But the Rules are Changing!

According to the ancient Greek philosopher Heraclitus, “There is nothing permanent except change.” As anyone following security certifications lately can tell you, there is a lot of truth in this statement. We have entered another period of profound change in security certifications. Putting these changes in the proper context is essential if you wish to position your product or company properly in the marketplace.

Many of the changes that are going on programmatically are just not relevant to the macro decisions that product vendors need to make for certification. While these changes might impact these decisions slightly, the main business drivers for certification do not change very quickly. As certification insiders, we tend to focus on the new and interesting things in our industry. If you are waiting for the change to stop before making a decision on certification, you will be waiting a long time indeed. In fact, many of your competitors will have leapfrogged you by completing their certifications while you are paralyzed with inaction.

The Common Criteria community is currently undergoing significant change. There are new Protection Profiles, new Technical Communities, new guidance from several schemes on what types of evaluations are acceptable, and new entropy requirements for certain evaluations. These changes are causing a lot of confusion. However, these “changes” are being made more rapidly than most product purchasers can even understand them. Furthermore, some of these changes have been announced, rescinded, and replaced by a new change, all in less time than a product could have gone through the certification process! Through all of this, product vendors are still successfully achieving certification of their products and meeting their customers’ needs.

The Cryptographic Module Validation Program, commonly referred to as FIPS 140-2, is also undergoing change. The new FIPS 140-3 standard is still in development. Recent implementation guidance can seem to change the rules for many product types. Navigating a path through these changes can be difficult at times. However, product purchasers still require validated products, and product vendors who navigate this process are rewarded with more opportunities to sell their products.

The DoDIN APL process has probably undergone the least amount of change from a programmatic standpoint as far as my customers are concerned, but the most significant change from a sales applicability standpoint. More and more procurements are requiring products to be listed on the DoDIN APL. Understanding this and being aware of the trends for purchasing requirements is important in making a business decision around pursuing a product listing on the DoDIN APL.

After more than 15 years in the certification business, I have seen several periods of change similar to the one we are in now. As another great philosopher, Yogi Berra, once said, “It’s déjà vu all over again.” Businesses that embrace change and navigate it skillfully have historically done well in this marketplace. Businesses that are paralyzed by change are often still waiting for the change to settle down while their competitors are successfully selling their already validated products.

Change is constant. Let Corsec help you through today’s changes in the certification industry so that you can realize the true revenue potential of your products. Find out how we can help.