

Approved Products List (APL)

Frequently Asked Questions

Do I need an APLITS account to view the DoDIN APL?

NO. The DoDIN APL is publicly accessible at https://aplits.disa.mil/apl

How do I acquire additional information about a solution on the DoDIN APL?

Please contact the Approved Products Certification Office (APCO) at disa.meade.ie.list.approved-products-certification-office@mail.mil with the Tracking Number (TN) and description of the product you are requesting information for. Note that only government civilian and/or uniformed military personnel may receive the Cybersecurity Assessment Package (CAP).

Why can’t I find the type of device I need?

The scope of the DoDIN APL is determined by the Unified Capabilities Requirements (UCR) document. Solutions which do not fall into an applicable category are not eligible for listing on the DoDIN APL.

Where are software, programs, etc. listed on the DoDIN APL for my military/government laptop?

Software that does not support Unified Capabilities (UC) is not applicable for placement on the DoDIN APL. You may want to review the National Information Assurance Partnership (NIAP) site or contact their help desk below for more information on approved software.

NIAP website: https://www.niap-ccevs.org/Product/

NIAP Team Email: niap@niap-ccevs.org

Where can I find a list of approved KVMs and Peripheral devices?

KVMs and Peripheral devices do not fit within the scope of the DoDIN APL testing process. The National Information Assurance Partnership (NIAP) team manages a list of compliant Peripheral devices at https://www.niap-ccevs.org/Product/

Where can I find a list of approved Red/Black Peripheral products?

A list of approved Red/Black Peripheral products is available here: https://disa.mil/services/network-services/video/~/media/files/disa/services/dvs/red_black_peripherals.xls

Equipment not on the list may be added through one of the following methods:

1) Successful evaluation by an NSA Certified Tempest Lab and providing Certification Letter to DVS

2) Evaluation by the DISA Certified Tempest Technical Authority (CTTA). Send equipment and completed Assessment Request Form to: DISA NS5- For shipping instructions, contact: dvscap@disa.mil Commercial (703) 882-0839, DSN (312) 381-0839

What are the steps I need to follow for submitting a product for DoDIN APL testing?

Please refer to the DoDIN APL Process Guide.

How do I know if a product has been removed from the DoDIN APL?

If a previously approved product has expired and is no longer listed on the DoDIN APL, it will be listed on the DoDIN APL Removal List. Only products currently listed on the DoDIN APL can be purchased in accordance with the DoDI 8100.04. However, continuing to use previously purchased products that were once on the DoDIN APL is acceptable, so long as: applicable STIGs/SRGs are applied, all Cybercom IAVAs/IAVMs are adhered to, and the Vendor still offers support.

Can I connect to the DSN prior to receiving approval to connect (ATC)?

No. You must receive approval from the Connection Approval Office prior to connecting to the DSN.

Who can Sponsor a product for DoDIN APL testing and what are the responsibilities of a Sponsor?

Any DoD Component user of the DISN with acquisition or management-level responsibilities of equipment can Sponsor a product for testing. However, the "Vendor" or company who makes the product is the entity responsible for submitting any products for DoDIN APL testing. Refer to the DoDIN APL Process Guide for additional information on roles and responsibilities.

Why do I need a Sponsor for my product to be tested?

The requirement for a Sponsor was established for the first time in the DoDI 8100.04. With the signing of the DoDI, it became a violation of Department of Defense Policy for either Interoperability or Cybersecurity testing to occur without the product having a government Sponsor.

How do I know what STIGs/SRGs to apply to my products?

It is up to the Vendor to work with the Sponsor to examine all components of the solution desired to be tested, and compare against the list of available STIGs/SRGs to see which apply and which do not. It is strongly advised that any applicable STIGs/SRGs that are available for any components of your solution be applied prior to applying for testing. Non-compliance with available STIGs/SRGs will result in increased vulnerabilities discovered and reported at the end of testing.

Where can I access the latest STIGs?

The latest STIGs/SRGs are available at the Information Assurance Support Environment (IASE) site.

What if applying every item of the STIG/SRG breaks my product?

If certain items within a STIG/SRG render a device inoperable, try to pinpoint exactly which item of the STIG/SRG is causing the problem. You then have two choices: you can either make changes to your product so that it will work with that item in the STIG/SRG, or you can document a mitigation procedure for that item and submit it to the Cybersecurity test team with your product prior to testing. In the latter case, the vulnerability and mitigation will be reflected in the Cybersecurity Assessment Report for the product.

What is Common Criteria Certification?

Common Criteria certification is a standard that came into effect on July 1, 2002 with the passing of the NSTISSP #11. It mandated that departments and agencies within the Executive Branch, for use on National Security Systems, only acquire Cybersecurity and Cybersecurity-enabled information technology products that are certified as meeting common criteria security standards.

To avoid repeating testing, we prefer that Common Criteria certified devices be used for device types where such devices exist, such as firewalls and operating systems. It is strongly recommended that a solution use Common Criteria certified components when they are available. For more information, go to http://iase.disa.mil/common.

How do I know if a product is common criteria certified?

For a list of common criteria certified products go to the Common Criteria website.

What is FIPS and how does it apply to the DoDIN APL testing process?

Federal Information Processing Standards (FIPS) are the standards and guidelines for information processing developed by the National Institute of Standards and Technology (NIST) and approved by the Secretary of Commerce as requirements for the federal government for Cybersecurity and Interoperability. All products providing cryptographic-based security per applicable Federal Law and STIG/SRG requirements must be certified to FIPS 140-2 standards per the Cryptographic Module Validation Program (CMVP). For more information visit the NIST website.