<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Corsec</title>
	<atom:link href="http://www.corsec.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.corsec.com</link>
	<description>Security Validations Made Easy.</description>
	<lastBuildDate>Thu, 13 Jun 2013 13:48:14 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Webinar Recap Part 2: Time and Money Involved in Recertification and Revalidation</title>
		<link>http://www.corsec.com/2013/06/webinar-recap-part-2-time-and-money-involved-in-recertification-and-revalidation/</link>
		<comments>http://www.corsec.com/2013/06/webinar-recap-part-2-time-and-money-involved-in-recertification-and-revalidation/#comments</comments>
		<pubDate>Thu, 13 Jun 2013 13:43:05 +0000</pubDate>
		<dc:creator>Chandra James</dc:creator>
				<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[FIPS Services]]></category>
		<category><![CDATA[Common Criteria Certification]]></category>
		<category><![CDATA[FIPS 140-2]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1715</guid>
		<description><![CDATA[In our recent webinar, “Maximizing Your Certification Investment,” we talked a lot about how you can get the most out of the time and money you put into your Common Criteria certification or FIPS 140-2 validation. In our last blog post we looked at the scenarios that necessitate Common Criteria recertification or FIPS 140-2 revalidation, [...]]]></description>
				<content:encoded><![CDATA[<p>In <a title="Maximizing Your Certification Investment" href="http://www.corsec.com/about-us/webinars/webinar-maximizing-your-certification-investment/" target="_blank">our recent webinar</a>, “Maximizing Your Certification Investment,” we talked a lot about how you can get the most out of the time and money you put into your Common Criteria certification or FIPS 140-2 validation. In our <a href="http://www.corsec.com/2013/06/webinar-recap-part-1-should-you-revalidate-or-recertify/" target="_blank">last blog post</a> we looked at the scenarios that necessitate Common Criteria recertification or FIPS 140-2 revalidation, as well as the circumstances when a properly prepared assurance maintenance (CC) or letter of rationale (FIPS) will suffice. (If you haven&#8217;t read the post and have been wondering whether you need to plan for a new evaluation, it&#8217;s probably a good idea to <a href="http://www.corsec.com/2013/06/webinar-recap-part-1-should-you-revalidate-or-recertify/" target="_blank">read that post</a> and come back to this one.)</p>
<p>Assuming you&#8217;ve determined that you must pursue a next step to keep your security product certification current and applicable, it&#8217;s important to understand timing and cost implications so you can allocate your resources and budget accordingly.<span id="more-1715"></span></p>
<p><strong>Common Criteria</strong></p>
<p>In our last post, we mentioned that if your product has undergone any changes, you must perform Assurance Continuity (the process that helps you determine whether you need <a href="http://www.corsec.com/common-criteria-services/common-criteria-faq/">Common Criteria</a> recertification or if assurance maintenance is sufficient). If you determine that your product changes are classified as minor, you can move forward with assurance maintenance.</p>
<p>To get started, you or your certification consultant must first update your existing Common Criteria documentation to reflect the changes to your product. Next, you must engage a lab to re-execute the testing against the new product version and provide the test results to the appropriate scheme. Then an Impact Analysis Report (IAR) that defines the changes must be produced, either by you, the lab or your certification consultant, and sent to the scheme.</p>
<p>Expect recertification to cost anywhere from $20,000 up to the full cost of your original certification. It is dependent upon the testing required, the condition of your original documentation and the level of maintenance or re-evaluation involved.</p>
<p>As for timing, assurance maintenance is a relatively quick process that you can expect to take approximately two to three months from start to finish. Recertifications take between six and 12 months, although timing does vary by scheme. You can undergo assurance maintenance as often as you&#8217;d like within the two-year window that your Common Criteria certification is valid; after that you have to go through a new certification process.</p>
<p>You can significantly reduce the timeline and keep costs under control by working with a highly qualified consultant who manages the entire process for you. Because a qualified consultant is very familiar with all the testing labs and schemes, they understand what each looks for in documentation and testing. Consulting engineers can streamline communications with the lab and other entities, which shortens the time it takes to produce complete and proper documentation, and they can anticipate potential issues before they become problems.</p>
<p><strong>FIPS 140-2</strong></p>
<p>A <a href="http://www.corsec.com/fips-services/fips-140-2-faq/">FIPS 140-2</a> revalidation can range from $5,000 to the original cost of your validation, depending on which change category applies to your situation and how well you&#8217;ve planned your documentation. Again, a consultant can manage the process so that your team members can remain on other revenue-generating projects.</p>
<p>If you pursue FIPS revalidation under Scenarios 1, 2 or 4, you&#8217;ll be placed in a high-priority queue and can expect the entire process to be completed in one to two months. Remember, Scenarios 3 and 5 are considered new validations, and the process will take approximately 12 months.</p>
<p>Can you afford <i>not</i> to maintain your validation/certification?</p>
<p>If the thought of assurance maintenance, change categories and re-evaluation makes you uneasy, consider the money you leave on the table every day that you <i>don&#8217;t</i> revalidate or recertify. Without <a href="http://www.corsec.com/2013/03/is-there-value-in-maintaining-your-security-validation/">up-to-date validation</a>, you can’t maximize the <a href="http://www.corsec.com/2013/05/you-have-your-validation-now-use-it-to-sell/">investment in your product</a>, and you could fall significantly short of revenue goals if product changes are made and the validation was not maintained for the newer version.</p>
<p>If your security product validation/certification is out of date and you decide to pursue an evaluation on your own, be prepared for what could be a long and frustrating road ahead. Every day that you spend tied up at the lab, writing documentation or trying to ascertain where bottlenecks are coming from is another day of revenue you won&#8217;t see and another day that other revenue-bearing projects don’t get your attention.</p>
