Turnkey Solution

Corsec Security Certification Service Wheel 2015

Corsec’s turnkey solution manages the entire security certification effort so you don’t have to. It covers: engineering tasks, lab testing, issue advocacy and government interaction. This efficient and economical approach minimizes operational disruptions, improves financial returns, thwarts delays and decreases risk.

This approach covers all six service areas of the security certification process: Advisory, Design Engineering Consulting, Documentation, Engineering, Enterprise Lab and Maintenance & Compliance.

Turnkey Solution for FIPS 140-2, Common Criteria and UC APL Security Certification and Validation

 

Discuss My Turnkey Solution

 

 

A Closer Look at Corsec’s Services

View Our Advisory Services PDFSecurity Certification Services - FIPS 140-2, Common Criteria, UC APL

Prior to beginning the security certification process, it is imperative that a company has a firm grasp on the level of effort necessary as well as expected return on investment. Corsec’s Advisory Services are designed to equip an organization with the information it needs to successfully achieve security certification. They are comprised of three key areas:

Go-to-Market Readiness
To ensure our partners are prepared to undertake the process, Corsec provides:

An in-depth security certification overview of FIPS 140-2, Common Criteria and UC APL to include:

  • Key Players
  • Benefit, risks and challenges
  • Time
  • Effort and cost

A Client Analysis

  • A complete understanding of the client, their product and objectives
  • Identifies gaps or additional resources needed

Security Certification Competitive Intelligence
Client competitor research is conducted to unearth their current security certifications and ones that are in-process, for two reasons:

  • The results of a competitive analysis can cause a substantial shift in the assumed security certification strategy and direction. The intelligence gathered substantiates the guidance provided.
  • It helps to determine the competitive strategy which will ultimately create an advantage for clients from a feature/functionality and/or security confidence perspective

Technical Assessment
The following are provided:

A formal Compliance Report comprised of:

  • The current state of the client’s product in relation to the security certification they are seeking
  • Any gaps and recommendations to close those gaps
  • A recommended path through the security certification process

A Statement of Work outlining the level of effort needed:

  • Product design consulting
  • Documentation services
  • Specialty engineering services (algorithm testing, test case development, STIG testing)
  • Enterprise lab services (lab testing, government/scheme testing and fees)

View Our Design Engineering PDFSecurity Certification Services - FIPS 140-2, Common Criteria, UC APL

Product design changes may be necessary to meet the requirements of a third-party security certification or security validation. Corsec’s Design Engineering Services complement the firm’s Documentation Services and provide guidance on the best and most efficient design for a client’s product to enable them to move swiftly through the security certification process.

Discover Required Product Changes Early in the Process – Common design changes encountered for each security certification or validation include:

FIPS 140-2

  • Implementing power-up self-tests, conditional self-tests, FIPS 140-2 error states, status reporting and FIPS-approved modes of operation
  • Modifying a product’s operation and design to meet FIPS 140-2 requirements for Finite State Machine, acceptable startup modes and initiation of self-tests and acceptable error states
  • Making hardware design modifications to meet physical security requirements

COMMON CRITERIA

  • Modifying product operation and design to meet Security Functional Requirements (SFRs) listed in the Security Target (ST)
  • Assessing and meeting all Protection Profile-dictated requirements for the Target of Evaluation (TOE)

UC APL

  • Adjusting product operation and design to meet appropriate Security Technical Implementation Guidelines (STIGs)
  • Guiding any product changes to ensure that they meet all Plan of Action & Milestones (POA&Ms)
  • Making any adjustments to ensure that a product meets all Unified Capabilities Requirements (UCRs) for its product type

Leverage Best Practises
Companies who take advantage of Corsec’s expertise ensure that their product’s design can pass security certification successfully and that changes to their upcoming roadmap stay compliant to the ever-evolving standard they are seeking.

