What is the DoD’s Information Network Approved Products List (DoDIN APL) and why is it important to you? You’ve probably heard that it has to do with the Department of Defense — absolutely true and certainly very important. But there are other reasons that you should be concerned about getting your product onto the DoDIN APL.
The Department of Defense (DoD) agencies certainly can be a huge market for IT security products. The fact is that the DoD cannot buy any product or component if it is not listed on the DoDIN APL. The list is maintained by the Defense Information Systems Agency (DISA), and DoD organizations must draw from it when they build their networks. But equally important for vendors is the fact that once you are on the DoDIN APL, you have demonstrated that your product has met rigorous testing and security standards, making you more marketable in the private sector as well.
As an overview, there are two assessment parts to the DoDIN APL process. The first is information assurance (IA), or in layman’s terms, security. Testing must prove that your product is built so that it complies with the DoD requirements and best practices. The security functional requirements come from a robust 2,000-page public document called the Unified Capabilities Requirements, and the security best practices guides are called Security Technical Implementation Guides (STIGs). The second part of the assessment is called interoperability (IO) testing. This is a full-time testing operation that can take weeks or months and carries quite a price tag (see below). So, consider that a vendor’s product that has successfully maneuvered through both of these assessment phases and has made it onto the DoDIN APL would be seen as quite desirable not only by the DoD, but by any company seeking products or components with proven security qualities.
So, now that you see the benefits of being listed on the DoDIN APL, what does it take to successfully get onto that list? Actually, quite a bit. Here’s what you need to know to get started.
Like any certification, do not jump in without adequate planning. There is quite a bit of detail to consider, including who from your organization should be involved, what documentation is necessary and how to prepare it, what product category to choose to make the process most efficient, and more. The right planning makes a difference. We’ve seen organizations get stuck for a year or more in the DoDIN APL testing process, so make sure you have a plan in place to deal with red tape and any hurdles that may appear.
The process of getting onto the DoDIN APL is both long and expensive. Expect the entire certification to cost between $100,000 and $300,000. It’s a substantial investment, but remember, the ROI can be significant from both the government and the private sector. Some things to consider as part of the budgeting process:
- Remember that a Common Criteria certification and very likely a FIPS 140-2 validation are going to be required of your product before it will be accepted onto the DoDIN APL. You should figure the costs (and time to complete them) for these evaluations into your budget.
- Don’t underestimate the time and resources that staff will be spending on documentation and managing issues with the testing lab instead of other, revenue-generating projects.
- Testing lab fees can be substantial, and you are not able to “bargain shop” for the best price. You are assigned a lab and must pay the regulated fees that it charges.
- Allow for a buffer in case things go wrong. Any setbacks make costs go up.
Often vendors give up or never begin the DoDIN APL process because it can seem daunting. A consultant can be helpful for a complicated process like the DoDIN APL, shepherding you through each stage. Working with someone who has navigated the DoDIN APL process numerous times, knows the requirements, is familiar with the testing labs, and can avoid red tape can be a huge advantage. You can save both time and money by reducing the chance of hiccups and setbacks. For more on the ins and outs of the DoDIN APL, check out our DoDIN APL page.
Corsec has more than 18 years of experience with successful FIPS, Common Criteria, and DoDIN APL evaluations. Contact us to find out how we can help you.