SECURE KVM ACCESS

Secure KVM for classified, multi-network operations. One operator, many networks, no path between them. NIAP Protection Profile 4.0 certified, from Adder, Raritan and G&D.

eNOVA supplies and integrates NIAP-certified secure KVM in Singapore, so one operator can work across networks of different classifications from a single keyboard, monitor and mouse, with hardware-enforced isolation. Built for government, defence and enterprise.

Certified KVM fromADDERRaritanG&D
High-security operations centre with operators monitoring classified systems
NIAP PP 4.0
Peripheral Sharing Device standard
Air-gap
Hardware-enforced isolation
CAC-ready
Smart-card authentication
Local
Singapore supply & integration

Secure KVM is certified to the NIAP Protection Profile for Peripheral Sharing Devices v4.0. A model is only certified while listed on NIAP's Product Compliant List.

WHAT IS SECURE KVM

What is a secure KVM switch?

A secure KVM switch lets one operator drive several computers from a single keyboard, monitor and mouse, where those computers sit on networks of different security classifications, with no data path of any kind between them. The operator switches focus; the switch guarantees that switching never creates a bridge.

An ordinary KVM is unsafe for this. It shares internal memory, buffers keystrokes, and passes USB and display data live between ports, any of which can leak data or be used to bridge an air gap. A secure KVM replaces all of that with hardware-enforced, per-port isolation, so the air gap survives even though one person and one set of peripherals serve every network.

How a secure KVM enforces isolation A classified (red) network and an unclassified (black) network both connect to a secure KVM that keeps them isolated, with no data path between them, while one operator switches between them on a single console. Classified network RED Unclassified network BLACK SECURE KVM NIAP PP 4.0 no data path between networks One operator one network at a time

"Red/black" denotes classified versus unclassified networks. Model basis: NIAP Protection Profile for Peripheral Sharing Devices v4.0. Original eNOVA diagram.

CLEAR THE CONFUSION

It is "NIAP PP 4.0", not "EAL4".

The most common secure-KVM mistake

A frequent request is for an "EAL4 secure KVM". For peripheral sharing devices, that is now out of date. NIAP moved away from numeric EAL ratings to Protection-Profile "exact conformance", so a current secure KVM is certified to the PSD Protection Profile v4.0 and carries no EAL number. Only legacy devices ever carried "EAL2" or "EAL4+".

What matters today is simple: the exact model is listed, against PSD PP v4.0, on NIAP's Product Compliant List. That is what eNOVA specifies to, and what your accreditor will check.

THE STANDARDS, FROM THE AUTHORITIES

The certifications that actually matter.

Secure KVM lives or dies on certification. Here is who sets the bar, and what each standard means.

US scheme · NIST + NSA
NIAP / CCEVS

The US National Information Assurance Partnership runs the scheme that evaluates secure peripheral devices and publishes the compliant-product list.

niap-ccevs.org
Protection Profile
PSD PP v4.0

The Protection Profile for Peripheral Sharing Devices, v4.0 (2019), is the standard secure KVMs are evaluated against, with modules for keyboard/mouse, video, audio and CAC.

PSD PP v4.0
PCL
Product Compliant List

A product is only legitimately NIAP-certified while it is listed on the PCL. Lapsed evaluations move to an archived list.

niap-ccevs.org/products
ISO/IEC 15408
Common Criteria / EAL

The international security-evaluation standard and its EAL 1-7 assurance levels. Mutual recognition covers Protection Profiles and up to EAL2.

commoncriteriaportal.org
NSA emanations security
TEMPEST

The NSA standard and programme protecting against compromising electromagnetic emanations, stray signals that could disclose what a device is processing.

nsa.gov
NIST CMVP
FIPS 140-3

Validates the cryptographic module inside encrypted KVM-over-IP. Effective 2019, it supersedes FIPS 140-2 and references ISO/IEC 19790.

csrc.nist.gov

Sources: NIAP/CCEVS, the Common Criteria portal, NSA and NIST. EAL levels apply to legacy Common Criteria evaluations; current PSDs use Protection-Profile conformance, not EAL.

WHAT THE STANDARD MANDATES

How a secure KVM enforces isolation.

The PSD Protection Profile requires hardware controls, not policy. A compliant switch must do all of this.

Unidirectional data flow

Optical data diodes force signals one way, so data cannot travel back between computers.

No shared memory

Separate isolated processors per port; user data is never buffered or shared between machines.

HID-only USB

Only keyboards and mice are allowed; mass storage is blocked, defeating BadUSB and data theft.

Anti-tamper self-disable

Tamper-evident seals plus active anti-tamper that permanently disables the unit if it is opened.