<p>Using a consultant for these processes may seem like an additional expense but often makes the most financial sense because internal resources are not taxed and your revalidation or recertification occurs faster and more efficiently than if you attempt to do it yourself. Your consultant helps you develop and manage a maintenance strategy and schedule, determines which requirements apply to your product and product changes, ensures that all lab and scheme requirements are satisfied, prepares and revises all documentation, and manages all communications work with the lab and scheme from day one through to completion.</p>
<p>Keeping your validations and certifications up to date is not only good for your ROI, but it demonstrates your commitment to your customers’ security and the security of your products.</p>
<p>Corsec has assisted with hundreds of recertifications and revalidations over the past 15 years. <a href="http://www.corsec.com/contact-us/">Contact us</a> to find out how we can help you.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/06/webinar-recap-part-2-time-and-money-involved-in-recertification-and-revalidation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Webinar Recap Part 1: Should You Revalidate or Recertify?</title>
		<link>http://www.corsec.com/2013/06/webinar-recap-part-1-should-you-revalidate-or-recertify/</link>
		<comments>http://www.corsec.com/2013/06/webinar-recap-part-1-should-you-revalidate-or-recertify/#comments</comments>
		<pubDate>Thu, 06 Jun 2013 13:35:05 +0000</pubDate>
		<dc:creator>Chandra James</dc:creator>
				<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[FIPS Services]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1704</guid>
		<description><![CDATA[If you have been through the certification or validation process for your security product, I don&#8217;t need to tell you that it&#8217;s a substantial investment in time, resources and cost. Or that it&#8217;s worth that investment when you consider the benefits you&#8217;ll realize from your ability to sell into the lucrative government market. We discussed [...]]]></description>
				<content:encoded><![CDATA[<p>If you have been through the certification or validation process for your security product, I don&#8217;t need to tell you that it&#8217;s a substantial investment in time, resources and cost. Or that it&#8217;s worth that investment when you <a href="http://www.corsec.com/2013/03/is-there-value-in-maintaining-your-security-validation/">consider the benefits</a> you&#8217;ll realize from your ability to sell into the lucrative government market.</p>
<p>We discussed the details of maximizing your certification investment in our recent webinar. You can watch the whole thing <a title="Maximizing Your Certification Investment" href="http://www.corsec.com/about-us/webinars/webinar-maximizing-your-certification-investment/">here</a>, but in this two-part blog post series, we’ll give you some of the details.</p>
<p>Technology doesn&#8217;t stand still for a nanosecond, and neither do your clients or your competition. Almost as soon as you attain certification, your development team is hard at work making tweaks and preparing for the next release. Sometimes these changes are significant, such as adding features or using newer technology; sometimes they’re minor, such as edits to the product documentation or new comments added to the code.<span id="more-1704"></span></p>
<p>If you&#8217;re worried about whether refinements could mean you&#8217;ll require a new certification or validation, you&#8217;re right to be concerned. The last thing you want is to jeopardize your federal market potential by not having the proper validation or certification for your product. Should you invest the time and effort on revalidation, and how do you know whether it&#8217;s wise to do so?</p>
<p>That depends on many factors, which are different for Common Criteria versus FIPS 140-2.</p>
<p><strong>Let&#8217;s look at Common Criteria first.</strong></p>
<p>Assurance Continuity is the process that helps you determine whether you must go down the path to recertification, which means undergoing re-evaluation and presenting evidence to a lab, or whether you can perform assurance maintenance, which is an addendum to your existing certification listing and only requires a maintenance report. The outcome of Assurance Continuity is based on the scope of the changes to your product.</p>
<p>Minor changes include editorial changes to the documentation, comments added to the code, changes to the development environment that don&#8217;t affect how the product was developed, and changes to the product name, Security Target ID or Target of Evaluation (TOE) identifier.</p>
<p>Major changes that necessitate reevaluation for Common Criteria are those that affect security, such as changes to assurance requirements. For example, if your product was certified for EAL 2 and you want to attain EAL 4 (or vice versa), you must undergo a new evaluation. Other major changes would include revising the product&#8217;s functional requirements, the use of procedures or processes not assessed in the original evaluation, and making sets of minor changes that together have a major impact upon the security of the product.</p>
<p>If you&#8217;re unsure of whether your product requires recertification now or will require reevaluation after changes you&#8217;ve planned, don&#8217;t take chances; Corsec can help you determine the right course of action.</p>
<p>Unlike Common Criteria, <strong>FIPS 140-2</strong> outlines five change scenarios to determine whether your product requires revalidation or whether you can submit a letter of rationale to the lab that basically explains why the changes don&#8217;t affect the FIPS security posture of the module. Examples of changes that don’t affect any FIPS-relevant security items are a change to the GUI, or changes to the physical enclosure of the module.</p>
<p>Changes that require FIPS revalidation include changes you make to more than 30 percent of FIPS-relevant security items.</p>
<p>Your Corsec engineer can help you determine if your product meets the 30 percent threshold, and can review each FIPS change scenario with you in detail. We are also able to assess the scope of your changes where Common Criteria Assurance Continuity is concerned. <a href="http://www.corsec.com/contact-us/" target="_blank">Contact us</a> for details.</p>
