NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-4(7) — NIAP-approved Protection Profiles
(a) Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
(b) Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.
Supplemental Guidance
See [NIAP CCEVS](#795aff72-3e6c-4b6b-a80a-b14d84b7f544) for additional information on NIAP. See [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) for additional information on FIPS-validated cryptographic modules.
Practitioner Notes
NIAP (National Information Assurance Partnership) Protection Profiles define the security requirements for specific product categories. Using NIAP-evaluated products gives assurance that each product has been independently evaluated against a recognized security standard rather than relying on vendor claims alone.
Example 1: When procuring security products for a DoD environment, check the NIAP Product Compliant List at niap-ccevs.org. Only products with current NIAP evaluations against the relevant Protection Profile should be considered. Include NIAP evaluation as a mandatory requirement in your procurement specifications.
Example 2: For mobile device management, require products evaluated against the NIAP MDM Protection Profile. For firewalls, require the Network Device or Stateful Traffic Filter Firewall Protection Profile. Document which Protection Profile applies to each product category in your acquisition procedures.