Based on our many years' worth of experience in the Common Criteria (CC), we can provide you with tailored consultancy for nearly every situation.

Developers looking at first time evaluations

In our experience, the first impression of the Common Criteria can be intimidating and confusing.

Word jumble of the Common Criteria

Our most common (no pun intended) request is for help in gearing up towards a near-future Common Criteria evaluation of your product. Often the way forward in CC is not so clear, and these steps can help bring clarity:

  1. A gap analysis to see what is missing from the current processes from a Common Criteria perspective. An informal quick scan can be done on-site in about a day, based on examples of your design/test documentation and discussions on the processes. This is the 80% result/20% effort option. A formal scan is possible, but because of the poor effect/cost ratio it is typically much better to do the quick scan and have some help in adapting documentation/processes during the start of the actual project. This is the place where the project and technical leaders gain an understanding of the rough way forward.
  2. A general introduction to the Common Criteria and a specific translation to your situation. This is a 2-3 day workshop with the whole team (2 days in a lecture format, 3 days in interactive discussion format). From a change management point of view, this is also often the place where the need for adapted procedures and the new CC language is introduced to the team.
  3. A day with typically some detailed discussions of particularities of the CC for your situation and a wrap-up with a sketch of the way forward.
Commonly this is combined with:
  • Help during the start of the project, especially in scoping the evaluation side (in CC encoded in the Security Target). A good Security Target (ST) will save a lot of trouble in the subsequent evaluation, and sadly writing such a good Security Target still requires a CC-expert's hand.
  • On-demand support at the time of creation of the CC documentation and/or during the evaluation when feedback from the evaluation lab is returned. The need for this varies a lot depending on the situation.

Experienced developers seeking expert help

Even experienced developers often do not have the in-house capacity or knowledge required for certain tasks. For those we can offer expert help (for example in drafting STs, specific documents like ATE and ADV_ARC evidence, or more strategic help in guiding a non-standard TOE through the evaluation with the minimum of fuss).

Evaluation labs, certifiers

Of course, as an evaluator and as a certifier you want to show mastery of the Common Criteria, especially to the developers. But sometimes the daunting CC is actually hard to understand and implement efficiently. After many years of evaluating and of training evaluators and certifiers, we can discreetly help train you and optimize your processes.