The U.S. Department of Defense Unified Capabilities Approved Product List (UC
APL) is the Government's single consolidated list of products that have completed
Interoperability (IO) and Information Assurance (IA) certification.
The complete list of products on the UC APL is available at this
The UC APL is maintained by the Defense Information Systems Agency (DISA) and defines which products are authorized to be deployed by the U.S. Department of Defense.
DISA provides Enterprise Acquisition Services (EAS) for purchasing
telecommunications and information technology (IT) products and services from
the worldwide commercial sector to meet Department of Defense (DoD) and
authorized non-defense customers' needs.
The Department of Defense must draw from this list when it builds its networks.
The mandate that products be approved by DISA is contained in Department of Defense Instruction (DoDI) 8100.04, signed December 9, 2010, by Teresa
Takai, the Department of Defense Chief Information Officer.
DoDI 8100.04 section 4.a defines Unified Capabilities (UC) “as (any single or combination of information media (voice, video, and/or data), whether converged, or
non-converged) on DoD networks.” Section 4.b states, “Products that provide or support UC, acquired or operated by the DoD Components, shall be certified for interoperability and information assurance (IA) as set forth
in this Instruction.”
Products have undergone a rigorous, two-part assessment in order to be added to the APL.
The first assessment is focused on information
Products must prove that they are designed and built in a way that complies with the Department of Defense
security functional requirements and security best practices. The security functional requirements come from a 2,000 page public document called the Unified
The security best practice guides are called Security Technical
Implementation Guides (STIGs).
Products usually have to demonstrate other third-party security certifications, which might include ISO
15408 Common Criteria Certification and National Institute of Standards and Technology Federal
Information Processing Standards 140-2, “Security Requirements for Cryptographic Modules.”
The government conducts a variety of penetration and other security-focused tests to ensure that a product is secure enough to be deployed within government
The second part of testing is called Interoperability testing. While it includes significant
interoperability testing with other vendors, it also includes functional testing to ensure the devices meet the needs of the Department of Defense.
For network devices, this can include support for IPv6, rigorous high availability, and the ability to prioritize and process different types of
traffic, such as mission-critical voice, video, chat and priority data.
All testing is against requirements that are based on open standards from bodies
like the Internet Engineering Task Force (IETF®) or
Institute of Electrical and Electronics
Testing is a full-time effort that lasts for weeks and sometimes
months. The labs that conduct this testing house millions of dollars of specialized test equipment and test infrastructure from many different vendors.
The cost of this testing is tens and sometimes hundreds of
thousands of dollars per certification event.
If your organization cares about security functionality and needs the products it purchases to meet demanding requirements for high availability,
performance, etc., but you don’t have the money or perhaps the time to conduct a detailed test of your own, you should look at the U.S. Department of Defense’s
Unified Capabilities Approved Product List.