Fixed firmware

Non-reprogrammable firmware, so the switch cannot be altered in transit or in service.

Secure EDID

Display data is read once and emulated, never passed live between computers.

Isolated CAC port

The smart-card reader channel is isolated, so authentication never bridges the networks.

Secured power

Isolated power so the supply cannot become a covert path between connected computers.

Requirements summarised from the NIAP PSD Protection Profile v4.0.

TWO KINDS OF SECURE

Isolation or encryption? Both have a place.

"Secure KVM" covers two different architectures. The right one depends on whether your operators sit at the machines or reach them over a network.

Air-gap isolation
Secure desktop KVM

For one desk touching multiple classified networks with no path between them. The security is the physical isolation, certified to NIAP PSD PP 4.0.

  • Adder Secure and Raritan Secure Switch
  • No network and no cryptography involved
  • Multiple classifications at the operator desk
  • Certified to NIAP PSD Protection Profile 4.0
or
Encrypted KVM-over-IP
Secure remote / matrix KVM

For secure access over a network, where the signal is protected by validated encryption. The security is the cryptography plus system assurance.

  • G&D SecureCert KVM-over-IP
  • FIPS 140-3 validated cryptographic module
  • Remote and matrix access across sites
  • Encrypted in transit, Common Criteria EAL2+

Architectures per Adder, Raritan and G&D. Isolation prevents any path; encryption protects the path.

CERTIFIED PLATFORMS

Secure KVM we supply and integrate.

Three certified platforms, matched to your threat model and the way your operators work.

ADDER®ADDERView Secure · NIAP PSD PP 4.0

Adder's current ADDERView Secure range is certified to NIAP Protection Profile 4.0 for Peripheral Sharing Devices, in single, dual and 4K models, with optional CAC via the AS-4CR secure card reader. The legacy analogue range additionally carries Common Criteria EAL4+ and a TEMPEST-qualified design.

NIAP PP 4.0CAC via AS-4CRTAA (AVS-4128)Legacy: EAL4+ & TEMPEST
  • AVS-2114 / 2214: 4-port single and dual-head, DVI
  • AVS-4114 / 4214: 4-port 4K, DisplayPort and HDMI
  • AVS-1124 secure multi-viewer; AVS-4128 Flexi-Switch (TAA)
  • Secure Free-Flow: cursor-glide switching with a Ctrl safeguard
Adder ADDERView Secure KVM range, NIAP Protection Profile 4.0 certified
ADDERView Secure range · NIAP PP 4.0
Adder AVS-2114 secure KVM switch
AVS-2114
Adder AVS-4114 4K secure KVM switch
AVS-4114 (4K)
Adder AVS-1124 secure multi-viewer KVM
AVS-1124 viewer
RaritanRaritan Secure Switch · NIAP PSD PP 4.0
Raritan Secure Switch RSS4-108-DP with CAC and eight isolated servers
Raritan Secure Switch RSS4-108-DP · 8 isolated servers with CAC

Raritan's Secure Switch 4.0 family is certified to NIAP Protection Profile 4.0 and listed on the Product Compliant List with CAC support. It spans 2, 4 and 8-port models, single or dual-head, with DisplayPort and HDMI up to 4K, and chassis-intrusion detection that disables the unit if it is opened.

NIAP PP 4.0PCL listed (VID 11323)CAC support
  • RSS4 in 2, 4 and 8-port, single or dual-head
  • HDMI to 4K60, DisplayPort to 4K30; digital only
  • Isolated CAC / smart-card reader port
  • HID-only USB, chassis-intrusion self-disable
G&DSecureCert · encrypted KVM-over-IP

For secure access over a network rather than at the desk, G&D SecureCert brings its KVM-over-IP matrix into compliance with three standards at once. The security here is validated encryption rather than air-gap isolation, so it complements the desktop secure switches above.

FIPS 140-3 (module #5005)Common Criteria EAL2+DoDIN APL
  • ControlCenter-IP and VisionXS-IP KVM-over-IP
  • FIPS 140-3 validated cryptographic module (cert #5005)
  • Common Criteria EAL2+ (entry to mid assurance)
  • Listed on the US DoDIN Approved Products List
G&D ControlCenter-IP KVM-over-IP matrix with SecureCert
G&D ControlCenter-IP · SecureCert KVM-over-IP

Models and certifications per adder.com, raritan.com and gdsys.com, cross-checked against NIAP and NIST. Current Adder and Raritan secure switches are NIAP PP 4.0 (no EAL number); Adder's EAL4+ and TEMPEST apply only to its legacy analogue range. G&D SecureCert validates a FIPS 140-3 cryptographic module (CMVP cert #5005), with Common Criteria EAL2+ and a DoDIN APL listing.