<p>In our next post, we&#8217;ll discuss the timelines for Common Criteria recertification vs. assurance maintenance, and for FIPS validation vs. revalidation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/06/webinar-recap-part-1-should-you-revalidate-or-recertify/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Budgeting for Common Criteria: Avoid Cost Creep</title>
		<link>http://www.corsec.com/2013/05/budgeting-for-common-criteria-avoid-cost-creep/</link>
		<comments>http://www.corsec.com/2013/05/budgeting-for-common-criteria-avoid-cost-creep/#comments</comments>
		<pubDate>Thu, 30 May 2013 13:30:44 +0000</pubDate>
		<dc:creator>Matt Appler</dc:creator>
				<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[Common Criteria Certification]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1683</guid>
		<description><![CDATA[Budgeting for a Common Criteria Certification can be difficult, but it’s not impossible. Understanding how to create your certification budget, and taking the necessary steps to follow through with that budget, can reduce your costs and simplify the certification process. We are frequently asked, &#8220;How much does certification cost?&#8221; This is similar to asking, &#8220;How much [...]]]></description>
				<content:encoded><![CDATA[<p>Budgeting for a <a href="http://www.corsec.com/common-criteria-services/common-criteria-faq/">Common Criteria Certification</a> can be difficult, but it’s not impossible. Understanding how to create your certification budget, and taking the necessary steps to follow through with that budget, can reduce your costs and simplify the certification process.</p>
<p>We are frequently asked, &#8220;How much does certification cost?&#8221; This is similar to asking, &#8220;How much does a car cost?&#8221; The real answer is, &#8220;It depends.&#8221;</p>
<p>The first step in understanding how to budget for certification is to fully understand the scope of your project. Certification costs vary widely depending upon that scope. If yours is too broad, you may be needlessly spending money on a certification that will not provide a good <a href="http://www.corsec.com/about-us/webinars/evaluating-return-on-investment/">return on investment</a>. If your scope is too narrow, you may fail to capitalize on <a href="http://www.corsec.com/2013/05/you-have-your-validation-now-use-it-to-sell/">the true value of certification</a>. Going through the process to properly identify the scope of your certification is the most important step to forming a meaningful budget for the project. Perhaps the key aspect in identifying the scope is determining the product or system to be evaluated, or the Target of Evaluation (TOE). Once you’ve decided on a TOE you will need to:</p>
<ol>
<li>Figure out if it’s best to use a Protection Profile (PP) or a custom Security Target (ST)</li>
<li>Determine the Evaluation Assurance Level (EAL) being sought if you’re not using a Protection Profile</li>
<li>Determine if the product will need to be modified in any way in order to meet requirements and how those modifications fit into the current development plan</li>
</ol>
<p>You have to go through the process to understand what you are certifying, and why, in order to understand what the budgetary requirements will be. Once you understand the scope of your certification process, you can begin to plan a reasonable budget. To start, make sure you cover all of the costs in your budget. Next, you must understand which parts of the budget are variable, and which parts are fixed. The following is a list of expenses that every good certification budget should include:</p>
<ol>
<li>Documentation preparation</li>
<li>Project management costs</li>
<li>Development costs for algorithm testing</li>
<li>Development costs for product modifications</li>
<li>Laboratory fees</li>
<li>Government fees</li>
<li>Testing-related travel expenses</li>
<li>Cost to distribute product to consultants and testing laboratories</li>
</ol>
<p>Some of these costs will be &#8220;fixed price,&#8221; while others are not. Understanding how to assess these accurately is crucial to keeping &#8220;cost creep&#8221; under control. Properly scoped, this budget can be manageable and predictable. Focusing your budget on only one area of expenses, or failing to properly identify the scope of your project, can result in a budget that continually expands throughout your certification effort.</p>
<p>Corsec has helped with hundreds of <a href="http://www.corsec.com/common-criteria-services/" target="_blank">Common Criteria Certifications</a> over the past 15 years. For help getting started with yours, <a href="http://www.corsec.com/contact-us/" target="_blank">contact us.</a></p>
<p><a href="http://www.flickr.com/photos/76657755@N04/7027596629/" target="_blank"><em>Image Source</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/05/budgeting-for-common-criteria-avoid-cost-creep/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who Do I Need on My Certification Team?</title>
		<link>http://www.corsec.com/2013/05/who-do-i-need-on-my-certification-team/</link>
		<comments>http://www.corsec.com/2013/05/who-do-i-need-on-my-certification-team/#comments</comments>
		<pubDate>Thu, 23 May 2013 15:10:33 +0000</pubDate>
		<dc:creator>Matt Appler</dc:creator>
				<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[FIPS Services]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[FIPS 140-2]]></category>
		<category><![CDATA[IT Security Certification]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1642</guid>
		<description><![CDATA[Do you have any questions you wish your customers would ask you? Questions you know for certain would make a marked difference in the projects they undertake or in their ROI? I do, and, “Who do I need on my certification team?” is definitely one of them. But the answer to this question is longer [...]]]></description>
				<content:encoded><![CDATA[<p>Do you have any questions you wish your customers would ask you? Questions you know for certain would make a marked difference in the projects they undertake or in their ROI? I do, and, “Who do I need on my certification team?” is definitely one of them. But the answer to this question is longer than most people think and it can also go a long way to creating a successful IT security certification. Some product vendors are more successful than others with their IT security certifications, and I know that one big reason is the makeup of their certification team.<span id="more-1642"></span></p>
<p>If you’ve spent at least a few years in this industry, you will know at least part of the answer to the question. You need your product engineering group, a trusted consultant, and a <a href="http://www.corsec.com/2013/05/testing-labs-tips-to-make-the-right-choice/" target="_blank">good laboratory</a> on your certification team. These three groups are required to successfully achieve certification.</p>
