NIAP 3.0 vs. NIAP 4.0: What's the Difference?

Oct 12, 2021 | Black Box

Online criminals pose a danger to national security. These criminals may hack economic institutions, government websites, or power infrastructures as a way of stealing sensitive data, extorting money, or advancing an ideological agenda. [1]

Cybercrime is growing at about 15 percent year over year, and will cost companies worldwide an estimated $10.5 trillion annually by 2025, up from $3 trillion in 2015. [2]

How Can You Mitigate Security Risks to Your Public- or Private-Sector Network?

To ensure that they introduce no additional risk when deployed in the national security sector, Secure KVM switches are evaluated according to a NIAP Protection Profile (PP). This comprehensive profile describes security requirements for a Peripheral Sharing Switch (PSS) that connects a common set of peripherals to one or more attached computers. Businesses in the private sector may choose to conform to these standards as well.

What Does NIAP Include?

The NIAP PP for secure desktop KVM sets forth a baseline set of requirements to mitigate well-defined and well-described threats. Stringent conditions and test scopes for secure KVM switches include: type, usage, and authorization of connected peripherals (monitor, keyboard, mouse, and other USB devices); data flow and anti-tamper rules; audio/data/channel isolation; CAC settings; and video protocol authorization and handling.

Established as the official current protection profile in 2015, NIAP PP PSD V3.0 was superseded in 2020 by NIAP PP PSD V4.0. While NIAP 4.0 builds on the requirements outlined in NIAP 3.0, there are some notable differences between the two protection profiles for Secure KVM.

How Do the Differences between NIAP PP PSD V3.0 and NIAP PP PSD V4.0 Affect Your Network?

  1. You only need to claim relevant peripheral types.
    NIAP PP 3.0 mandates one single protection profile for all switch types, but NIAP PP 4.0 applies a base-protection profile with individual modules for peripheral types.

  2. Guidelines for allowed/prohibited devices are less vague.
    Because NIAP PP 3.0 is ambiguous about types of devices that are or aren’t permitted, NIAP PP 4.0 now states more explicitly which device types are allowed or prohibited (e.g., matrix devices are no longer allowed).

  3. In V3.0, isolation requirements must be integrated with the security target (ST).
    In V4.0, isolation materials may be a security target addendum or a separate document.

  4. Fewer “if-then” steps.
    V3.0 mandates tests with large numbers of conditional steps based on product functionality, but V4.0 aligns granular requirements specifically with test activities to identify which specific tests were done.

  5. Different security targets.
    Instead of testing all models of a product family on a single security target as in V3.0, different security targets are vital for different supported peripherals in V4.0 (for example, CAC and non-CAC models are different configurations).

  6. A specific list of allowed and rejected sub-protocols.
    Rather than testing a generic list of video protocols, V4.0 specifies a list of allowed and rejected sub-protocols based on the supported video protocols (DP, DVI, HDMI, USB-C, and VGA).

  7. Optional tamper response.
    Tamper response is optional in V4.0 (it is mandatory in V3.0), because some devices may have swappable cards for different peripheral types (in which case tamper seals are sufficient).

  8. V4.0 permits audio-in devices.
    V3.0 prohibits audio-in (microphone) capability, while V4.0 permits audio in, but only if the device does not support any other peripheral types (for example, a microphone cannot coexist with speakers).

  9. Banned PS/2 ports.
    PS/2 ports are allowed in V3.0 and are banned in V4.0.

  10. V4.0 allows the use of multiviewers.
    Although V3.0 does not specify multiviewer requirements, V4.0 allows the use of multiviewers (however, they must use OSD to identify the active video channel[s]).

While NIAP PP 3.0 compliant devices are still on the market and provide excellent protection from cyber threats, the updated NIAP PP 4.0 addresses specific details about your particular network to help you better mitigate the risks of a cyberattack. Both the NIAP 3.0 and 4.0 protection profiles guard your sensitive data against sophisticated or not-so-sophisticated hackers. Complying with NIAP standards can prevent your network from becoming part of the projected 15% increase in cyber hacks now and beyond 2025.

To learn more about Secure KVM, download the free white paper, “Meeting Cybersecurity Threats with Secure KVM Switches.”

References

[1] https://safetymanagement.eku.edu/blog/threats-to-national-security/
[2] https://www.embroker.com/blog/cyber-attack-statistics/