Your Creative Solutions Services Products Blog Research and other fun About YCS Contact information


Creating a market demand for CC without government involvement?

(Also appeared in shorter form as an answer on

With the economy slowing down and evaluation labs starting up especially in places like Singapore, it is natural to ask how to create a market demand without government involvement.

The short and a tad oversimplified answer is that the only semi-sure way to create a CC market demand is due to a powerful accreditor absolutely requiring CC.

Very often this is the government for wanting secure products for own use (US requiring it for federal and DOD use for example) or for showing that they care about the safety of the voters' privacy (ePassport and eVoting evaluations come to mind). But it can also be a powerful non-government organization like the major credit card companies pushing security requirements as acceptance requirement, and the smartcard software developers as a result pushing it to their hardware developers. They came together and decided (in discussion and consensus with all parties involved) to use CC as the main method (making PP-0002, now PP-0035). This was politically and business wise a hugely courageous step to go for co-operation instead of competition, but in the end cost and efficiency driven. (More on the consensus building in my ICCC10 summary).

No hard requirements, no evaluations

Without such a hard requirement from a marketforce, CC will not (and should not in my opinion) be adopted, as it simply is an expense (evaluation costs and most importantly the internal costs) without tangible reward. The original question was from an evaluator at a CC-lab, he should also know the direct and indirect costs of evaluations for his customers. That same money can also be used for marketing and a good manager at the customer will ask that question. When I was senior evaluator, I always brought that question up myself if it hadn't already been considered by the customer. Better early in the process then aborting the evaluation halfway because the finance department starts asking that question and there is no reasonable answer.

Pitching the idea

The pitch to the market to adapt CC is rudely summarized:
  1. Starting point: Accreditor seriously wants assurance on security of certain products (for their own risk management or PR reasons). The accreditor is willing to not buy products if they do not have the testing required, even if this means that there will (temporarily) not be any products and/or if they will be more expensive (and they will be: evaluation costs are spread over the products).
  2. Any serious assurance will require third party testing, hence you need evaluation labs and oversight. Starting up and running such a scheme is expensive. But look! There is already an ISO-standard/internationally accepted/established/ready to use/industry standard methodology: the CC.
  3. With help the accreditor makes a PP and requires evaluations against them. Compliance check by the accreditor is extremely simple: show the certificate. All hard oversight problems are "outsourced" to the CCRA-schemes.
  4. The claimed value for the developers is easier because fixed and clear requirements (developers in the classified data domain or privacy protection will recognize the value of this), they can go to the commercial CC community for support in how to pass the evaluation, and they can re-use the CC certification elsewhere (and spread the costs). Unfortunately this is a long term result and only true when the PP is widely accepted (and preferably not too overly onerous in the requirements).

Spontanious combustion

Some markets have a latent security evaluation need, i.e. a significant set of the customers would buy the product if it had a security brand, over another product that does not have that brand. The CC has that brand-power, so sometimes a developer will use a CC evaluation to gain that marketing advantage. If it has a sufficiently enough value, the competitors will follow eventually (with the first adopter having the headstart as advantage, at the cost of the original risk taking). Sometimes this is anticipated by market leading developers and they work together in developing the PP, which also can trigger the market to completely go for the CC. The printer/copier workgroup IEEE P2600 is going for this route I gather. The Trusted Computing Group with the TPM is also going in that route (probably based on the positive experience of the smartcard developers in that group). In my humble opinion, this is by far the best situation but a highly political and sensitive process.


In any case, keep in mind that a successful PP is mostly defined by the consensus in the market (or failing that brute market force of the accreditor requiring the PP). A PP written without connection to the market is going to fail to create the market AND sour the market significantly for any future attempt to introduce CC there. Please don't do that.

My ICCC10 summary, especially the consensus parts

More blog entries