As we heard from many of you during and after the webinar, efficiency during the DoDIN APL listing process is a common concern for those who want to have their products added to the DoDIN APL, a requirement for anyone wishing to sell to the Department of Defense (DoD). In today’s post, we’ll share some nuggets from our webinar about the best ways to build efficiencies into your own DoDIN APL process during the planning stages. For more information, watch the entire webinar on demand.

Why is efficient planning so important?
There’s so much planning and decision making involved both in performing the Self Assessment Reviews (SARs) and during the actual testing phase itself. Efficient planning is important because it helps you save time, costs and resources, and helps you reach your ultimate goal of getting your product listed.

1. Reducing Costs Through Similarity Arguments

2. Solid planning

3. Choose the most efficient product category

4. Obtain Testing Center Buy-in Early

5. Have Well-Prepared Documentation

6. Engage in Conversation

7. Find an alternate sponsor

Corsec often helps our clients identify a potential alternate sponsor, and we usually recommend that they look at someone in the DoD to be a technical sponsor. There are people in the DoD who have sponsored many DoDIN APL listings; they are effective because they know DoD personnel and can operate within the Department in a politically correct manner.

We’ve seen organizations that have been stuck for a year or more in the DoDIN APL testing process. Execution can be a big stumbling point because there tends to be an enormous inertia factor involved in testing due to red tape, lack of communication and poor planning. Knowing how to push the process forward and avoiding the retiring of your tracking number is so important.

Although there are many potential traps inherent in DoDIN APL testing, the process itself is predictable. The more you plan, the more efficient your testing experience will be, and the more successful your outcome.

Corsec has helped many organizations navigate DoDIN APL testing, improve efficiencies, and save time, resources, and money. For more detail, review our entire “Planning for Efficient DoDIN APL Listing” webinar. Then let us know how we can help you.

The post DoDIN APL Planning Leads to Smooth Sailing – Webinar Recap appeared first on Corsec Security, Inc.®.

We discussed the details of maximizing your certification investment in our recent webinar. You can watch the whole thing here, but in this two-part blog post series, we’ll give you some of the details.

Technology doesn’t stand still for a nanosecond, and neither do your clients or your competition. Almost as soon as you attain certification, your development team is hard at work making tweaks and preparing for the next release. Sometimes these changes are significant, such as adding features or utilizing newer technology; or maybe they’re minor such as edits to the product documentation or new comments added to the code.

If you’re worried about whether refinements could mean you’ll require a new certification or validation, you’re right to be concerned. The last thing you want is to jeopardize your federal market potential by not having the proper validation or certification for your product. Should you invest the time and effort on revalidation, and how do you know whether it’s wise to do so?

That depends on many factors, which are different for Common Criteria versus FIPS 140-2.

Let’s look at Common Criteria first.

Assurance Continuity is a process that helps you determine whether to go down the path to recertification, whereby you must undergo reevaluation and present evidence to a lab; or if you can perform assurance maintenance, which is an addendum to your existing certification listing and only requires a maintenance report. Assurance Continuity is based on the scope of changes to your product.

Minor changes include editorial changes to the documentation, comments added to the code, changes to the development environment that don’t affect how the product was developed, changing the product name, security target ID or Target of Evaluation (TOE) identifier.

Major changes that necessitate reevaluation for Common Criteria are those that affect security, such as changes to assurance requirements. For example, if your product was certified for EAL 2 and you want to attain EAL 4 (or vice versa), you must undergo a new evaluation. Other major changes would include revising the product’s functional requirements, the use of procedures or processes not assessed in the original evaluation, and making sets of minor changes that together have a major impact upon the security of the product.

If you’re unsure of whether your product requires recertification now or will require reevaluation after changes you’ve planned, don’t take chances; Corsec can help you determine the right course of action.

Unlike Common Criteria, FIPS 140-2 outlines five change scenarios to determine whether your product requires revalidation or whether you can submit a letter of rationale to the lab that basically explains why the changes don’t affect the FIPS security posture of the module. Examples of changes that don’t affect any FIPS-relevant security items are a change to the GUI, or changes to the physical enclosure of the module.

Changes that require FIPS revalidation include changes you make to more than 30 percent of FIPS-relevant security items.

Your Corsec engineer can help you determine if your product meets the 30 percent threshold, and can review each FIPS change scenario with you in detail. We are also able to assess the scope of your changes where Common Criteria Assurance Continuity is concerned. Contact us for details.

