canadian Centre for Cyber Security (CCCS).

There are two paths to Common Criteria certification: Evaluation Assurance Levels (EAL) and Protection Profiles (PP). Each is achieved through an accredited third-party commercial testing laboratory, which tests products against standardized security requirements.

Evaluation Assurance Levels are ratings, with seven levels of increasing stringency, based on how the product satisfies various functional and assurance security requirements. The CCRA has agreed that EAL1 and EAL2 evaluations are to be recognized by all participating countries, regardless of where the evaluation was completed.

EAL evaluations are no longer performed in the United States and are not listed on the NIAP Product Compliant List, but EAL certifications may still be used in U.S. public sector procurement. EAL evaluations are still performed in other CCRA signatory countries, and the resulting certifications are listed on the Common Criteria website.

A Protection Profile is a set of Common Criteria technical standards or configurations developed for specific technology types, such as mobile devices or firewalls. The Protection Profile specifies security criteria for that type of product, against which the product is evaluated for conformance.

There are two types of Protection Profiles: country-specific Protection Profiles (PP), for which there is no guarantee of mutual recognition; and Collaborative Protection Profiles (cPP), which are recognized by all participating CCRA countries. As of March 2020, the Common Criteria portal listed versions of four basic cPPs: Stateful Traffic Filter Firewalls, Full Disk Encryption – Encryption Engine, Full Disk Encryption – Authorization Acquisition, and Network Device.

When a certifying body awards a Common Criteria certificate, it asserts that the product meets the security requirements that the company specified in the related security target. (A security target is a set of requirements that specifies the scope of the evaluation.) Purchasers of certified products must review the security target to understand the assumptions made as part of the evaluation, the product's intended environment, and the security functionality that was assessed.

NetApp and common criteria

Continuing a certification tradition dating back to 2005, when NetApp Data ONTAP was first certified, NetApp has achieved Common Criteria certification for its storage software and hardware products. Independent accredited testing laboratories, Lightship Security in Canada and Epoche & Espri S.L.U. in Spain, audited NetApp products for compliance with Common Criteria. Their reports were certified by the Centro Criptológico Nacional (National Cryptologic Center) in Spain for SolidFire Element OS 8, and by the Canadian Centre for Cyber Security (CCCS) for all other NetApp products. Our government and government contractor customers can rely on NetApp’s Common Criteria certification for their purchasing requirements.

NetApp in-scope products
  • ONTAP 9.1, 9.3 and 9.5
  • ONTAP Select 9.1, 9.3 and 9.5
  • Data ONTAP 7-Mode 8.2.1 and 8.2.2
  • SolidFire Element OS 8 and 10.3
  • E-Series and EF-Series SANtricity OS 11.50

Audits, reports, and certificates

Common Criteria certification applies only to the configurations and versions specified in the certified security target. An Assurance Continuity process allows minor product changes to be evaluated and then documented against the original certificate; the version updates covered in this way are noted in the NetApp products listed below.

ONTAP

ONTAP was certified in Canada, and the CCCS issued a Common Criteria Certification Report for each product:

Note: Customers who have a support contract for our legacy products will continue to have access to patches even after the certification has expired.

SolidFire

E-Series

This NetApp hardware was certified in Canada against the Network Device cPP. The CCCS issued a Common Criteria Certification Report for SANtricity running on E-Series or EF-Series hardware, and NIAP recognized that certification reciprocally.

E-Series and EF-Series SANtricity OS 11.50 NDcPP (NDcPP US)

Frequently asked questions

Why is ONTAP not on the NIAP PCL?

Historically, NetApp has achieved EAL certifications, and NIAP no longer lists EAL certifications on the Product Compliant List. They are listed on the Common Criteria web portal instead.