Menu

Compliance

Operating in compliance with national and international information security and engineering standards.

abstract shapes

U.S. Department of Defense Information Network (DoDIN) Approved Products List (APL)

Certification of NetApp products to the DoDIN APL enables U.S. defense agencies to use them with confidence and provides valuable assurances to customers supporting the defense industrial base.

About the DoDIN APL

The U.S. Department of Defense Information Network Approved Products List (DoDIN APL) represents the master list of products that have completed cybersecurity and interoperability certification and are approved for deployment within the DoD’s technology infrastructure. Departments and agencies within the DoD that want to deploy products that will be connected to the DoDIN may need to purchase products on this list to meet procurement requirements.

The U.S. Defense Information Systems Agency (DISA) manages the rigorous selection process, which is used to test, validate, and certify products to meet the required security and interoperability specifications. A sponsoring DoD agency works with the vendor who submits documentation that includes a system description and component list; a response to a DoD Security Technical Implementation Guide (STIG) questionnaire, which defines the required cybersecurity configuration standards; and a letter of compliance. After document review, DISA determines which STIGs to apply and audits the product at one of its testing facilities. When the DISA evaluator determines that the DoD STIG requirements have been met, the product receives its certification for placement on the APL. The certification is good for three years before recertification is required.

NetApp and DoDIN APL

Continuing a certification tradition dating back to 2005 when NetApp ONTAP was first certified, NetApp systems were most recently certified in December 2019 by DISA and placed on the DoDIN APL. NetApp has long been involved in this DoD certification process—our contributions led to the development of requirements for data storage controllers in the predecessor of the DoDIN APL, the Unified Capabilities Approved Products List (UC APL).

For the current certification, NetApp submitted the required documentation to DISA including a letter of compliance, our attestation that we meet requirements (such as IPv6) that DoD would not test, and a Self Assessment Report. In its Joint Interoperability Test Center (JITC), DISA tested the products’ cybersecurity against the STIGS it determined to be applicable. Based on that audit, DISA determined that in-scope NetApp products satisfied the requirements and place them on the APL. This enables U.S. defense agencies to choose these compliant NetApp products and services with confidence, assured of their stringent security processes.

NetApp In-Scope Products

The following hardware platforms, software versions, and virtual platforms are covered under the DoDIN APL.

Hardware platforms

  • FAS2520, FAS2552, FAS2554, FAS2620, FAS2650, FAS2720, FAS2750, FAS8020, FAS8040, FAS8060, FAS8080 EX, FAS8200, FAS8300, FAS8700, and FAS9000
  • AFF A200, AFF A220, AFF A300, AFF A400, AFF A700, AFF A700s, AFF A800, AFF 8020, AFF8040, AFF8060, and AFF8080 EX

Software versions

Not all software versions run on all hardware platforms. If you have a NetApp Support account, refer to Hardware Universe for compatibility listings.

  • ONTAP 9.7
  • ONTAP 9.6
  • ONTAP 9.3
  • ONTAP 9.1

Virtual platforms

  • ONTAP Select 9.7
  • ONTAP Select 9.6
Audits, Reports, and Certificates

Certifications. Each certification is good for three years, at which point NetApp will recertify and reaccredit the products. Each of the links in the products listed below points to the DISA DoDIN APL Approval Memo, where you’ll find a link to the detailed components and configuration.


Cybersecurity Assessment Package (CAP). To request a copy, send email to the Approved Products Certification Office (APCO). The CAP can be sent only to U.S. government civilians or U.S. uniformed military personnel. The request m

ust be received from a .mil or .gov email address and be sent with a digital PKI signature attached.

abstract shapes