Based on our many years' worth of experience in the
Common Criteria (CC), we can provide you with
tailored consultancy for nearly every situation.
Developers looking at first time evaluations
In our experience, the first impression of the
Common Criteria can be intimidating and confusing.
Our most common (no pun intended) request is for
help in gearing up towards a near-future Common
Criteria evaluation of your product. Often the way
forward in CC is not so clear, and these steps can
help bring clarity:
- A gap-analysis to see what is missing from the
current processes from a Common Criteria perspective.
An informal quick scan can be done on-site in about
a day, based on examples of your design/test
documentation and discussions on the processes. This
is the 80% result/20% effort option. A formal scan
is possible but because of the poor effect/cost
ratio it is typically much better to do the quick
scan and have some help in adapting
documentation/processes during the start of the
actual project. This is the place where the project
and technical leaders gain an understanding of the
rough way forward.
- A general introduction to the Common Criteria
and a specific translation to your situation. This
is a 2-3 day workshop with the whole team (2 days in
a lecture format, 3 days in interactive discussion
format). From a change management point of view, this
is also often the place where the need for adapted
procedures and the new CC-language is introduced to
the team.
- A day of, typically, detailed discussions of the
particularities of the CC for your situation, with a
wrap-up that sketches the way forward.
Commonly this is combined with:
- Help during the start of the project, especially
in scoping the evaluation side (in CC encoded in the
Security Target). A good Security Target (ST) will
save a lot of trouble in the subsequent evaluation,
and sadly writing such a good Security Target still
requires a CC-expert's hand.
- On-demand support at the time of creation of the CC documentation and/or during the evaluation when feedback from the evaluation lab is returned. The need for this varies a lot depending on the situation.
Experienced developers seeking expert help
Even experienced developers often do not have the
in-house capacity or knowledge required for certain
tasks. For those we can offer expert help (for
example in drafting STs, specific documents like ATE
and ADV_ARC evidence, or more strategic help in
guiding a non-standard TOE through the evaluation
with the minimum of fuss).
Evaluation labs, certifiers
Of course, as an evaluator and as a
certifier you want to show mastery of
the Common Criteria, especially to the
developers. But sometimes the daunting
CC is actually hard to understand and
implement efficiently. After many years
of evaluating and of training evaluators and
certifiers, we can help you, discreetly, to train you and optimize your processes.