Department of Defense Information Network Approved Products List Certification

11 Aug 2020

Understanding the Process

The Department of Defense Information Network (DoDIN) Approved Products List (APL) was established to identify products that have undergone security and interoperability testing in order to ensure they can be acquired and deployed by Military Departments and DoD agencies as part of their communications network. This process is managed by the Defense Information Systems Agency's (DISA) Approved Products Certification Office (APCO).

FIPS 140-2, Common Criteria and DoDIN APL form the trifecta of security certifications that are generally required to sell across the US Federal Government agencies. As has been covered on this blog previously, FIPS 140-2 is broadly required across the US Federal Government (and increasingly by State and Local Governments), Common Criteria is generally required for National Security agencies and DoDIN APL is specific to the Department of Defense. 

FIPS 140-2 is a NIST standard for the use of cryptography and a prerequisite for a DoDIN APL listing and Common Criteria, an internationally accepted security standard based on product technology, is required for several product categories. 

The DoDIN APL testing is broadly divided into two categories:

1. Cybersecurity (CS) or Information Assurance (IA) testing: As part of this testing you would exhibit that the product can be securely configured, based on DoD provided Security Technical Implementation Guides (STIGs). 
2. Interoperability (IO) testing: This testing ensures that the product interoperates correctly when placed within the DoD network.

The end-to-end process of certification can take 13-15 months and usually starts with an initial assessment in which product category and applicable STIGs are determined. This is followed by a self-assessment to determine if the product meets all STIG requirements. Assuming all gaps identified (and there will be gaps!) during the self-assessment are manageable, and there is a path forward identified in closing these gaps, we can move to the Initial Contact Meeting (ICM) with APCO. At this point the official engagement begins from APCO's point of view. Post ICM, a test date at DISA testing center is determined.

Unlike FIPS and Common Criteria, this certification doesn't have commercial laboratories. Testing is performed at DoD operated labs. At the lab, CS/IA and IO testing is performed and the outcome of which is a provisional listing and a Plan of Action and Mitigation (POA&M). These POA&Ms reflect the issues identified during the testing phase and usually are required to be addressed within a year. 

That is DoDIN APL in a nutshell; we'll be discussing the process in greater detail in future blogs so stay tuned.  Learn more about our services.