If you have been through the certification or validation process for your security product, I don’t need to tell you that it’s a substantial investment in time, resources and cost. Or that it’s worth that investment when you consider the benefits you’ll realize from your ability to sell into the lucrative government market.
We discussed the details of maximizing your certification investment in our recent webinar. You can watch the whole thing here, but in this two-part blog post series, we’ll give you some of the details.
Technology doesn’t stand still for a nanosecond, and neither do your clients or your competition. Almost as soon as you attain certification, your development team is hard at work making tweaks and preparing for the next release. Sometimes these changes are significant, such as adding features or utilizing newer technology; sometimes they’re minor, such as edits to the product documentation or new comments added to the code.
If you’re worried about whether refinements could mean you’ll require a new certification or validation, you’re right to be concerned. The last thing you want is to jeopardize your federal market potential by not having the proper validation or certification for your product. Should you invest the time and effort on revalidation, and how do you know whether it’s wise to do so?
That depends on many factors, which are different for Common Criteria versus FIPS 140-2.
Let’s look at Common Criteria first.
Assurance Continuity is a process that helps you determine whether you must go down the path to recertification, which means undergoing reevaluation and presenting evidence to a lab, or whether you can perform assurance maintenance, which is an addendum to your existing certification listing and only requires a maintenance report. Assurance Continuity is based on the scope of changes to your product.
Minor changes include editorial changes to the documentation, comments added to the code, changes to the development environment that don’t affect how the product was developed, and changes to the product name, security target ID or Target of Evaluation (TOE) identifier.
Major changes that necessitate reevaluation for Common Criteria are those that affect security, such as changes to assurance requirements. For example, if your product was certified for EAL 2 and you want to attain EAL 4 (or vice versa), you must undergo a new evaluation. Other major changes would include revising the product’s functional requirements, the use of procedures or processes not assessed in the original evaluation, and making sets of minor changes that together have a major impact upon the security of the product.
If you’re unsure of whether your product requires recertification now or will require reevaluation after changes you’ve planned, don’t take chances; Corsec can help you determine the right course of action.
Unlike Common Criteria, FIPS 140-2 outlines five change scenarios to determine whether your product requires revalidation or whether you can submit a letter of rationale to the lab that basically explains why the changes don’t affect the FIPS security posture of the module. Examples of changes that don’t affect any FIPS-relevant security items are a change to the GUI, or changes to the physical enclosure of the module.
Changes that require FIPS revalidation include changes you make to more than 30 percent of FIPS-relevant security items.
Your Corsec engineer can help you determine if your product meets the 30 percent threshold, and can review each FIPS change scenario with you in detail. We are also able to assess the scope of your changes where Common Criteria Assurance Continuity is concerned. Contact us for details.
Assuming you’ve determined that you must pursue a next step to keep your security product certification current and applicable, it’s important to understand timing and cost implications so you can allocate your resources and budget accordingly.
If your product has undergone any changes, you must perform Assurance Continuity (the process that helps you determine whether you need Common Criteria recertification or if assurance maintenance is sufficient). If you determine that your product changes are classified as minor, you can move forward with assurance maintenance.
To get started, you or your certification consultant must first update your existing Common Criteria documentation to reflect the changes to your product. Next, you must engage with a lab to re-execute the testing against the new product version and provide the test results to the appropriate scheme. Then, an Impact Analysis Report (IAR) that defines the changes must be produced, either by you, the lab or your certification consultant, and sent to the scheme.
You can significantly reduce the timeline and maintain costs by working with a highly qualified consultant who manages the entire process for you. Because a qualified consultant will be very familiar with all the testing labs and schemes, they will understand what each looks for in documentation and testing. Consulting engineers can streamline communications with the lab and other entities, which shortens the time it takes to produce complete and proper documentation, and can anticipate potential issues before they become problems.
A FIPS 140-2 revalidation can range from $5,000 to the original cost of your validation, depending on which change category applies to your situation and how well you’ve planned your documentation. Again, a consultant can manage the process so that team members can remain on other revenue-generating projects.
Can you afford not to maintain your validation/certification?
If the thought of assurance maintenance, change categories and re-evaluation makes you uneasy, consider the money you leave on the table every day that you don’t revalidate or recertify. Without up-to-date validation, you can’t maximize the investment in your product, and you could fall significantly short of revenue goals if product changes are made and the validation is not maintained for the newer version.
If your security product validation/certification is out of date and you decide to pursue an evaluation on your own, be prepared for what could be a long and frustrating road ahead. Every day that you spend tied up at the lab, writing documentation or trying to ascertain where bottlenecks are coming from is another day of revenue you won’t see and another day that other revenue-bearing projects don’t get your attention.
Using a consultant for these processes may seem like an additional expense, but it often makes the most financial sense because internal resources are not taxed and your revalidation or recertification occurs faster and more efficiently than if you attempt to do it yourself. Your consultant helps you develop and manage a maintenance strategy and schedule, determines which requirements apply to your product and product changes, ensures that all lab and scheme requirements are satisfied, prepares and revises all documentation, and manages all communications with the lab and scheme from day one through to completion.
Keeping your validations and certifications up to date is not only good for your ROI, but it demonstrates your commitment to your customers’ security and the security of your products.
Corsec has assisted with hundreds of recertifications and revalidations over the past 15 years. Contact us to find out how we can help you.