<p>However, there are five other areas that could make a <strong>big difference in your <a href="http://www.corsec.com/2013/05/maximize-your-certification-roi-new-corsec-webinar/" target="_blank">return on investment</a></strong> if added to your IT security certification team.</p>
<p><strong>1) Marketing</strong></p>
<p>Your marketing team understands how your product is positioned in the marketplace. They know what your competitors are advertising, and they understand how you’re represented in the cyber security space. Marketing needs to be involved from the beginning to help chart the proper course for the certification. They should also take an active role throughout the process to position your product during the various phases of certification. It will be up to marketing to make sure the value of your certification is maximized.</p>
<p><strong>2) Sales</strong></p>
<p>Your sales team interfaces directly with your customers and helps translate their requirements into product certification requirements. This group should also be involved at the beginning and throughout the process. If sales does not understand your certification, or does not stay involved, they will not use the certification as the valuable sales tool it is. Additionally, there may be other customer requirements that could be addressed during your certification, and sales can provide those as input to the effort.</p>
<p><strong>3) Executive Management</strong></p>
<p>No matter what path you take through certification, it is costly and time consuming. Your executive management team must be on board and understand what they can achieve through certification. There will be times during a certification that corporate attention will be focused elsewhere. It is important for your executive management team to be behind the effort so that they can help refocus that attention when necessary.</p>
<p><strong>4) Quality Assurance</strong></p>
<p>Most certifications require functional testing as part of the effort. Your testing or quality assurance team can be a valuable source of information and support during this process. This team typically has expertise in setting up test environments and executing test plans on your product. This is exactly the type of skill that will be valuable to keep your certification moving forward efficiently.</p>
<p><strong>5) Documentation Team</strong></p>
<p>Security certifications require a lot of documentation. Typically, these documents are produced by consultants for your company. However, much of the information required can be found in existing documentation. Additionally, your documentation team can be responsible for maintaining your documentation through subsequent versions of your product, improving your future return on investment.</p>
<p>Think through all the facets of a certification to determine the best players for your certification team. Corsec has completed hundreds of certifications. <a href="http://www.corsec.com/contact-us/">Contact us</a> for advice on the best path to take and how to staff your team.</p>
<p><em><a href="http://www.flickr.com/photos/elmiracollege/5527248168/" target="_blank">Image Source</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/05/who-do-i-need-on-my-certification-team/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Maximize Your Certification ROI – New Corsec Webinar</title>
		<link>http://www.corsec.com/2013/05/maximize-your-certification-roi-new-corsec-webinar/</link>
		<comments>http://www.corsec.com/2013/05/maximize-your-certification-roi-new-corsec-webinar/#comments</comments>
		<pubDate>Thu, 16 May 2013 03:29:53 +0000</pubDate>
		<dc:creator>Chandra James</dc:creator>
				<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[FIPS Services]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Common Criteria Certification]]></category>
		<category><![CDATA[FIPS validation]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1605</guid>
		<description><![CDATA[Your certification or validation was a significant investment of both time and money for your company. While a certification or validation can be a substantial revenue generator for your company, it will only be so if it keeps up with any changes added to your product.  Over time your product will undoubtedly be enhanced, whether [...]]]></description>
				<content:encoded><![CDATA[<p>Your certification or validation was a significant investment of both time and money for your company. While a certification or validation can be a substantial <a href="http://www.corsec.com/2013/05/you-have-your-validation-now-use-it-to-sell/" target="_blank">revenue generator</a> for your company, it will only be so if it keeps up with any changes added to your product. Over time your product will undoubtedly be enhanced, whether by new features or by bug fixes. Given the care and effort you have invested in your product development strategy, it is critical to also have a product revalidation strategy in order to maintain a validation or certification on your currently available products.<span id="more-1605"></span></p>
<p><a href="http://www.corsec.com/2013/03/is-there-value-in-maintaining-your-security-validation/" target="_blank">Maintaining your security validation</a> isn’t something your company can let slide – not when your competitors offer up-to-date validated and certified products. Don’t you want to compete with your most recent release? The cost and effort of revalidating or recertifying is only a fraction of what your initial validation may have cost. But how do you get started?</p>
<p>On Tuesday, May 21, 2013 at 11:45 EST, Corsec will host a webinar on “Maximizing Your Certification Investment.” Corsec COO Amy Nicewick and Lead Engineer Darryl Johnson will discuss topics including:</p>
<ul>
<li>How to determine if you&#8217;re eligible for assurance continuity and what process is required.</li>
<li>How long does the process take before a certificate addendum is issued?</li>
<li>How many assurance continuities can a company do before a recertification is required?</li>
<li>What are the 5 FIPS validation change scenarios?</li>
<li>When should you begin your revalidation or recertification?</li>
<li>Which lab and scheme should you use; do you have to use the lab used during the original or previous validation?</li>
<li>How often should you revalidate or recertify your product?</li>
<li>Which revalidation category works best for your product?</li>
</ul>
