Once you have spent the time and money to pursue a security validation, you’re all done, right? Well, not exactly. However, the good news is that it isn’t hard or expensive to maintain your validation.
For most security validations, the validation applies to a specific version of hardware and software. At the beginning of your evaluation you must choose which versions of your product you are taking through the validation process. This does not mean just identifying the model numbers being evaluated, but specifically which versions of your product will go through evaluations. This choice limits the applicability of your validation. Additionally, as you continue to make improvements to your product, your validation becomes stale.
If you wish to keep your validation relevant to the product versions you are currently shipping, you need to maintain those validations. Most security validation programs have some form of maintenance process that you can go through. The process may be known by various names depending on the program and the level of security-relevant changes in your product. For example, the Common Criteria defines the concept of Assurance Continuity to help you maintain your Common Criteria validation.
So, your validation applies to a specific version and you can update that with a maintenance process. But, why bother? We hear frequently from our customers that they are successfully selling their product to government customers with out-of-date certifications. A product vendor can validate version 2.0, and make sales of version 2.1 based upon the out-of-date security validation. Why go through the cost and hassle of a revalidation effort when you don’t have to? I’d like to turn that question around:
Why wouldn’t you maintain your security validations?
There are too many good reasons to maintain rather than just ignoring the issue.
- Assuming you understood the ROI of doing your security validation in the first place, why wouldn’t you want to protect that investment? Revalidation efforts can cost from 10 to 25 percent of the original cost of doing a full security validation.
- Your competition knows what versions you have had validated. Assuming their validations are current, won’t they spend time educating government purchasers of your out-of-date validations?
- You are selling products that rely on security validations. You have made a commitment to the marketplace that you are complying with these standards. Show your corporate commitment to maintain that compliance between versions.
Maintaining your validation can be done for low cost and low effort. The upside to maintaining your validation is that you can extend your ROI to new versions of your product, demonstrate your commitment to security to your customers, and ensure your corporate integrity by selling exactly what you have promised to your customers. Keeping your certifications up to date has a lot of upside for very little cost. Why wouldn’t you?
For help with the process of maintaining your security validation, click here.