In the IT security industry, research and development teams continually race to introduce new products, while at the same time, project teams improve upon existing offerings—all scrambling to ensure that the latest versions meet security functional and assurance requirements. The goal is to bring the strongest and most secure products to market.
If you’re in the business of producing IT security products, you should know that attaining Common Criteria certification is critical to your business for some very good reasons, for example:
It opens the door to the government market. All IT security products purchased by the U.S. government for national security systems are required to have Common Criteria certification. Many government agencies, especially the DoD, write Common Criteria certification into their RFPs.
Certification helps you stay competitive. You must have common criteria certification if you want to compete against established players who have already been evaluated. This is true not only when selling into the government sector, but also for commercial clients like banks and financial institutions.
Common Criteria helps you improve on the security of your product. Think of the Common Criteria evaluation as the litmus test of your team’s success in developing the product’s security against the appropriate Protection Profile. The Common Criteria certification process may uncover hidden vulnerabilities before you go to market, saving you from having to make costly corrections in the field.
The road to Common Criteria success
When you’re ready to pursue certification, an IT security consultant can make the entire process easier and more cost effective. Make sure your partner has a process that they can describe in detail to guide you through certification to ensure that everything goes smoothly—setbacks can cost not only time but also money. Corsec has put together seven important milestones you must meet to ensure a smooth certification process—does your prospective partner have something similar? They should be able to spell out the steps for you so you are very clear on the plan before you begin. Adhering to this plan can help you ramp up and get underway quickly, and will ensure that you stick to your budget and shorten your evaluation time. Corsec’s process includes these steps:
Begin with an education about the Common Criteria process and an understanding of the sequence of events so that you can schedule time and resources accordingly. Corsec provides customers with a custom compliance report including a blueprint for successful certification—make sure that your partner offers documentation that gives you an understanding of what the process will entail and cost before you actually get started.
With a certification plan in place, you’ll then determine which Protection Profiles you will be validated against, so you can make certain your product meets the requirements specified in the appropriate Protection Profile or Profiles.
Preparation of documentation is a big part of certification. First, you’ll develop a Security Targetthat provides information about how your product or system meets requirements. A Security Target contains a statement of the requirements to which a specific product or system under evaluation must conform, written to be implementation dependent. A Security Target can be authored to conform to a specific Protection Profile or it can simply state the security functional requirements that your product offers and the assurance levels for the evaluation.
Once that’s done, your team must produce all assurance documentation necessary for submission to the testing lab. It is vital that you have clear, complete documentation, as this is one area where many Common Criteria certifications grind to a halt. Having someone on your team who’s experienced in this type of documentation prep will save you time and costly delays.
The next step is to submit your product and associated documentation to an accredited testing laboratory. The choice you make regarding the lab you’ll work with is really important because different testing labs have different experience levels with particular standards and schemes, different styles of communicating with customers, and different pricing models. Your consulting partner’s relationships will be critical here. Assuming you’ve chosen a good partner to work with, the last step in the process should be “receive certification!”
While Common Criteria certification isn’t a simple process, it’s much easier with an experienced consultant to guide you. Corsec has completed hundreds of certifications for clients. Find out how we can help you.