<p>How can Corsec help with your recertification or revalidation efforts? Recertification and revalidation can help you augment the value of your product. Join us to learn how to maximize your certification ROI.</p>
<p><strong><a href="https://attendee.gotowebinar.com/register/7348238868758615040" target="_blank">Register today</a>.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/05/maximize-your-certification-roi-new-corsec-webinar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>You Have Your Validation, Now Use It To Sell</title>
		<link>http://www.corsec.com/2013/05/you-have-your-validation-now-use-it-to-sell/</link>
		<comments>http://www.corsec.com/2013/05/you-have-your-validation-now-use-it-to-sell/#comments</comments>
		<pubDate>Thu, 09 May 2013 15:20:14 +0000</pubDate>
		<dc:creator>Matt Appler</dc:creator>
				<category><![CDATA[FIPS Services]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[FIPS 140-2]]></category>
		<category><![CDATA[FIPS validation]]></category>
		<category><![CDATA[it validations]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1525</guid>
		<description><![CDATA[Where is the most money lost in a validation? I know this is a question my customers ask themselves while making a decision on how to achieve validation. A) Is it the consultant? B) Is it in the testing laboratory? C) Is it the scope of the process? I’ll let you in on an insider [...]]]></description>
				<content:encoded><![CDATA[<p>Where is the most money lost in a validation? I know this is a question my customers ask themselves while making a decision on how to achieve validation.</p>
<p>A) Is it the consultant?<br />
B) Is it in the testing laboratory?<br />
C) Is it the scope of the process?</p>
<p>I’ll let you in on an insider secret—the correct answer is “none of the above.” You won’t lose big in validations, or in any direct expense related to them. The biggest losses are what you don’t earn because you failed to use the validation to sell more product.<span id="more-1525"></span></p>
<p>Ask yourself this: Why did you get a validation? In essence, this question is asking you about your <a href="http://www.corsec.com/about-us/webinars/evaluating-return-on-investment/">return on investment</a>. What is your purpose for getting the validation in the first place? The answers may vary, but somewhere along the line the notion of increasing or protecting sales has to be a part of the equation.</p>
<p>Now, what if I told you to forget about that question? The answer no longer matters. If you have already completed or started an evaluation, you need to change the question. Here is what you should be asking yourself now: What can I do with this validation? Validations can be very valuable. They can be used to market and sell your product, to help position it with customers who would not have otherwise considered it. You can increase revenue beyond your initial return on investment calculations when you add incremental sales of product requiring validation.</p>
<p>Let’s look at some concrete ways you can use your validation as a sales tool:</p>
<ul>
<li>Make sure you have a page on your website that explains your validations</li>
<li>Train your marketing staff to understand your validation and utilize it in your marketing activities</li>
<li>Train your sales staff to understand your validation and utilize it when they talk with prospects</li>
<li>Make sure your product literature properly references your validation</li>
<li>Make sure government RFPs that SHOULD require validations DO require them</li>
</ul>
<p>Bonus thought: Use Google to search for a validation (say <a href="http://www.corsec.com/fips-services/fips-140-2-faq/">FIPS 140-2</a>) and your company name. Does any page on your own website come up in the search results?</p>
<p>Corsec has helped with more than 300 validations and certifications over the past 15 years. For help getting started with your next validation, <a href="http://www.corsec.com/contact-us/">contact us.</a></p>
<p>Wondering how you can optimize the benefits of your validation? Join us Tuesday, May 21st for our webinar, &#8220;<a title="Maximizing Your Certification Investment" href="http://www.corsec.com/about-us/webinars/maximizing-your-certification-investment/">Maximizing Your Certification Investment</a>.&#8221;</p>
<p><a href="http://www.flickr.com/photos/crazyneighborlady/415534585/" target="_blank"><em>Image Source</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/05/you-have-your-validation-now-use-it-to-sell/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Testing Labs: Tips to Make the Right Choice</title>
		<link>http://www.corsec.com/2013/05/testing-labs-tips-to-make-the-right-choice/</link>
		<comments>http://www.corsec.com/2013/05/testing-labs-tips-to-make-the-right-choice/#comments</comments>
		<pubDate>Thu, 02 May 2013 13:10:06 +0000</pubDate>
		<dc:creator>Amy Nicewick</dc:creator>
				<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[FIPS Services]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1477</guid>
		<description><![CDATA[You’ve made the decision to pursue FIPS 140-2 validation or Common Criteria certification. Smart move! As we mentioned in our recent post about starting a validation, there is a lot to consider before you begin, but the journey can be really tough if you don’t select the right partners. I can’t overemphasize how important it [...]]]></description>
				<content:encoded><![CDATA[<p>You’ve made the decision to pursue FIPS 140-2 validation or <a href="http://www.niap-ccevs.org/cctls/">Common Criteria</a> certification. Smart move! As we mentioned in our <a href="http://www.corsec.com/2013/04/starting-a-validation-dont-make-all-of-your-decisions-up-front/">recent post</a> about starting a validation, there is a lot to consider before you begin, but the journey can be really tough if you don’t select the right partners.</p>
<p>I can’t overemphasize how important it is to choose the appropriate testing lab and scheme for your particular product and requirements. So don’t jump into the process blindly. Before you choose a lab for your certification process, here are some important considerations to keep in mind and questions you should ask.</p>
<p><strong><em>1. Don’t choose your lab based only upon price.</em></strong></p>
<p>Testing labs are not a commodity—far from it. In addition to cost, you should ask about the lab’s track record for project completion. They may or may not be equipped to circumvent delays that can occur if you miss milestones or if your documentation is lacking.</p>
<p>It’s also a good idea to speak with someone who has experience with the labs that you’re considering. We have worked with all the major testing labs and schemes, but not everyone has. Make sure you investigate.</p>