Assuming you’ve determined that you must pursue a next step to keep your security product certification current and applicable, it’s important to understand timing and cost implications so you can allocate your resources and budget accordingly.

Common Criteria

If your product has undergone any changes, you must perform Assurance Continuity (the process that helps you determine whether you need Common Criteria recertification or if assurance maintenance is sufficient). If you determine that your product changes are classified as minor, you can move forward with assurance maintenance.

To get started, you or your certification consultant must first update your existing Common Criteria documentation to reflect the changes to your product. Next, you must engage with a lab to re-execute the testing against the new product version and provide the test results to the appropriate scheme. Then, an Impact Analysis Report (IAR) that defines the changes must be produced, either by you, the lab or your certification consultant; and be sent to the scheme.

You can significantly reduce the timeline and maintain costs by working with a highly qualified consultant who manages the entire process for you. Because a qualified consultant will be very familiar with all the testing labs and schemes, they will understand what each looks for in documentation and testing. Consulting engineers can streamline communications with the lab and other entities, which shortens the time it takes to produce complete and proper documentation and anticipate any potential issues before they become problems.

FIPS 140-2

A FIPS 140-2 revalidation can range from $5,000 to the original cost of your validation dependent upon which change category applies to your situation and how well you’ve planned your documentation. Again, a consultant can manage the process so that team members can remain on other revenue generating projects.

Can you afford not to maintain your validation/certification?

If the thought of assurance maintenance, change categories and re-evaluation makes you uneasy, consider the money you leave on the table every day that you don’t revalidate or recertify. Without up-to-date validation, you can’t maximize the investment in your product, and you could fall significantly short of revenue goals if product changes are made and the validation was not maintained for the newer version.

If your security product validation/certification is out of date and you decide to pursue an evaluation on your own, be prepared for what could be a long and frustrating road ahead. Every day that you spend tied up at the lab, writing documentation or trying to ascertain where bottlenecks are coming from is another day of revenue you won’t see and another day that other revenue-bearing projects don’t get your attention.

Using a consultant for these processes may seem like an additional expense but often makes the most financial sense because internal resources are not taxed and your revalidation or recertification occurs faster and more efficiently than if you attempt to do it yourself. Your consultant helps you develop and manage a maintenance strategy and schedule, determines which requirements apply to your product and product changes, ensures that all lab and scheme requirements are satisfied, prepares and revises all documentation, and manages all communications work with the lab and scheme from day one through to completion.

Keeping your validations and certifications up to date is not only good for your ROI, but it demonstrates your commitment to your customers’ security and the security of your products.

Corsec has assisted with hundreds of recertifications and revalidations over the past 15 years. Contact us to find out how we can help you.

The post Webinar Recap: Revalidation – When Is the Right Time? appeared first on Corsec Security, Inc.®.

The process for being added to the DoDIN APL is complex, with no fewer than 36 distinct steps to complete. There’s the preparation, documentation, and the testing; then you have to coordinate all of your testing activities and logistics, both with UCCO and with government sponsors.

The process can drag on if you don’t meet DoD deadlines for processing, testing, and mitigations. It’s possible to waste many months (or even years!) on unsuccessful approval efforts if you don’t have the right information and the best resources managing everything. There are also defined, stiff penalties for missing deadlines or steps.

How can you move through DoDIN APL testing efficiently?

If you’re wondering whether you should pursue DoDIN APL testing for your products and how you can avoid a drawn-out approval process, mark your calendar for next Wednesday, March 20th at 11:45am (EST) for our webinar, DoDIN APL Solutions: Dealing with UCCO, STIGS, JITC, The TIC, Army, and DoD Requirements.

Presented by John Morris, Corsec president and co-founder, our webinar will offer the full scope of what you need to know about DoDIN APL. John will review the testing process, documentation, guidelines, rules and costs, as well as the types of DoDIN APL assessments. He’ll also cover the common pitfalls that many organizations encounter during the process, and will show you how to avoid them.

You can download this webinar here.

If you want immediate information about how Corsec’s DoDIN APL services streamline every aspect of your DoDIN APL certification, call us at (703) 267-6050 or email jnelson@corsec.com

The post Webinar: Moving Through DoDIN APL Testing Efficiently appeared first on Corsec Security, Inc.®.