UC APL FAQ

  1. What is the DoD UC APL?
  2. What agency/entity is responsible for certifying my product and securing my spot on the UC APL?
  3. What is required to get my product on the UC APL?
  4. My product was on the Army IA APL. Does my listing automatically roll over to the UC APL?
  5. How long will it take to get listed on the UC APL?
  6. I have both FIPS 140-2 and Common Criteria on my product. What else do I need to meet the requirements?
  7. How do I maintain my UC APL listing through product updates and version changes?
  8. What is a STIG and how is it involved in the process?
  9. Can Interoperability (IO) and Information Assurance (IA) testing be performed simultaneously with one another?
  10. How can Corsec help me?
  11. Do I need a government sponsor? What is a sponsor? Who can qualify as a sponsor? What if I cannot find a sponsor?

What is the DoD UC APL?

The Department of Defense Unified Capabilities Approved Products List (DoD UC APL) is a list of IT security products that have completed both Information Assurance (IA) and Interoperability (IO) testing and certification. The DoD UC APL was created under DoDI 8100.04 and UCR 2008, Change 2, to consolidate multiple lists and requirements, making it easier for DoD agencies to purchase products and system components to meet their network needs.

What agency/entity is responsible for certifying my product and securing my spot on the UC APL?

The Unified Capabilities Certification Office (UCCO) acts as the staff element for the NS2, Capabilities Center to manage the Department of Defense (DoD) Unified Capabilities (UC) Approved Products List (APL) Process. The UCCO provides process guidance, coordination, information and support to vendors and government sponsors throughout the entire process, from the registration phase to the attainment of DoD UC APL status.

Why do I need to be on the DoD’s Unified Capabilities – Approved Products List (UC APL)?

Once your product is included on the DoD’s Unified Capabilities – Approved Products List (UC APL), any DoD agency may give it preferential purchase consideration. By law, DoD agencies must give preference to IT network security products that are on this list. If no product on the list meets an agency’s requirements, the agency must then consider sponsoring a vendor to take their product through the UC APL certification process.

What is required to get my product on the UC APL?

To include your product on the UC APL, your product must go through a certification process in which it must meet specific criteria for that type of product. Products must complete both Information Assurance (IA) and Interoperability (IO) testing as well as documentation requirements. IA and IO testing are performed by DoD laboratories such as the Joint Interoperability Test Command (JITC) to ensure that the product can function seamlessly on a government network. IA testing requires certification and validation primarily against FIPS 140-2, Common Criteria, and IPv6, among other standards. It also requires compliance with specified Security Technical Implementation Guides (STIGs). Each individual validation process has its own specific procedures and documentation requirements that must be satisfied to meet that requirement.

My product was on the Army IA APL. Does my listing automatically roll over to the UC APL?

As of October 2010, if you previously achieved a product listing on the Army IA APL, your product may be “fast-tracked” through the UC APL process, as many UC APL requirements are similar to those of the former Army IA APL. The Unified Capabilities Certification Office (UCCO) will make the final decision on any additional requirements that may be needed for a complete UC APL listing.

How long will it take to get listed on the UC APL?

The process can be lengthy if you do not meet DoD deadlines for process, testing, and mitigations. Some vendors spend many months or even years on unsuccessful approval efforts.

Once a product has a Tracking Number (TN) and is submitted to an approved DoD Testing Laboratory, testing usually completes in a few months. However, you should be aware that products containing cryptographic functions must receive any required FIPS 140-2 validations prior to DoD testing. Similarly, products that require Common Criteria evaluation must have completed this process within 180 days of their UC APL certificate readiness.

I have both FIPS 140-2 and Common Criteria on my product. What else do I need to meet the requirements?

FIPS 140-2 and Common Criteria cover only a part of the requirements for listing on the UC APL. To complete the Information Assurance (IA) side, you will need to meet IPv6 requirements and comply with all appropriate Security Technical Implementation Guides (STIGs). You will undergo IA testing with the DoD, which verifies that these requirements have been met and assesses the security readiness of the product in a DoD environment. The other part of the process involves Interoperability (IO) testing, where your product undergoes JITC testing to ensure interoperability.

How do I maintain my UC APL listing through product updates and version changes?

As with most security standards, your product listing on the UC APL is version-specific and requires maintenance in order to reflect version updates. A Desktop Review can be performed on a newer version of your product, which typically results in a quick review and product listing update if changes are not significant. A Desktop Review usually results in one of three outcomes: a listing update with no testing, minimal testing before an update, or a finding that a new evaluation must be done in its entirety. The findings will depend on how significant the updates and version changes are.

What is a STIG and how is it involved in the process?

A STIG (Security Technical Implementation Guide) is a document developed by DISA that provides configuration standards and guidelines for Department of Defense IA and IA-enabled devices/systems on a network. STIGs are generally accompanied by a STIG Security Checklist, which provides instructions and procedures to manually verify that a product is compliant with a particular STIG. The DoD currently supports approximately three dozen unique STIGs, each one relevant to a specific product category.

Can Interoperability (IO) and Information Assurance (IA) testing be performed simultaneously with one another?

Yes, IO and IA testing can run simultaneously when resources permit. IO and IA testing are performed by DoD-designated Testing Centers of Excellence.

How can Corsec help me?

Corsec offers a comprehensive solution to achieve placement on the DoD UC APL. Our methodology centers on the issue identification and gap assessment between your product and federal requirements. Corsec removes the strain from your team by managing every aspect of the project, including extensive documentation processing, communications with UCCO and the testing lab, and managing schedules and deadlines along the way. Corsec clients can obtain their UC APL listing faster, more efficiently and at a lower cost than if they go it alone.

Do I need a government sponsor? What is a sponsor? Who can qualify as a sponsor? What if I cannot find a sponsor?

It’s a specific requirement that a vendor have a DoD Sponsor in order to undergo UC APL testing and listing. It’s also the first thing that the UCCO will verify before assigning you a Tracking Number and allowing you to proceed in the UC APL testing process. However, a Sponsor is not some arcane and mystical thing, and is not really that difficult to obtain. A Sponsor is essentially someone (anyone, really) within the DoD who feels that it is worth testing a product and placing it on the UC APL because they believe they would have a need to purchase or deploy these products. Thus, any existing customer or potential customer can act as a Sponsor, and Corsec routinely works with clients to identify potential sponsors, discuss the responsibilities of being a Sponsor, and sign them up to be a Sponsor for our clients. Where our clients don’t have a Sponsor, we can actually provide one for them, or identify a technical resource who would make a good Sponsor or alternate Sponsor, especially if they have prior experience Sponsoring these or similar products.