<p><strong><em>2. What’s included in the fee?</em></strong></p>
<p>Make certain you understand what you will get for the price. Always negotiate a fixed price that includes testing, reports and the site visit, so costs don’t escalate once you’ve set your budget. Some labs have minimums, hourly fees, and variable price structures, and if your project shifts into overtime, the cost overruns can really add up.</p>
<p>We always recommend that you obtain quotes from two to three labs before making your decision.</p>
<p><strong><em>3. How many people will be assigned to your project?</em></strong></p>
<p>The more cooks in the kitchen, the slower they cook. Ask for a dedicated resource who will thoroughly understand the ins and outs of your project, can keep everything on track, and will communicate status, deliverables, and responsibilities.</p>
<p><strong><em>4. Do they answer questions and communicate well with your team during the vetting process? </em></strong></p>
<p>If you don’t feel comfortable with the level of information you’re receiving now, it will only become more challenging once you’re in the thick of the validation. Feel free to ask for examples of the type of communications you will be receiving once the evaluation begins. If you don’t receive prompt, courteous attention, move on.</p>
<p><strong><em>5. Will they provide a client list?</em></strong></p>
<p>A lab should be able to give you the names of other companies they’ve helped. If they won’t, keep looking. You want experience and a track record of success.</p>
<p><strong><em>6. Do they have experience with a particular standard or scheme?</em></strong></p>
<p>Even if the lab is based in the United States, they may not have the required level of knowledge regarding a particular standard. The same goes for experience with a particular scheme; schemes are government-run and country-specific. Some labs work in more than one scheme, but may be more familiar with one than the others. Make sure the lab you choose has experience working with your preferred scheme.</p>
<p><em><strong>7. Get knowledgeable help</strong></em></p>
<p>If you’re pursuing a FIPS 140-2 validation, take note that <a href="http://csrc.nist.gov/groups/STM/testing_labs/" target="_blank">testing labs</a> are not permitted to consult on any project that they are testing for certification. If you’re looking for advice on required decisions during the process, a consultant is your best choice, as your lab won’t be able to offer opinions.</p>
<p>A consultant will also be able to help you to vet and select the best lab, act as your advocate, and provide unbiased advice.</p>
<p>Incorporate these points and questions into your research when selecting a lab for your next security validation. It’s well worth the effort.</p>
<p>Corsec has assisted in more than 300 certifications and validations over the past 15 years. Need help negotiating the process? Find out how we can help with your next <a href="http://www.corsec.com/contact-us/" target="_blank">IT security validation</a>.</p>
<p><a href="http://www.flickr.com/photos/katerha/7071545621/" target="_blank"><em>Image Source</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/05/testing-labs-tips-to-make-the-right-choice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Highlights from Corsec’s UC APL Webinar: A Glimpse Into What You Missed</title>
		<link>http://www.corsec.com/2013/04/highlights-from-corsecs-uc-apl-webinar-a-glimpse-into-what-you-missed/</link>
		<comments>http://www.corsec.com/2013/04/highlights-from-corsecs-uc-apl-webinar-a-glimpse-into-what-you-missed/#comments</comments>
		<pubDate>Thu, 25 Apr 2013 13:59:54 +0000</pubDate>
		<dc:creator>John Morris</dc:creator>
				<category><![CDATA[UC APL Services]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[it validations]]></category>
		<category><![CDATA[UC APL]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1464</guid>
		<description><![CDATA[Corsec recently presented a webinar called, DoD UC APL Solutions: Dealing with UCCO, STIGS, JITC, the TIC, Army, and DoD Requirements. Judging from the large number of views and inquiries on this, the Department of Defense’s Unified Capabilities Approved Products List (DoD UC APL) is a very hot topic for many vendors, and for good [...]]]></description>
				<content:encoded><![CDATA[<p>Corsec recently presented a webinar called, <a title="DoD UC APL Solutions: Dealing with UCCO, STIGS, JITC, The TIC, Army, and DoD Requirements" href="http://www.corsec.com/about-us/webinars/dod-uc-apl-solutions/" target="_blank"><em>DoD UC APL Solutions: Dealing with UCCO, STIGS, JITC, the TIC, Army, and DoD Requirements</em></a>. Judging from the large number of views and inquiries on this, the Department of Defense’s Unified Capabilities Approved Products List (DoD UC APL) is a very hot topic for many vendors, and for good reason.</p>
<p>Companies that achieve a listing on the UC APL are able to sell products throughout the entire DoD, and that can mean significant revenue enhancement.<span id="more-1464"></span> The thing is, navigating the many requirements involved in completing the DoD approvals is complex and can be expensive if not done right. Some businesses may abandon their goal after experiencing setbacks that push timelines further into the future and tie up resources for long periods of time (as in months or years).</p>
<p>Our webinar covered everything you need to know about UC APL, including the testing process, documentation, guidelines, rules and costs, types of UC APL assessments, and how to steer clear of common problems your competition may not be so lucky to avoid.</p>
<p>Following are some key tips taken from the webinar that can get you started on the path to the DoD UC APL list. To view the whole webinar, <a title="DoD UC APL Solutions: Dealing with UCCO, STIGS, JITC, The TIC, Army, and DoD Requirements" href="http://www.corsec.com/about-us/webinars/dod-uc-apl-solutions/">click here</a>.</p>
<p><strong>What is the DoD UC APL?</strong></p>
<p>Exactly what is the DoD UC APL? It’s a consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification. UC APL is run by the Unified Capabilities Certification Office (UCCO), which is part of Defense Information Systems Agency (DISA). UCCO does not do the actual testing; that’s performed by the Joint Interoperability Test Command (JITC), Network Engineering Assessment Facility (NEAF), the Technology Integration Center (TIC), the Air Force Information Operations Center (AFIOC), and other Testing Centers of Excellence.</p>
