Product/Service Application Form and Guidance
VERSION 1.3.1
FIPS 201 EVALUATION PROGRAM

March 2, 2015

Office of Government-wide Policy
Office of Technology Strategy
Identity Management Division
Washington, DC 20405

1. Overview

This document provides the guidance and location of forms necessary to complete the application process to have your product or service component listed on the FIPS 201 Evaluation Program (Program) Approved Products List (APL). Each section seeks relevant information necessary for testing and approval of your offered component.

Please use the included checklist in Section 3 to ensure the completeness of your application before submitting it to GSA for review. Forms required for the completion of your application are in a zip file posted to the Program’s website:

After you ensure that all forms are properly completed, submit your application package to . The testing team will contact you after your application has been reviewed or if additional information is required. If you have questions during the application process, please contact the testing team .

2. Applicant Information

2.1. Company Information:

Company Name
Address
City
State
Zip Code
Company Website

2.2. Primary Contact Information:

First Name
Last Name
Title
Address
City
State
Zip Code
Phone Number
Email Address

2.3. Secondary Contact Information:

First Name
Last Name
Title
Address
City
State
Zip Code
Phone Number
Email Address

3. Checklist

As you complete the application package, please use the Checklist below to ensure that all steps of the application have been properly completed. This will help ensure that your application is processed in a timely manner (i.e., without delay due to missing or incomplete forms).

Applicant Information (Section 2 above)

Product Information for products to be tested (see Section 5)

Topology Mapping (see Table 10)

Self-Attestation (Self Attestation form)

Lab Services Agreement (Lab Services Agreement form)

Product Series Attestation (see Product Series Attestation form)

4. Product Information Guidance

4.1. Overview

The Program performs end-to-end system testing on products within categories that are part of a submitted end-to-end system. Therefore, you must provide a complete list of the end-to-end equipment you will be sending to the Lab for testing. After application processing, the equipment received will be compared against the Application Tables defined in Section 5 to ensure all equipment has arrived. You must provide a ship date and tracking number to ensure Lab resources are available to receive your equipment. Do not ship equipment until your Application has been approved.

4.2. Guidance Defining Solution Elements

Products submitted must be part of an approved or provisionally approved topology. A topology defines the categories and the basic architecture of an end-to-end system solution. This form uses the 13.01 topology as guidance/examples.

Vendors must select a topology and a category that best represents the functional characteristics of the products being submitted for testing. In order to make selecting tested solutions easier for procurement officials, the Program assigns a unique identifier for each approved end-to-end system. This unique identifier is referred to as an Approved End-to-End System Designator. The designator is broken into two parts. The first part before the hyphen represents the topology, and the second part after the hyphen represents the order in which the products were tested and approved. Table 1 shows an example of two end-to-end solutions tested and approved under the 1301 topology.

To further support the effort to make procurement of these solutions easier, the vendor must provide a SKU# that includes each of the products used to complete the end-to-end solution that was tested and approved by the FICAM lab. It is only required that this number be used as a reference. This enables integrators and procurement officials to refer to a single SKU# that includes each product component of the tested solution, without having to refer to each product component individually for any given installation; various quantities of a given component within the SKU may be required. Example SKUs are provided for Software House in Table 2, Brivo in Table 3, and HID in Table 4.

4.3. Example Tables of Approved Solutions

The following example tables are intended to show how this is applied in practice. The SKU designators are examples. As stated earlier, the vendor is fully responsible for assigning SKUs and the products within the SKUs for an end-to-end system’s categories. The following example tables accurately reflect the components that make up the approved end-to-end solutions defined in 13.01 and 13.01.

Table 1 - Approved System Designators and SKUs for 13.01 Topology

Approved End-to-End System Designator / PACS Infrastructure / Validation System / PIV Reader
13.01 / Software House SKU=CC9000-HID / HID SKU=CB-PAM-SWHSE-pC / HID SKU=pC
13.01 / Brivo SKU=App-HID / HID SKU=CB-PAM-BVO-pC / HID SKU=pC

Each SKU within a topology’s category must define all necessary product components for the Approved End-to-End System Designator. The following tables demonstrate what each SKU would represent within the Approved End-to-End System Designator. The example tables define existing approved end-to-end systems (13.01 and 13.01) for reference.