View Our Documentation Services PDF Security Certification Services - FIPS 140-2, Common Criteria, UC APL

Corsec’s Documentation Services are the cornerstone of a successful security certification effort. They encompass documentation creation and submission, as well as clarification, defense and advocacy. All of these are completed within a system of assured quality that includes client engagement, Corsec’s peer-to-peer global quality panel review and issue advocacy with the lab and the scheme. Corsec’s documentation services include the following:

FIPS 140-2

  • Non-Proprietary Security Policy
  • Finite State Machine
  • Master Components List
  • Software/Firmware module descriptions
  • Source code listing for all software and firmware within cryptographic boundary
  • Description of module roles and services
  • Description of key management lifecycle
  • Algorithm Conformance certificates
  • FCC certificates for EMI/EMC compliance

COMMON CRITERIA

  • Security Target Document
    • Conformance Claims
    • Extended Components Introduction
    • ST Introduction
    • Security Objectives
    • Security Requirements
    • Security Problem Definition
    • TOE Summary Specification
  • Configuration Management Documents
    • CM Capabilities
    • CM Scope
  • Secure Delivery Document
  • Flaw Remediation Document
  • Development Documents
    • Security Architecture
    • Functional Specification
    • TOE Design
  • Guidance Documents
    • Guidance Supplement
  • Testing Documentation
    • Coverage
    • Functional Tests

UC APL

  • Diagram of Test Environment
  • System Description
  • STIG Questionnaire
  • IPv6 Letter of Compliance
  • SF-328 Form (certificate pertaining to foreign interests)
  • Self Assessment Report (SAR) against current STIGs
  • Coordinate and author Deployment Guide
  • Guidance and Management

Corsec creates the requisite documentation from its understanding of an organization’s product today and the product documentation available. The firm suggests a security certification direction that is backed by the recommendations and expertise of a peer-to-peer technical review panel. Finally, Corsec addresses questions, comments and interrogations from the lab and the government and advocates particular positions and issues on behalf of clients.

View Our Engineering Services PDFSecurity Certification Services - FIPS 140-2, Common Criteria, UC APL

A complete validation usually includes algorithm testing and implementation (FIPS 140-2), test case development (Common Criteria) and STIG Testing (UC APL). These services are beyond the traditional domain of documentation and security certification consulting. Companies choosing to perform these tasks themselves, quickly realize the totality of the burden and costs associated with proceeding alone. Corsec’s Engineering Services cover the following:

Algorithm Testing

The Challenge
As part of the FIPS 140-2 validation process, vendors are required to include CAVP-approved algorithms as part of their submission to the CMVP. This process requires algorithm development, testing and implementation.

The Corsec Solution
Algorithm testing can often be fraught with errors and misunderstandings, resulting in costly delays that can jeopardize a project. Corsec’s Algorithm Testing service effortlessly streamlines the algorithm testing portion of the FIPS 140-2 validation cycle. We deploy our patent-pending Ultima™ algorithm testing solution, which includes:

  • Automated importation of lab-provided request files and parsing of all test parameters
  • Test parameters correctly formatted for the form specified by the vendor’s implementation
  • Preparation of data objects and performance of test-specific initialization
  • Remote networked communications with the modules tested
  • Execution of the algorithm as specified by the implementation
  • Results from the implementation
  • Resulting data formatted per lab requirements
  • Results written in preferred format for validation

Test Case Development

The Challenge
The Common Criteria security certification process requires companies to prove claims in their evaluation documentation through a set of well-written, detailed test cases that provide in-depth coverage of all security-centric functionality. Companies must then produce test plans for the evaluation lab, including a detailed description of the test environment and any installation and configuration prerequisites. These plans must correspond to the evaluation design documentation and provide adequate coverage of each of the defined user interfaces.

The Corsec Solution
Often companies attempt to create Common Criteria-approved test cases internally, stumbling through the process and causing lengthy tie-ups of over-taxed engineering teams. Corsec’s engineers can develop and execute these test cases on a client’s behalf, alleviating the burden on internal teams and providing test plans that are well-written, unambiguous and cover 100% of the necessary functionality with all of the required testing artifacts (screenshots, log files, etc.) and verification procedures.

STIG Testing

The Challenge
The Defense Information Systems Agency (DISA) establishes configuration standards for products intended to be part of a Department of Defense (DoD) network. These standards are captured in a Security Technical Implementation Guide (STIG). The DoD currently supports dozens of STIGs, each one pertinent to a specific product category. In order to achieve listing on the UC APL, a product must adhere to the STIGs relevant to its product type and product vendors are not allowed to decide which STIGs to adhere to – that is determined by DISA. Each STIG that is imposed on a product can require a significant investment in time and resources, product changes and enhancements, in addition to the detailed effort spent proving adherence to each.