<p>The Army, Navy and other branches of the armed forces can only purchase and deploy systems on the DoD network that are on this list. If a certified product meets their needs, the military may make the purchase. If it’s determined that no compliant product is available, they must sponsor a non-compliant product for UC APL testing and listing.</p>
<p>Conversely, a company can approach the DoD and ask if they would purchase a particular product if it were UC APL certified. If they deem your product valuable enough, they will agree to sponsor its testing and listing.</p>
<p><strong>The web of guidelines and requirements </strong></p>
<p>As you’d expect, the <a href="http://www.disa.mil/Services/Network-Services/~/media/Files/DISA/Services/UCCO/APL-Process/UCAPL_Process.pdf" target="_blank">guidelines and rules for UC APL</a> are extensive and cumbersome, and they put a burden on all parties involved, including you, the vendor. There are timeframes you must follow and many potential pitfalls along the way that are spelled out in the guidelines—fall into any of them and you could get kicked back to square one. Then you will be required to start the listing process all over again.</p>
<p>There are also UCR functional requirements, performance objectives and technical specifications, 2,586 pages of them in UCR 2008, and many more in the new UCR 2013! Your job is to determine which ones apply to your product, and prepare documentation for submittal, covering the System Under Test. You also must complete a Self Assessment Report (SAR) activity along with Security Technical Implementation Guidelines (STIG) testing.</p>
<p><strong>A potentially long road</strong></p>
<p>How long does all this take? That depends largely upon how efficient and prepared you are in navigating all the steps and deliverables along the way. It can take up to two years or more, although Corsec helps our customers attain UC APL certification in a year or less. Our UC APL Complete Certification package takes you through the entire process and removes the burden of documentation, scheduling, follow-up, and communication with labs and government entities.</p>
<p>If all this seems overwhelming and you’re not sure where to start, Corsec can help. The best place to begin is to schedule a UC APL Workshop with your team, where we’ll tell you everything you need to know about certification and discuss an action plan to get you there. Then you can decide whether to go it alone or to partner with us to streamline the process.</p>
<p>If you have a product that could be sold to the DoD and you’re not UC APL certified, then you’re leaving money on the table. <a href="http://www.corsec.com/contact-us/" target="_blank">Talk to our UC APL experts</a> to get started today.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/04/highlights-from-corsecs-uc-apl-webinar-a-glimpse-into-what-you-missed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>15 Years Teaches You a Lot: 3 Key Points to Remember</title>
		<link>http://www.corsec.com/2013/04/15-years-teaches-you-a-lot-3-key-points-to-remember/</link>
		<comments>http://www.corsec.com/2013/04/15-years-teaches-you-a-lot-3-key-points-to-remember/#comments</comments>
		<pubDate>Tue, 16 Apr 2013 13:04:01 +0000</pubDate>
		<dc:creator>Matt Appler</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[anniversary]]></category>
		<category><![CDATA[IT Security Consulting]]></category>
		<category><![CDATA[IT security validations]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1449</guid>
		<description><![CDATA[At Corsec, we just celebrated our 15th year of business in the security validation consulting industry. As you might imagine, we spent some time reflecting on the changes we have seen in the industry, the customers we have had the pleasure to work with, and the successes and failures we have seen over the years. There [...]]]></description>
				<content:encoded><![CDATA[<p>At Corsec, we just celebrated our 15<sup>th</sup> year of business in the security validation consulting industry. As you might imagine, we spent some time reflecting on the changes we have seen in the industry, the customers we have had the pleasure to work with, and the successes and failures we have seen over the years.</p>
<p>There were a few specific things that kept coming up in these discussions—three factors we could identify that predicted success or failure in security validation projects.<span id="more-1449"></span></p>
<p>As we mentioned in <a title="Starting a Validation—Don’t Make All of Your Decisions up Front" href="http://www.corsec.com/2013/04/starting-a-validation-dont-make-all-of-your-decisions-up-front/" target="_blank">our last post</a>, there are many things to consider when starting a security validation, but specifically, we identified ROI, organizational involvement, and planning for change as three of the most crucial areas that can either make or break a validation project.</p>
<p><strong>Money is important</strong>. That is a little like saying “the grass is green” or “the sun rises in the East.” Everyone knows money is important. However, it is not the “cost” side of validations that impacts success, it is the “income” side. Don’t misunderstand. The cost side of validations is important. You wouldn&#8217;t begin a validation if the costs were not in line with what you could justify spending. However, real success comes from the return on investment you can get from a validation. Many product companies begin a validation and fail to educate their marketing and sales staff as to what it means. They don’t put out press releases highlighting their validations. Their website doesn&#8217;t have a clear indication of the validations they have worked so hard to achieve. They have not planned a recertification strategy to make sure their product validation stays fresh. Every single thing I just mentioned costs very little compared to the initial expense of a security validation. However, they all contribute significantly to the ROI that can be recognized for the validation effort.</p>
<p><strong>Involvement throughout the organization</strong> is another factor we have identified that is critical to the success of a project. Many product companies view security validations as being the responsibility of the engineering team. While it is true that the lion’s share of work will fall on engineering as they work through validation issues, this does not mean the rest of the organization has nothing to contribute. Making sure each stakeholder is aware of the project, understands what decisions are being made and what tradeoffs are considered, and is aware of when critical events will occur is important. Organizations that make sure all stakeholders are involved reduce project failure and maximize project success.</p>
