If you have been through the certification or validation process for your security product, I don\u2019t need to tell you that it\u2019s a substantial investment in time, resources and cost. Or that it\u2019s worth that investment when you\u00a0consider the benefits<\/a> you\u2019ll realize from your ability to sell into the lucrative government market.<\/p>\n We discussed the details of maximizing your certification investment in our recent webinar. You can watch the whole thing here<\/a>, but in this two-part blog post series, we\u2019ll give you some of the details.<\/p>\n Technology doesn\u2019t stand still for a nanosecond, and neither do your clients or your competition. Almost as soon as you attain certification, your development team is hard at work making tweaks and preparing for the next release. Sometimes these changes are significant, such as adding features or utilizing newer technology; or maybe they\u2019re minor such as edits to the product documentation or new comments added to the code.<\/span><\/p>\n If you\u2019re worried about whether refinements could mean you\u2019ll require a new certification or validation, you\u2019re right to be concerned. The last thing you want is to jeopardize your federal market potential by not having the proper validation or certification for your product. Should you invest the time and effort on revalidation, and how do you know whether it\u2019s wise to do so?<\/p>\n That depends on many factors, which are different for Common Criteria versus FIPS 140-2.<\/p>\n Let\u2019s look at Common Criteria first.<\/strong><\/p>\n Assurance Continuity is a process that helps you determine whether to go down the path to recertification, whereby you must undergo reevaluation and present evidence to a lab; or if you can perform assurance maintenance, which is an addendum to your existing certification listing and only requires a maintenance report. Assurance Continuity is based on the scope of changes to your product.<\/p>\n Minor changes include editorial changes to the documentation, comments added to the code, changes to the development environment that don\u2019t affect how the product was developed, changing the product name, security target ID or Target of Evaluation (TOE) identifier.<\/p>\n Major changes that necessitate reevaluation for Common Criteria are those that affect security, such as changes to assurance requirements. For example, if your product was certified for EAL 2 and you want to attain EAL 4 (or vice versa), you must undergo a new evaluation. Other major changes would include revising the product\u2019s functional requirements, the use of procedures or processes not assessed in the original evaluation, and making sets of minor changes that together have a major impact upon the security of the product.<\/p>\n If you\u2019re unsure of whether your product requires recertification now or will require reevaluation after changes you\u2019ve planned, don\u2019t take chances; Corsec can help you determine the right course of action.<\/p>\n Unlike Common Criteria, FIPS 140-2<\/strong> outlines five change scenarios to determine whether your product requires revalidation or whether you can submit a letter of rationale to the lab that basically explains why the changes don\u2019t affect the FIPS security posture of the module. Examples of changes that don\u2019t affect any FIPS-relevant security items are a change to the GUI, or changes to the physical enclosure of the module.<\/p>\n Changes that require FIPS revalidation include changes you make to more than 30 percent of FIPS-relevant security items.<\/p>\n Your Corsec engineer can help you determine if your product meets the 30 percent threshold, and can review each FIPS change scenario with you in detail. We are also able to assess the scope of your changes where Common Criteria Assurance Continuity is concerned. Contact us<\/a> for details.<\/p>\n Assuming you\u2019ve determined that you must pursue a next step to keep your security product certification current and applicable, it\u2019s important to understand timing and cost implications so you can allocate your resources and budget accordingly.<\/span><\/p>\n Common Criteria<\/strong><\/p>\n If your product has undergone any changes, you must perform Assurance Continuity (the process that helps you determine whether you need Common Criteria<\/a>\u00a0recertification or if assurance maintenance is sufficient). If you determine that your product changes are classified as minor, you can move forward with assurance maintenance.<\/p>\n To get started, you or your certification consultant must first update your existing Common Criteria documentation to reflect the changes to your product. Next, you must engage with a lab to re-execute the testing against the new product version and provide the test results to the appropriate scheme. Then, an Impact Analysis Report (IAR) that defines the changes must be produced, either by you, the lab or your certification consultant; and be sent to the scheme.<\/p>\n You can significantly reduce the timeline and maintain costs by working with a highly qualified consultant who manages the entire process for you. Because a qualified consultant will be very familiar with all the testing labs and schemes, they will understand what each looks for in documentation and testing. Consulting engineers can streamline communications with the lab and other entities, which shortens the time it takes to produce complete and proper documentation and anticipate any potential issues before they become problems.<\/p>\n FIPS 140-2<\/strong><\/p>\n A FIPS 140-2<\/a> revalidation can range from $5,000 to the original cost of your validation dependent upon which change category applies to your situation and how well you\u2019ve planned your documentation. Again, a consultant can manage the process so that team members can remain on other revenue generating projects.<\/p>\n Can you afford not<\/i> to maintain your validation\/certification?<\/p>\n If the thought of assurance maintenance, change categories and re-evaluation makes you uneasy, consider the money you leave on the table every day that you don\u2019t <\/i>revalidate or recertify. Without\u00a0up-to-date validation<\/a>, you can\u2019t maximize the investment in your product<\/a>, and you could fall significantly short of revenue goals if product changes are made and the validation was not maintained for the newer version.<\/p>\n If your security product validation\/certification is out of date and you decide to pursue an evaluation on your own, be prepared for what could be a long and frustrating road ahead. Every day that you spend tied up at the lab, writing documentation or trying to ascertain where bottlenecks are coming from is another day of revenue you won\u2019t see and another day that other revenue-bearing projects don\u2019t get your attention.<\/p>\n Using a consultant for these processes may seem like an additional expense but often makes the most financial sense because internal resources are not taxed and your revalidation or recertification occurs faster and more efficiently than if you attempt to do it yourself. Your consultant helps you develop and manage a maintenance strategy and schedule, determines which requirements apply to your product and product changes, ensures that all lab and scheme requirements are satisfied, prepares and revises all documentation, and manages all communications work with the lab and scheme from day one through to completion.<\/p>\n Keeping your validations and certifications up to date is not only good for your ROI, but it demonstrates your commitment to your customers\u2019 security and the security of your products.<\/p>\n