Table 2 - Software House SKUs

SKU / MFG Part # / Product Description / Hardware/Firmware/Software Version # / APL Certificate Number
CC9000-HID / CC9000 / C*Cure 9000 Server / 2.20 P1 / 221
ESTAR002-POE1 / iSTAR Edge Controller w/PoE (for CC9000) / 5.2.5 / 222
Software House APS / Power Supply / 2402-0950-01 Rev E0 / 223

Table 3 - Brivo SKUs

SKU / MFG Part # / Product Description / Hardware/Firmware/Software Version # / APL Certificate Number
App-HID / ACS-Aparator BA50 / Brivo Aparato OnSite Appliance / 3.0.6.1 / 301
ACS5000-A / Brivo ACS 5000-A-F series OnSite / 3.0.6.1 / 302
ACS5000-DB / Brivo Two Reader Expansion Daughter Board / 3.0.6.1 / 303
ACS IPDC 2A / Brivo IP Door Controller for Aparato / 3.0.6.1 / 304

Table 4 - HID SKUs

SKU / MFG Part # / Product Description / Hardware/Firmware/Software Version # / APL Certificate Number
CB-PAM-SWHSE-pC / PCRE-2302 / pivCLASS Registration Engine (CCURE 9000) / 1.2.238.0 / 101
PCCM / pivCLASS Certificate Manager / 1.2.238.0 / 102
PCRS / pivCLASS Reader Services / 1.2.238.0 / 103
PCID-UNL / pivCLASS IDPublisher / 1.2.238.0 / 104
91000ABNNN / pivCLASS Authentication Module (for CC9000) / 4.0.0.5.c5 / 105
CB-PAM-BVO-pC / PVCP-D/S-0000 / pivCLASS Registration Engine for MultiPACS / 1.2.238.0 / 106
PVC-MPX-CNSL / pivCLASS MultiPACS Console / 1.2.238.0 / 107
PVC-MPX-CNX-0300 / pivCLASS MultiPACS Connector for Brivo Aparato / 1.2.238.0 / 108
PVC-CM / pivCLASS Certificate Manager / 1.2.238.0 / 102
PVC-FXRDR / pivCLASS Reader Services / 1.2.238.0 / 103
PCID-IDpubUNL / pivCLASS IDPublisher / 1.2.238.0 / 104
91000ABNNN / pivCLASS Authentication Module / 1.2.238.0 / 105
CB-SWHSE-Ver / PCRE-2302 / pivCLASS Registration Engine (CCURE 9000) / 1.2.238.0 / 101
PCCM / pivCLASS Certificate Manager / 1.2.238.0 / 102
PCRS / pivCLASS Reader Services / 1.2.238.0 / 103
PCID-UNL / pivCLASS IDPublisher / 1.2.238.0 / 104
pC / 920PHR / pivCLASS RP40 Contactless Reader / REV. E / 106
923PHR / pivCLASS RPKCL40 Contact/Contactless Reader with PIN / REV. E / 107

4.4. New Applications

When filling out a new application, the vendor(s) applying must fully complete the tables representing their complete end-to-end solution. The following tables are presented as an example. In this instance, Veridt readers are being submitted against previously approved end-to-end system components, creating a new solution. New SKUs are required from HID and Veridt (designated with New Submission). A table for Software House SKUs is not required. The Software House SKU CC9000-HID is the previously approved SKU and accurately reflects the elements that are being tested with Veridt readers.

Table 5 - New submission against topology 13.01 for an end-to-end system including Veridt readers

Approved End-to-End System Designator / PACS Infrastructure / Validation System / PIV Reader
13.01 / Software House SKU=CC9000-HID / New Submission: HID SKU=CB-SWHSE-Ver / New Submission: Veridt SKU=Ver-CB

A new SKU is required for HID to support Veridt as shown in Table 6. The only difference between this SKU and HID’s CB-SWHSE-pC is the removal of the pivCLASS Authentication Module from the SKU.

Table 6 - New HID SKU submission to support Veridt

SKU / MFG Part # / Product Description / Hardware/Firmware/Software Version # / APL Certificate Number
CB-SWHSE-Ver / PCRE-2302 / pivCLASS Registration Engine (CCURE 9000) / 1.2.238.0 / 101
PCCM / pivCLASS Certificate Manager / 1.2.238.0 / 102
PCRS / pivCLASS Reader Services / 1.2.238.0 / 103
PCID-UNL / pivCLASS IDPublisher / 1.2.238.0 / 104

The Veridt components for the PIV Reader submission are shown in Table 7.

Table 7 – New Veridt SKU

SKU / MFG Part # / Product Description / Hardware/Firmware/Software Version # / APL Certificate Number
Ver-CB / 900M2000 / EWAC communications module / 1.2.1 / New Submission
900W2030 / MultiMode Stealth Bio / 1.2.1 / New Submission
900W2036 / MultiMode Stealth Dual / 1.2.1 / New Submission

4.5. Common Components

“Common Components” are product components that have been previously approved within an approved topology’s categories. If your submission leverages an approved topology and its components, you must list all SKUs that are required for the entire end-to-end system under test. If you are leveraging Common Components within a topology, complete the APL Certificate Number column in each SKU table to define the Common Components used for your end-to-end system under test. The Topology Mapping Form has a “Process” column; you do not need to provide the normally detailed process description for existing SKUs. You must reference the APL certificate number (e.g., APL#115) in your process description, showing knowledge of how the whole system works end-to-end. Approved SKUs and component product information can be found on the Approved Products List.

5. Application Tables

The following tables shall be completed by the vendor(s) to fully describe their complete end-to-end system being submitted for testing. Please use Section 4 as a guide.

