U.S. Department of Defense Information Network (DoDIN) Approved Products List (APL)

April 2022

Certification of NetApp products to the DoDIN APL means that U.S. defense agencies can use them with confidence and provides valuable assurances to customers supporting the defense industrial base.

The U.S. Department of Defense Information Network Approved Products List (DoDIN APL) is the master list of products that have completed cybersecurity and interoperability certification and are approved for deployment in the DoD’s technology infrastructure. Departments and agencies in the DoD may need to purchase products on this list to meet procurement requirements for products that will be connected to the DoDIN.

The U.S. Defense Information Systems Agency (DISA) manages the rigorous selection process, which is used to test, validate, and certify products to meet the required security and interoperability specifications. A sponsoring DoD agency works with the vendor, who submits documentation that includes a system description and a component list; a response to a DoD Security Technical Implementation Guide (STIG) questionnaire, which defines the required cybersecurity configuration standards; and a letter of compliance. After document review, DISA determines which STIGs to apply and audits the product at one of its testing facilities. When the DISA evaluator determines that the DoD STIG requirements have been met, the product receives its certification for placement on the DoDIN APL. The certification is good for 3 years before recertification is required.

NetApp and the DoDIN APL

Continuing a tradition dating back to 2005 when NetApp ONTAP was first certified, NetApp systems were most recently certified in December 2019 by DISA and placed on the DoDIN APL. NetApp has long been involved in this DoD certification process—our contributions led to the development of requirements for data storage controllers in the predecessor of the DoDIN APL, the Unified Capabilities Approved Products List (UC APL).

For the current certification, NetApp submitted the required documentation to DISA, including a letter of compliance, our attestation that we meet requirements (such as IPv6) that DoD does not test, and a Self-Assessment Report. In its Joint Interoperability Test Center (JITC), DISA tested the products’ cybersecurity against the STIGs it determined to be applicable. Based on that audit, DISA determined that in-scope NetApp products satisfy the requirements and placed them on the APL. This means that U.S. defense agencies can choose these compliant NetApp products and services with confidence, assured of their stringent security processes.

NetApp in-scope products

The following hardware platforms, software versions, and virtual platforms are covered under the DoDIN APL.

Hardware platforms

  • Fabric Attached Storage: FAS500f, FAS2520, FAS2552, FAS2554, FAS2620, FAS2650, FAS2720, FAS2750, FAS8020, FAS8040, FAS8060, FAS8080 EX, FAS8200, FAS8300, FAS8700, and FAS9000
  • All Flash FAS: AFF A200, AFF A220, AFF A250, AFF A300, AFF A320, AFF A400, AFF A700, AFF A700s, AFF A800, AFF C190, AFF8020, AFF8040, AFF8060, and AFF8080 EX

Software platforms

Not all software versions run on all hardware platforms. If you have a NetApp Support account, refer to Hardware Universe for compatibility listings.

  • ONTAP 9.8, 9.7, 9.6, 9.3, and 9.1

Virtual platforms

  • ONTAP Select 9.8, 9.7, and 9.6

Audits, reports, and certificates


Each certification is good for 3 years, at which point NetApp will recertify and reaccredit the products. Each of the links below points to the DISA DoDIN APL Approval Memo, where you’ll find a link to the detailed components and configuration.

* NetApp is no longer supporting this product or continuing its certification for DoDIN APL. Customers who require this certification should contact their account representative to ensure this product meets their compliance requirements.

Cybersecurity Assessment Package (CAP)

To request a copy, send email to the Approved Products Certification Office. The CAP can be sent only to U.S. government civilians or U.S. uniformed military personnel. The request must be received from a .mil or .gov email address and be sent with a digital PKI signature attached.
