APLITS

The Approved Products List Integrated Tracking System (APLITS) is utilized by participants actively involved in the Department of Defense Information Network (DoDIN) Approved Products List (APL) Testing Process.

The DoDIN APL is publicly accessible without an APLITS account here: https://aplits.disa.mil/apl

Contact the Approved Products Certification Office (APCO):
disa.meade.peo-transport.list.approved-products-certification-of@mail.mil
Email APCO

APLITS Access

APLITS access is available to Government/Military personnel that possess a DoD CAC and to Vendors with an External Certification Authority (ECA) token. Vendors can obtain an ECA (Medium Token Assurance or Medium Hardware Assurance Certificate) from the following companies:

IdenTrust, Inc

Operational Research Consultants, Inc.

For questions regarding APLITS access, contact the APCO at disa.meade.peo-transport.list.approved-products-certification-of@mail.mil.

DoDIN APL Documents

Click to Expand

The Department of Defense Information Network (DoDIN) Approved Products List (APL) is the single consolidated list of products that have completed Cybersecurity (CS) and Interoperability (IO) certification. The DoDIN APL process is used to test and certify products that affect communication and collaboration across the DoDIN and is an acquisition decision support tool for DoD organizations interested in procuring equipment to add to the DISN to support their mission. The DoDI 8100.04 policy and Unified Capabilities Requirements (UCR) 2013 Change 2 define the scope of the DoDIN APL. The DoDIN APL Process Guide provides guidance on the step-by-step process from submission to placement on the DoDIN APL. The Approved Products Certification Office (APCO) acts as the staff element for DISA to manage the DoDIN APL Process. The APCO provides process guidance, coordination, information, and support to Vendors and government Sponsors throughout the entire process, from the registration phase to the attainment of DoDIN APL approval.
NO. The DoDIN APL is publicly accessible at https://aplits.disa.mil/apl
Please contact the Approved Products Certification Office (APCO) at disa.meade.ie.list.approved-products-certification-office@mail.mil with the Tracking Number(TN) and description of the product you are requesting information for. Note that only government civilian and/or uniformed military personnel may receive the Cybersecurity Assessment Package (CAP).
The scope of the DoDIN APL is determined by the Unified Capabilities Requirements (UCR) document. Solutions which do not fall into an applicable category are not eligible for listing on the DoDIN APL.
Software that does not support Unified Capabilities (UC) is not applicable for placement on the DoDIN APL. You may want to review the National Information Assurance Partnership (NIAP) site or contact their help desk below for more information on approved software.
NIAP Website: https://www.niap-ccevs.org/Product/NIAP
Team Email: niap@niap-ccevs.org
KVMs and Peripheral devices do not fit within the scope of the DoDIN APL testing process. The National Information Assurance Partnership (NIAP) team manages a list of compliant Peripheral devices at https://www.niap-ccevs.org/Product/
Please refer to the DoDIN APL Process Guide.
If a previously approved product has expired and is no longer listed on the DoDIN APL, it will be listed on the DoDIN APL Removal List. Only products currently listed on the DoDIN APL can be purchased in accordance with the DoDI 8100.04.
However, continuing to use previously purchased products that were once on the DoDIN APL is acceptable, so long as: applicable STIGs/SRGs are applied, all Cybercom IAVAs/IAVMs are adhered to, and the Vendor still offers support.
No. You must receive approval from the Connection Approval Office prior to connecting to the DSN.
Any DoD Component user of the DISN with acquisition or management-level responsibilities of equipment can Sponsor a product for testing. However, the "Vendor" or company who makes the product is the entity responsible for submitting any products for DoDIN APL testing. Refer to the DoDIN APL Process Guide for additional information on roles and responsibilities.
It is up to the Vendor to work with the Sponsor to examine all components of the solution desired to be tested, and compare against the list of available STIGs/SRGs to see which apply and which do not. It is strongly advised that any applicable STIGs/SRGs that are available for any components of your solution be applied prior to applying for testing. Non-compliance with available STIGs/SRGs will result in increased vulnerabilities discovered and reported at the end of testing.
The latest STIGs/SRGs are available at the DoD Cyber Exchange site. https://public.cyber.mil
In the case of certain items within a STIG/SRG rendering a device inoperable, try to pinpoint exactly which item of the STIG/SRG is causing the problem. You then have two choices; you can either try to make changes to your product so that it will work with that item in the STIG/SRG, or you can document a mitigation procedure for that item and submit to the Cybersecurity test team with your product prior to testing. In the case of the latter, the vulnerability and mitigation will be reflected in the Cybersecurity Assessment Report for the product.
Common Criteria certification is a standard that came into effect on July 1, 2002 with the passing of the NSTISSP #11.
It mandated that departments and agencies within the Executive Branch, for use on National Security Systems, only acquire Cybersecurity and Cybersecurity-enabled information technology products that are certified as meeting common criteria security standards. For a list of common criteria certified products go to the Common Criteria website.
Federal Information Processing Standard (FIPS) are the standards and guidelines for information processing developed by the National Institute of Standards and Technology (NIST) and approved by the Secretary of Commerce as requirements for the federal government for Cybersecurity and Interoperability. All products providing cryptographic-based security per applicable Federal Law and STIG/SRG requirements must be certified to FIPS 140-2 standards per the Cryptographic Module Validation Program (CMVP).
For more information visit the NIST website.
DoDIN APL approved products have completed cybersecurity testing as defined in: DoD Instruction 8100.4, DoD Unified Capabilities (UC), 9 December 2010; CJCSI 6215.01C, Policy for DoD Voice networks with Real Time Services, 9 November 2007; and DoD Unified Capabilities Requirements 2013 (UCR 2013), Change 2, September 2017. This testing does not constitute Risk Management Framework (RMF) Authorization, as required and defined in the Department of Defense Instruction (DoDI) 8510.01 and DoDI 8500.2. However, DoDIN APL testing results may be re-used for assessment purposes at the Authorizing Official's discretion.
The DoDIN APL is an acquisition decision support tool for DoD organizations interested in procuring equipment to add to the DISN to support their mission. DoDIN APL approval does not constitute Risk Management Framework (RMF) Authorization, as required and defined in the Department of Defense Instruction (DoDI) 8510.01 and DoDI 8500.2. DoDIN APL testing results may be re-used for assessment purposes at the Authorizing Official's discretion. However, users should follow their CC/S/A/FA, organization, or local program's processes when fielding a DoDIN APL approved product on their network.

Related Links



DISA | APLITS

APLITS is managed by the APCO | disa.meade.peo-transport.list.approved-products-certification-of@mail.mil