Corsec’s end-to-end turnkey solution manages the security certifications process so you don’t have to. This efficient and economical approach minimizes operational disruptions, improves financial returns, thwarts delays, and decreases risk.
This approach covers engineering tasks, lab testing, issue advocacy, and government interaction within the six service areas of security certifications:
Prepare for your project with an understanding of each certification, how to meet the requirements, an overview of your competitive landscape, your path to success, and the expected return on investment.
Educate Your Team
Learn the key players, timing, costs, level of effort, benefits, risks, and challenges of security certifications with a Current Product Analysis (matched against your environment, product landscape, objectives, and requirement gaps).
Gain industry insights on your competitors’ security certification efforts from a customized competitive analysis. Develop strategic direction and gain an advantage from real-time intelligence on other products’ security features and functionality.
Develop Your Plan
Receive a customized Statement of Work on how to successfully complete your security certifications, detailing Level of Effort, design engineering changes to address gaps, documentation requirements, product testing, and enterprise lab services.
Design Engineering Services
Uncover necessary product changes early on in your project. Corsec advises you on design changes for your product and enables you to move swiftly through the security certification process. These changes ensure compliance with the ever-evolving standards you are seeking.
Design Changes for FIPS 140-2
- Implementing power-up self-tests, conditional self-tests, FIPS 140-2 error states, status reporting and FIPS-approved modes of operation
- Modifying a product’s operation and design to meet FIPS 140-2 requirements for Finite State Machine, acceptable startup modes and initiation of self-tests and acceptable error states
- Making hardware design modifications to meet physical security requirements
Design Changes for Common Criteria
- Modifying product operation and design to meet Security Functional Requirements (SFRs) listed in the Security Target (ST)
- Assessing and meeting all Protection Profile-dictated requirements for the Target of Evaluation (TOE)
Design Changes for UC APL
- Adjusting product operation and design to meet appropriate Security Technical Implementation Guides (STIGs)
- Guiding any product changes to ensure that they meet all Plan of Action & Milestones (POA&Ms)
- Making any adjustments to ensure that a product meets all Unified Capabilities Requirements (UCRs) for its product type
Reinforce the cornerstone of your project with sound documentation. From creation through submission, each document is analyzed by our quality review panel. Defense of your documentation from government and lab questions, comments, and interrogations is handled on your behalf by Corsec’s Documentation Advocacy Team.
- Non-Proprietary Security Policy
- Finite State Machine
- Master Components List
- Software/Firmware module descriptions
- Source code listing within cryptographic boundary
- Module roles and services
- Key management lifecycle
- Algorithm Conformance
- FCC certificates for EMI/EMC
- Security Target Document
- Configuration Management Documents
- Secure Delivery Document
- Flaw Remediation Document
- Development Documents
- Guidance Documents & Supplement
- Testing Documentation
- Diagram of Test Environment
- System Description
- STIG Questionnaire
- IPv6 Letter of Compliance
- SF-328 Form (certificate pertaining to foreign interests)
- Self Assessment Report (SAR) against STIGs
- Coordinate & author Deployment Guide
- Guidance and Management
Product Testing Services
Effortlessly complete product security testing for algorithm testing and implementation (FIPS 140-2), test case development (Common Criteria) and STIG Testing (UC APL). Through Corsec’s patented systems, the burdens and costs associated with proceeding alone are eliminated.
Complete arduous CMVP testing for FIPS 140-2 by utilizing Corsec’s patented ULTIMA system designed to quickly and effortlessly verify, test, and generate results for CAVP-approved algorithms. Algorithm testing can often be fraught with errors and misunderstandings resulting in costly delays that can jeopardize your project.
Test Case Development
Identify and verify the security claims in your Common Criteria evaluation by utilizing Corsec’s detailed test cases that provide in-depth coverage of all security-centric functionality. Corsec’s engineers create test plans for the evaluation lab, including a detailed description of the test environment and any installation and configuration prerequisites. This alleviates the burden on your internal team and provides test plans that are well-written, unambiguous and cover 100% of the necessary functionality with all of the required testing artifacts and verification procedures.
Rapidly fulfill Department of Defense required security testing to achieve listing on the UC APL. Corsec has radically streamlined the Security Technical Implementation Guide (STIG) Testing process and argues before governing bodies which STIGs might be unnecessary for your product, ensuring only productive testing occurs.
Enterprise Lab Services
Alleviate the stress, resource constraints, and process of selecting a Lab and interactions with Schemes/Governments for your security certification project.
End-to-End Expert Guidance
Guaranteed completion of your project with alignment of resources to your timeline and objectives. Corsec is your single, complete, coordinated and risk-free solution to security certifications.
Corsec’s Lab Provider Network Offers:
- Lab Requirement Alignment
- Lab SWOT Analysis with Recommendations
- Corsec Assignments Prioritized With Lab Partnerships
- Staged Release Testing (SRT™) – Align schedules and product development
- Scheme/Country and Lab Agnostic
- Avoidance of Lab Resource Constraints
- Contract Relief – Quotations, charges, and scope creep
- Assured Testing Continuity – Additional support in the event of lab deficiency
Eliminate the management, headaches, risks, and mistakes associated with outsourcing solely to labs. If necessary, Corsec can arrange to distribute your security certification work across multiple laboratories, countries, and schemes.
- Over 60 accredited labs handle FIPS 140-2 and Common Criteria testing, each with their own requirements, knowledge base, and resource constraints
- The U.S. military manages the lab testing process exclusively through their Testing Centers of Excellence for the UC APL
- Labs operating in over 20 countries have different service level agreements, deliverables and expectations, leaving product vendors with varying levels of interaction and customer service
- The instability of some labs has raised concerns about their long-term viability, including a new demerit system
Maintenance & Compliance Services
Keep your security certifications up to date and your product market ready. Each security certification has its own unique requirements for maintenance and renewal. Corsec’s engineering team helps you understand the actions needed for each security certification, specific to your product, helping you stay on track with little to no disruption to your revenue stream.
Five change scenarios are used to determine if a product requires re-validation, or if documentation alone can address changes. Corsec works with you to determine which scenario most closely aligns with your latest product version.
Re-evaluation is dictated through a process called Assurance Continuity. For minor changes, submitting an addendum to the original product security certification, called an “assurance maintenance,” is all that is needed. If major changes have occurred, evidence will need to be submitted to a laboratory for re-evaluation.
As your product evolves, a Desktop Review must be completed for each major product version. A high-level assessment determines whether the product listing will simply be updated with the new version identifier, whether minimal testing must be performed on the new version prior to receiving an updated listing, or whether the product must undergo an entirely new evaluation.