WHO NEEDS SECURE KVM

Where isolation is non-negotiable.

Anywhere one operator must touch multiple classifications without bridging them.

Government & public sector

Multiple classifications handled at one desk, without bridging the networks.

Defence & military

Command posts and operations centres working across segregated networks.

Intelligence & SCIFs

Sensitive compartmented work with hardware-enforced separation.

Critical infrastructure

OT and IT networks kept apart at the operator position.

Finance & trading

Segregated trading and corporate networks on a single operator desk.

Healthcare

Clinical and administrative systems separated at the point of use.

Use cases per Adder, Raritan and G&D and the NIAP PSD Protection Profile threat model.

STANDARDS GLOSSARY

The acronyms, in one line each.

NIAP
US National Information Assurance Partnership (NIST + NSA); runs the US Common Criteria scheme.
PSD PP
Protection Profile for Peripheral Sharing Devices; the secure-KVM standard, current version 4.0.
PCL
Product Compliant List; NIAP's list of products currently holding certification.
Common Criteria
ISO/IEC 15408, the international security-evaluation standard.
EAL
Evaluation Assurance Level (1-7); legacy numeric rating, superseded by PP conformance for PSDs.
TEMPEST
NSA standard against compromising electromagnetic emanations.
FIPS 140-3
NIST standard for validating cryptographic modules, run by the CMVP.
DoDIN APL
US Department of Defense Information Network Approved Products List.
CAC
Common Access Card; smart-card authentication on an isolated reader port.
Red / black
Classified (red) versus unclassified or encrypted (black) networks kept separate.
YOUR SINGAPORE SECURE-KVM PARTNER

Specified correctly, supported locally.

Secure KVM is a specify-it-right purchase: the wrong device fails accreditation. eNOVA matches the certified platform to your security model and supports it in Singapore.

01
Specify to the standard

We confirm the exact model's NIAP PCL listing and fit it to your classification model.

02
Supply & integrate

Local supply of NIAP-certified secure KVM, CAC readers and accessories.

03
Brief & assure

Documentation to support your security accreditation and audit.

04
Support

Local support and spares for government, defence and enterprise.

COMMON QUESTIONS

Common questions about secure KVM.

What is a secure KVM switch?
A secure KVM switch lets one operator work across multiple computers on different security networks from one keyboard, monitor and mouse, with hardware-enforced isolation so no data can pass between the networks. Certified secure KVMs meet the NIAP Protection Profile for Peripheral Sharing Devices, version 4.0.
What is NIAP certification?
Certification under the US National Information Assurance Partnership, a partnership of NIST and the NSA, that a product has been independently evaluated against an approved Protection Profile. It is only valid while the product is listed on NIAP's Product Compliant List.
What is the PSD Protection Profile (PP 4.0)?
The Protection Profile for Peripheral Sharing Devices, version 4.0 (2019), is the security standard secure KVMs are evaluated against. It defines mandatory isolation, anti-tamper, restricted-USB and data-flow requirements, extended by PP-Modules for keyboard and mouse, video, audio and CAC authentication.
What is the difference between EAL and NIAP PP certification?
EAL (1 to 7) is a numeric assurance level from older Common Criteria evaluations. NIAP now uses Protection-Profile "exact conformance" instead, so a modern secure KVM is certified to "PSD PP v4.0" and carries no EAL number. Only legacy devices were rated "EAL2" or "EAL4+". Ask for PP 4.0 on the Product Compliant List, not an EAL level.
What is TEMPEST?
TEMPEST is the NSA standard and programme for protecting against compromising electromagnetic emanations, stray signals that could let an eavesdropper reconstruct what a device is processing. A TEMPEST-qualified device is engineered and tested to suppress those emanations; among these brands it applies to Adder's legacy analogue secure range.
What is a CAC-enabled secure KVM?
A secure KVM with an isolated smart-card or Common Access Card reader port, so an operator can authenticate to each connected computer without the card channel ever bridging the networks. On Adder it is added via the AS-4CR reader; Raritan Secure Switch models support CAC directly.
Where can I get NIAP-certified secure KVM in Singapore?
eNOVA supplies and integrates NIAP PSD PP 4.0-certified secure KVM in Singapore, including Adder Secure and Raritan Secure Switch for desktop isolation, and G&D SecureCert for encrypted KVM-over-IP, serving government, defence and enterprise. Contact eNOVA to specify and supply.

Specifying secure KVM in Singapore?

Talk to eNOVA about NIAP-certified secure KVM from Adder, Raritan and G&D, matched to your security model and accreditation.