Common Criteria Certification: What Is It?

Do you need to open the door to selling your product to the U.S. government? That sounds like it should be a straightforward process, but think again. Any IT security product that will be used in U.S. government national security systems, whether it handles classified information or certain categories of unclassified information, must have Common Criteria certification. So how do you begin to navigate the labyrinth of processes and procedures that leads to a Common Criteria certificate?

Common Criteria Certification – Step 1

First, understand why you are undertaking this Herculean effort. Yes, Common Criteria certification is required to sell into U.S. government national security systems, but there are benefits beyond that. The Common Criteria evaluation process will help uncover potential problems with your product before you go to market, ultimately making that product more secure. Your certification will also keep you competitive. If others in your market already hold a certificate, they are that much ahead of you: they can compete not only in the government arena but also hold an advantage in commercial markets, including the financial sector.

Common Criteria Certification – Step 2

Next, make sure you plan. There are many factors to consider when planning a Common Criteria certification. The process can be lengthy, typically 12 to 18 months if managed properly and longer if you experience setbacks. Be sure to factor that time into your plan, along with the staff who will be focused on the certification rather than on other work during that period. Choosing the right staff is also key: think about including representation from multiple areas, including sales, marketing, executive management, QA, and the documentation team.

Common Criteria Certification – Step 3

The decisions do not stop there. Other choices to wrestle with during the planning phase include selecting a testing lab and selecting a scheme (the national certification body that oversees the evaluation and issues the certificate). These decisions seem simple: a U.S. company would choose a U.S. testing lab and the U.S. scheme, correct? But the answer that seems simplest is not always the best for your evaluation. Certificates issued under one scheme are recognized by the other countries that have signed the Common Criteria Recognition Arrangement (CCRA), within the limits of that arrangement, so it might make the most sense to choose a scheme outside the U.S. if your company has a large customer base outside the United States. A consultant can help steer you in the right direction and avoid the costly, time-consuming stops and starts that come with the wrong choices.

Common Criteria Certification – Step 4

As with projects of virtually every type, the budget cannot be overlooked in a Common Criteria certification. Carefully identify the scope of the evaluation, then account for costs such as documentation preparation, project management, lab fees, government fees, and testing-related travel. Understand which costs are fixed and which are not, so that you can manage the ones that may escalate. And do not forget soft costs, including the time of staff focused on the certification who would normally be dedicated to other revenue-generating work.

There is a lot to consider when you are about to embark on a Common Criteria certification. Ideally, the process goes smoothly, quickly, and without hiccups, maximizing your return on investment and letting you start selling as soon as possible. But it is easy to make a misstep in documentation, process, or any number of other details. A consultant can help pilot you through the maze and can actually save you time and money in the end, increasing ROI and getting you to market faster.

Corsec has completed more than 425 certifications for clients in more than 18 years. If you have questions about your Common Criteria certification, get in touch.