Do SABI/TSABI approved COTS IA/IA-enabled IT products qualify as “validated” under NSTISSP #11?
Generally not. However, much of the information that is created in the context of preparing a product for use in a SABI/TSABI environment will contribute greatly to a NIAP COTS testing activity and vice versa. As noted in Policy Information and Guidance Question 15, if the COTS product has already been procured and fielded, it need not retroactively go through a NIAP testing activity. However, if a COTS IA/IA-enabled IT product resides on the SABI/TSABI list and is being purchased after July 1, 2002, it is subject to NSTISSP #11 COTS IA testing.
Related Questions
- What guidance is available regarding "the appropriate combinations and implementation of GOTS, COTS IA and IA-enabled products"?
- I have a number of COTS products in an already fielded and accredited system. How does NSTISSP #11 apply to me?
- Do SABI/TSABI approved COTS IA/IA-enabled IT products qualify as "validated" under NSTISSP #11?