<p><strong>Plan for change. </strong>Security is a dynamic industry and we learn more and more each year about how to design and build secure products. In an industry like this, change is inevitable. However, when looking to embark on a validation process that can last up to 18 months, dealing with change can be a daunting prospect. It is critical to understand the areas that are likely to change, and plan accordingly. This requires you to make sure that your company, or your security consultant, understands what is currently going on with regards to security validation standards and testing methodologies. You need to plan well from the beginning to make sure that your product design includes the ability to change so that when something occurs that you did not predict, you can deal with it quickly and efficiently.</p>
<p>There are certainly lots of other factors that contribute to the success or failure of a validation effort. But keep these three key points in mind as you prepare—they stand out above the rest. I can’t wait to see what the next 15 years will bring for our industry and for Corsec!</p>
<p>How can our experience help with your company’s security validation? <a href="http://www.corsec.com/contact-us/" target="_blank">Contact us</a> to find out.</p>
<p><a href="http://www.flickr.com/photos/fragiletender/5340250345/" target="_blank"><em>Image Source</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/04/15-years-teaches-you-a-lot-3-key-points-to-remember/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Starting a Validation—Don’t Make All of Your Decisions up Front</title>
		<link>http://www.corsec.com/2013/04/starting-a-validation-dont-make-all-of-your-decisions-up-front/</link>
		<comments>http://www.corsec.com/2013/04/starting-a-validation-dont-make-all-of-your-decisions-up-front/#comments</comments>
		<pubDate>Tue, 09 Apr 2013 13:43:25 +0000</pubDate>
		<dc:creator>Matt Appler</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[FIPS 140-2]]></category>
		<category><![CDATA[IT security validations]]></category>
		<category><![CDATA[UC APL]]></category>

		<guid isPermaLink="false">http://www.corsec.com/?p=1430</guid>
		<description><![CDATA[A security validation is a substantial process—getting it started can be daunting. But you don’t need to decide everything up front—in fact, you shouldn&#8217;t. There are definitely some important considerations to work through, but there are some decisions you should put off until you are well into the process. If you have been tasked with getting [...]]]></description>
				<content:encoded><![CDATA[<p>A security validation is a substantial process—getting it started can be daunting. But you don’t need to decide everything up front—in fact, you shouldn&#8217;t. There are definitely some important considerations to work through, but there are some decisions you should put off until you are well into the process.<span id="more-1430"></span> If you have been tasked with getting a security validation done for your product, where to begin is, in fact, one question you need to answer. If you are like most people, you start by reading and researching the security standards, <a href="http://csrc.nist.gov/groups/STM/testing_labs/" target="_blank">evaluation laboratories</a>, and <a href="http://www.corsec.com/2013/03/selecting-a-certification-consulting-company-why-the-right-choice-matters/" target="_blank">validation consultants</a>. Then the feeling that you need to start making some decisions sets in. Assuming you are still open to suggestions, stop right there. There are things you need to work on, but making decisions is not one of them. Keeping an open mind at this stage is critical to the future success of your validation effort. <strong>If you aren’t making decisions, what <em>should</em> you be doing? </strong>Here are some crucial first steps:</p>
<ul>
<li>Understand what your ROI looks like. Do you understand why you are getting a security validation? What could your sales team do if they had a validated product in their arsenal? Understanding your potential ROI will be critical when you start making decisions later in the process.</li>
<li>Get the support of major stakeholders. If your sales team is asking for validation, is the engineering team on board? What would it take to get them on board if they are not?</li>
<li>Identify the budget. Security validations are not inexpensive. Making sure you have appropriate budget is important for success.</li>
<li>Find out when your next major release cycle will be. Chances are, changes are going to need to be made to your product. Understanding when those changes could fit into a product release will be key.</li>
</ul>
<p><strong>What decisions should be deferred?</strong></p>
<ul>
<li>The “level” of validation you should pursue. You need to understand a lot about the path through certification before you can make this decision. It is good to have an idea of what is required to meet your ROI goals, but typically there are many options for product vendors to consider before making this decision.</li>
<li>Which testing laboratory to use. The choice of a testing laboratory should be made based on experience, availability, cost, and several other factors. Making this choice before you understand how to make these tradeoffs unnecessarily limits your options.</li>
<li>Which scheme/country to choose. Many security validations are done in multiple countries. There are reasons to have your validation work done in one over another. You need to understand these reasons and how they apply to your product and goals before you make this choice.</li>
<li>A validation boundary. Deciding what to validate, which seems like it should be a very obvious choice, is almost never obvious. After 15 years, I begin every new engagement with a customer by asking them to stay open-minded as to their validation boundary until we explore the technical and business issues surrounding a validation. This decision is best delayed as long as possible.</li>
</ul>
<p>Starting a validation requires a lot of considerations and research. But it doesn&#8217;t require you to have all the answers up front. Learn as much as you can without closing off any avenues too soon. The more you know, the better your decisions will be at the appropriate time in your process. Learn how Corsec can help you with the considerations and decisions required in your security validation process. Click <a href="http://www.corsec.com/contact-us/" target="_blank">here</a> for more information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.corsec.com/2013/04/starting-a-validation-dont-make-all-of-your-decisions-up-front/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
