Congratulations! You’ve decided to pursue Common Criteria certification (CC certification) for your IT security product. Now what?
The single most important factor that will influence whether your product is certified on schedule is not the product itself; it’s how you manage the CC certification process. So before you embark on attaining a CC certification, you have to determine who on your team will manage the long process. Here are some factors to consider that may help you make the decision.
Knowledge of the CC Certification Process
Being familiar with the Common Criteria process, including how to interface with the testing lab, knowing the questions you’ll be asked, test cases you’ll need to submit, etc., allows your project lead to be proactive and fully prepared to meet requests efficiently and correctly the first time. I can’t stress this enough: the more you know up front, the more time and money you will save down the road, and the faster you will attain certification.
Knowledge of Documentation Prep
There is a considerable amount of documentation that must be prepared and submitted to the test lab. Some of these documents have to be completed and approved before others can be submitted; others can be prepared simultaneously. The project lead should know document requirements up front.
Also, how you structure your documentation is really important. The evaluator at the test lab uses a common methodology to work through his or her document checklist. Structuring your documents the right way helps the evaluator move quickly through the list to locate the answers they require to check off the boxes. Again, understanding how to prepare your product documentation will save you time and hassle.
Bandwidth
This is probably the single most important consideration in selecting who manages your CC certification project. All the certification experience in the world won’t make up for not having enough time to devote to shepherding the CC certification process. You need to ask yourself (and the person you designate) two questions: A. Do they have the bandwidth to devote? B. How do they work under the stress of multiple deadlines? No matter how good your plan looks now, another priority (probably several!) will shift their attention away. How they juggle these conflicts will make or break your certification schedule.
Most companies these days run lean and mean; there simply aren’t enough hands on deck to manage the additional demands of CC certification. You may want to consider hiring someone just to take this on. If adding headcount is not an option for you, hiring Corsec is a cost-effective option that will move you through the certification maze faster and with much greater success than if you go it alone. That way your team can focus on projects that bring in revenue.