For any given application, a topology and SKU table is required. Existing SKUs may be used. All new SKUs shall be noted with “New Submission” and the vendor’s SKU.

Table 8 – Topology and end-to-end system SKUs

Topology Designator / Category 1 / Category 2 / Category 3 / Category 4 / Category n
Topology number / Vendor SKU= / Vendor SKU= / Vendor SKU= / Vendor SKU= / Vendor SKU=

For each new SKU in the end-to-end system for this application, an SKU table is required that fully defines the part numbers, product description, and hardware/firmware/software version #s. If the component already has an APL certificate, please list it. If not, state “New Submission” in the table.

Table 9 – New SKU Table

SKU / MFG Part # / Product Description / Hardware/Firmware/Software Version # / APL Certificate Number
Vendor assigned SKU

6. Topology Mapping

6.1. Overview

An approved topology’s Topology Mapping Form provides the Program’s mapping of functional requirements identified in the Functional Requirements and Test Cases (FRTC) document to that topology’s categories. Note that the columns for Category(ies), Components and Process are intentionally left blank in the table and must be completed by you when submitting a solution to the Program for evaluation.

If you are submitting your component as a part of a pre-approved topology, please see the “Approved Topology Mappings” folder to select the functional requirements topology mapping document that best fits your product or service submission. If there is no pre-approved topology that supports the solution you are submitting, you must provide a topology application that correctly reflects your solution. Your topology application must go through the topology adoption process before proceeding further with your application. To apply with a new topology, please email.

6.2. Guidance

“Mapping” is the process of taking the functional requirements defined in the FRTC and allocating them into an approved topology’s categories, and then indicating the specific components within the end-to-end solution that perform the operations for that requirement.

As stated in Section 4.1, a reader manufacturer is submitting a new PIV Reader to be added to an existing approved set of Common Components for the Validation System and PACS Infrastructure. Two examples are provided in Table 10. The first example shows Common Components that address the requirement in its entirety. In this case, the Process column should indicate “Not Applicable” or “N/A”. The second example shows the new PIV Reader and its interaction with the Validation System and the PACS Infrastructure.

Table 10 - Example Mapping Table

Test / Requirement / Category(ies) / Component(s) / Process
2.1 / Signature Verification
2.1.1 / Verify product's ability to validate signatures in the certificates found in the certification path for a PIV credential / PACS Infrastructure, Validation System / Validation Engine (APL#116), PACS Application (APL#222) / N/A
7.6 / Validation at Time of Access
7.6.4 / Shall support PIV Authentication Key + PIN (PKI-AUTH) / PACS Infrastructure, Validation System, PIV Reader / PIV Reader, Secure Controller (APL#115), Validation Engine (APL#116), Controller Board (APL#221), PACS Application (APL#222) / The user inserts their card into the PIV Reader. The Validation System uses the PIV Reader to prompt for a PIN and perform challenge/response with the card. If the Validation System determines success, it presents the credential number to the PACS Infrastructure for authorization. Upon authorization, the door successfully unlocks.

The first example provided in Table 10, the 2.1.1 test for signature verification, is performed at time of registration, not at time of access. The Components column lists the approved Common Components for PACS Infrastructure and Validation System for this test. The PACS Infrastructure provides the registration workstation. The Validation System is doing the Public Key Infrastructure (PKI) signature verification for the end entity, and the Validation System’s Path Discovery and Validation (PDVal) engine is evaluating signatures and caching status for the Certification Authority (CA) certificate path. As the PIV Reader is not involved, the Process column reflects “N/A”.

The second example provided in Table 10, the 7.6.4 test for validation at time of access, incorporates the entire system. The Components column lists the PIV Reader and all Common Components involved in the transaction. The Process column is properly filled out to provide sufficient information on which category is doing what during the transaction.

7. Self-Attestation

7.1. Overview

The Self Attestation form asserts that the offering you are submitting for Program conformance evaluation completely satisfies requirements stated in the FRTC document.

7.2. Guidance

You must ensure that each component of your submittal is clearly identified in the tables listed in the Self Attestation form. If a component in your topology is already certified as a component of another approved topology, please ensure the APL# for that particular component is included with your submission.

8. Lab Services Agreement

8.1. Overview

The Lab Services Agreement form is an agreement between you, the Applicant, and the Lab. The Agreement outlines services the Lab will provide and the role that each party will play during the evaluation and testing process.

8.2. Guidance

You must read the Agreement completely and agree to its terms and conditions. Please ensure that you complete, sign, and date Section 1.5 of the Agreement.

9. Product Series Attestation

9.1. Overview

The Program has defined a set of criteria that supports product series testing. This eliminates redundant testing, allowing multiple products to be certified simultaneously. The criteria for product series are defined in the FIPS 201 Evaluation Program Product Series Self Attestation Form.

9.2. Guidance

Please complete a FIPS 201 Evaluation Program Product Series Self Attestation Form for each component that is part of a product series.

Application documents can be found at: