Frequently Asked Questions

Have a different question? Submit inquiries through our Contact page.

General FAQs

What is Common Criteria?

The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification.

Common Criteria is a framework in which computer system users can specify their security functional requirements and security assurance requirements (SFRs and SARs respectively) in a Security Target (ST); these requirements may be taken from Protection Profiles (PPs). Vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet those claims. In other words, Common Criteria provides assurance that the specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner, at a level commensurate with the target environment of use.

What is NIAP?

The National Information Assurance Partnership (NIAP) is a United States government initiative, operated by the National Security Agency (NSA), to meet the security testing needs of both information technology consumers and producers. It was originally a joint effort between NSA and the National Institute of Standards and Technology (NIST).

What is the value of Common Criteria certification on Seagate Drives?

Common Criteria certification is the only standard that evaluates against NIST Special Publication 800-88 (strong media sanitization, e.g. cryptographic erase) and NIST Special Publication 800-57 (security requirements). Combined with FIPS 140-2 Level 2 certification, this ensures both that data is encrypted and that, when the encryption keys are erased, the erasure is validated.

What is TAA and what does it mean?

TAA (Trade Agreements Act: 19 U.S.C. § 2501–2581) fosters fair and open international trade between nations by requiring that products be produced in, or undergo “substantial transformation” within, the United States or a designated country. While TAA compliance is often thought of in relation to storage systems, it also applies to individual components, such as hard drives and SSDs.

Four types of designated countries having reciprocal trade agreements with the US:

  • Canada, Mexico and Australia
  • Countries participating in the World Trade Organization’s Government Procurement agreement, including Japan and many European countries
  • Caribbean Basin countries, such as Costa Rica, Haiti and Jamaica
  • Countries designated as “least developed,” such as Afghanistan, Bangladesh, Laos and Ethiopia [1]

Non-TAA countries include:

  • People’s Republic of China, Iran, North Korea, Russia, Cuba and India (This presents a significant issue for some electronics manufacturers.)

TAA countries are Approved and Recorded in the Federal Register

Seagate’s TAA-compliant solutions for enterprise and notebook hard drives are the only solutions approved and recorded in the Federal Register. This eliminates the requirement for waivers for TAA storage and meets the encryption requirements set by the US Government for both US Government entities and contractors.

What are the Penalties for Non-Compliance with TAA?

Any supplier holding a GSA Schedule or other US Government contract, such as DOD contracts and IDIQs, must ensure their products comply with TAA standards. Non-compliance could lead to bid award cancellation, significant fines and potential exclusion from Federal contracting. Additionally, TAA cannot be ignored even when individual order values fall below the dollar threshold, which is currently $203,000 for goods and services. GSA states:

  Since the estimated dollar value of each Schedule exceeds the established TAA threshold, TAA is applicable to all Schedules. In accordance with TAA, only U.S.-made or designated country end products shall be offered and sold under Schedule contracts. Based on this ruling, that means all products offered under GSA Schedule

Source: https://www.gsa.gov/buying-selling/purchasing-programs/gsa-schedules/schedule-buyers

Does Seagate have enclosures and RAID devices?

Yes. Seagate offers enclosures ranging from 2U12 up to the highest-density enclosure on the market, the 4U106. A complete list of Seagate’s enclosures can be found at: https://www.seagate.com/enterprise-storage/systems/exos/?utm_source=eol&utm_medium=redirect&utm_campaign=modular-enclosures

FedRAMP FAQs

What is FedRAMP?

FedRAMP (Federal Risk and Authorization Management Program) is a government-wide certification program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. It applies to Federal Agencies implementing a private cloud and to any Cloud Service Provider (CSP) that will host a Federal Agency’s data. FedRAMP enables Federal Agencies and CSPs to move rapidly from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT. For more information, please see: www.fedramp.gov

How does FedRAMP work?

FedRAMP has created and manages an extensive core set of security processes and controls (more than 300) to ensure effective, repeatable cloud security for the government. The Federal Agency or CSP must provide detailed documentation on how it will comply with each FedRAMP control as part of its overall System Security Plan (SSP). The SSP must pass an extensive FedRAMP audit for the system to become FedRAMP Authorized.

What is Seagate doing around FedRAMP?

Leveraging Seagate’s Common Criteria (CC) Certification, Seagate was able to provide FedRAMP control documentation, in the official FedRAMP templates, for all the controls associated specifically with Seagate’s HDDs, SSDs and enclosures. The Seagate-supplied and certified FedRAMP security control documentation will pass any FedRAMP audit and can be used by any Federal Agency or CSP as part of its own FedRAMP SSP.
Why is this important and which FedRAMP security controls were documented by Seagate?

Seagate’s FedRAMP Security Control documentation saves a CSP or Federal Agency significant time and money as they implement their FedRAMP SSP and obtain FedRAMP Authorization for their cloud infrastructure.

Seagate’s FedRAMP documentation contains Seagate specific information for the following FedRAMP controls:

Media Protection Controls
  • MP-1 - Media Protection Policy and Procedures
  • MP-2 - Media Access
  • MP-3 - Media Labeling
  • MP-4 - Media Storage
  • MP-5 - Media Transport / Control Enhancement
  • MP-6 - Media Sanitization and Disposal / Control Enhancement
  • MP-7 - Media Use / Control Enhancement

Access Enforcement
  • AU-2 - Audit Events
  • AU-8 - Time Stamps
  • AU-12 - Audit Generation
  • SC-28 - Protection of Information at Rest

Footnotes:
  1. Ponemon Institute, 2008 Annual Study: U.S. Cost of a Data Breach, February 2009, www.ponemon.org, as quoted in “Data-breach costs rising, study finds,” Ellen Messmer, Network World, 02/02/09.
  2. Intel Study: Stolen Laptops Cost to Business, eWeek, April 23, 2009; Ponemon Institute Study, April 2009.
  3. http://csrc.nist.gov/groups/STM/cmvp/index.html/
  4. www.cesg.gov.uk/