Budgeting for Common Criteria, FIPS 140-2, and the DoDIN APL can be confusing and overwhelming, but with the right information and resources, you will start to uncover the path thats right for you.
Understanding how to create your certification budget, and taking the necessary steps to follow through with that budget, can reduce your costs and simplify the certification process. We are frequently asked, “How much does certification cost?” This is similar to asking, “How much does a car cost?” The real answer is, “It depends.”
The first step in understanding how to budget for certification is to fully understand the scope of your project. Certification costs vary widely depending upon that scope. If yours is too broad, you may be needlessly spending money on a certification that will not provide a good return on investment. If your scope is too narrow, you may fail to capitalize on the true value of certification. Going through the process to properly identify the scope of your certification is the most important step to forming a meaningful budget for the project. Perhaps the key aspect in identifying the scope is determining the product or system to be evaluated. Once you’ve decided on a boundary or Target of the Evaluation (TOE) you will need to:
- Determine the path and options available to you. For FIPS 140-2, you have the option of 4 validation levels. For Common Criteria, you may chose to certify under a Protection Profile (PP) or an Evaluation Assurance Level (EAL). These options can be done in numerous countries around the globe. When listing on the the APL, you need to determine which STIGs apply to your product.
- Determine if the product will need to be modified in any way in order to meet requirements and how those modifications fit into the current development plan.
You have to go through the process to understand what you are certifying, and why, in order to understand what the budgetary requirements will be. Once you understand the scope of your certification process, you can begin to plan a reasonable budget. To start, make sure you cover all of the costs in your budget. Next, you must understand which parts of the budget are variable, and which parts are fixed. The following is a list of expenses that every good certification budget should include:
1. Documentation preparation
2. Project management costs
3. Development costs for algorithm testing/test case development/STIG testing/entropy supplement, etc.
4. Development costs for product modifications
5. Laboratory fees
6. Government fees
7. Testing-related travel expenses
8. Cost to distribute product to consultants and testing laboratories
Some of these costs will be “fixed price,” while others are not. Understanding how to assess these accurately is crucial to keeping “cost creep” under control. Properly scoped, this budget can be manageable and predictable. Focusing your budget on only one area of expenses, or failing to properly identify the scope your project, can result in a budget that continually expands throughout your certification effort.
For help getting started with yours, contact Corsec.