The Corsec Solution
Corsec’s STIG Testing service can radically streamline this process. With our knowledge of STIGs and our experience with the overall UC APL evaluation, we are able to argue before governing bodies which STIGs are unnecessary for an organization’s product, ensuring only productive testing activities. We can then perform the testing needed to state that the product meets the balance of the STIGs imposed on it.

View Our Enterprise Lab Services PDFSecurity Certification Services - FIPS 140-2, Common Criteria, UC APL

A successful security certification or validation hinges on selecting and working with testing laboratories to confirm a product meets applicable standards. The process is often cumbersome, confusing and time-consuming. Further complicating matters is the sheer volume of labs, each with their own unique requirements.

  • Currently, more than 60 accredited labs handle FIPS 140-2 and Common Criteria testing
  • The U.S. military manages the lab testing process for UC APL exclusively through their Testing Centers of Excellence
  • Labs operating in over 20 countries have different service level agreements, deliverables and expectations, leaving product vendors with varying levels of interaction and customer service
  • The instability of some labs has raised concerns about their long-term viability

The Corsec Solution
Over the last 17 years, product vendors have approached Corsec for a single, complete, coordinated and risk-free solution to their testing requirements. Corsec’s Enterprise Lab Services are government- and scheme-agnostic and offer customers access to a host of vetted labs globally through the Corsec Lab Provider Network. These services enable Corsec to assist product vendors with:

  • Selecting the appropriate scheme/country where their product should be evaluated
  • Matching customer requirements (ITAR, etc.) with suitable labs
  • Understanding the pros and cons of different options and then recommending a path forward

Benefits
By engaging Corsec’s Enterprise Lab Services, customers eliminate the management, headache and risk of mistakes often associated with outsourcing solely to labs. If necessary, Corsec can arrange to distribute a client’s security certification work across multiple laboratories, countries and schemes. Other benefits include:

  • The client’s validation process moves along quickly, unimpeded by bottlenecks that can result from working with a single, overbooked lab
  • Corsec’s influence within our Lab Provider Network helps create first-priority resource assignment
  • Customers avoid the complexities of quotation, contracting, charge, or scope creep
  • Customers can leverage Corsec’s Staged Release Testing (SRT™) service, which allows customers to interweave their security certification with product development schedules
  • Corsec assumes the risk of testing continuity. If disaster prevents a laboratory from completing the security certification process, we will pay to engage a second lab to make up for lost time and to complete the work

View Our Maintenance & Compliance Services PDFSecurity Certification Services - FIPS 140-2, Common Criteria, UC APL

Technology is ever-changing. A product that has been certified or validated will likely need to go through the process again. Corsec’s Certification Maintenance Service helps organizations determine whether or not it is necessary to pursue a full reevaluation.

The Big Difference: Major and Minor Reevaluations

Each security certification has its own unique requirements for maintenance and renewal. Corsec’s engineering team helps clients understand the specific actions they will need to take for each security certification they pursue, specific to each product.

FIPS 140-2 – The FIPS 140-2 validation process lists five change scenarios that are used to determine if a product requires revalidation, or if documentation alone can address changes. Corsec helps clients determine which scenario mostly closely aligns to the latest product version.

COMMON CRITERIA – Common Criteria determines if reevaluation will be necessary through a process called Assurance Continuity. If minor changes have occurred, a vendor can perform an “assurance maintenance,” and submit a report that is attached as an addendum to the original product security certification. If major changes have occurred, evidence will need to be submitted to a laboratory for reevaluation.

UC APL – In order to maintain a UC APL listing as a product evolves, product vendors must complete a Desktop Review for each major product version. In such a review, a high-level assessment determines whether the product listing will simply be updated with the new version identifier, whether minimal testing must be performed on the new version prior to receiving an updated listing, or whether the product must undergo an entirely new evaluation.

Keep Products Market-Ready

Corsec helps ensure that clients continue to benefit from their initial security certification efforts. If you have questions on the requirements for your product’s recertification or revalidation, we can help determine the best path forward with little to no disruption to your revenue stream.


 

Call Corsec +1 703 267 6050