Welcome to the Acumen Security Blog

It’s Been a Busy Month

It seems that Acumen Security is not the only one who has been busy over the last month. NIAP has been quietly completing and publishing many new and updated scheme documents and completing evaluations. Let’s take a quick look at what NIAP has completed over the last month or so.

Three scheme publications have been updated:

Two new policy letters have been posted:

Three new Protection Profiles have been published:

A new DOD Annex for a PP has been published:

This is quite a bit of stuff to complete over a six week period. I am most excited about the new PPs and the DOD Annex that have been published. For a long while, one of the critiques lobbed at NIAP was that they were only supporting PP-based product evaluations and there were not many PPs to evaluate against. There are now a total of twenty-one NIAP-approved Protection Profiles and Extended Packages, and they continue to add more. Already, many of the technology types that would traditionally be validated are covered by these PPs and EPs. I am very interested to see what the list looks like six months or a year from now. Ongoing efforts, such as the Apps on OS PP working group, seem to continue to fill the pipeline with more content.

One blemish in what has been a great push by NIAP to further CC would be international participation. It would be great to see more international participation in creation of PPs as well as products evaluated against NIAP PPs in international schemes.

And NIAP isn’t only publishing documentation: no fewer than four evaluations have completed and five new evaluations have kicked off in April and May thus far. In short, NIAP is refining its processes, supporting more technology types by publishing new PPs, AND executing on product evaluations.

Well done!

Our Philosophy on Certifications

Hi everyone! Thanks for checking out our blog. Today I thought it would be nice to share some of the philosophies on which Acumen Security is built. These philosophies came from our unique experiences on both sides of the table, as a certification lab and as a vendor of certified products.

We’re the experts so you don’t have to be!

You don’t need to understand all the nuances and history. You don’t care what requirements looked like five years ago or why this document was written like this or that. You care about understanding what you need to do to get that checkbox and get your product out into the hands of government customers. Ambiguity is the enemy of efficiency when it comes to certification. We believe it is our responsibility to you as the customer to take the ambiguity out of certification. Now if you want to know all the history of FIPS or CC, we can give you that too. We’ve both been in the industry for well over ten years and have either collaborated with or competed against just about everyone in the industry. But we’re guessing you have more important things to do, like building world class products!

We will only ask you to do the bare minimum required (although we’ll make sure our recommendations make sense)!

Whether it’s functionality in a product, the dreaded word ‘evidence,’ or even the initial decision to get a product certified, we’re only going to ask you to do what is absolutely necessary. If you believe a full product certification is necessary, but you already incorporate a FIPS certified software module, we’re going to suggest you consider skipping the FIPS certification and concentrate on things that are more productive for you, not necessarily for us. On the flip side, if you have a product that meets current certification requirements but may not meet fast-approaching requirements (think key size transitions, new functional requirements, etc.), we will suggest that you start the process of roadmapping those features or even delaying the certification so that the effort is more meaningful long term. We’ve planned many certification and feature roadmaps in our years in the industry, and we’ll help you do the same. In the end, we are going to do our best to make product certification as easy and meaningful as possible for you.

We will be proactive!

Does this sound familiar to you? You are finalizing the last bit of a certification when you get an email from an evaluator/tester saying that they have found a non-compliance. This can be devastating (and costly) to engineering, release ops, program management, and most importantly your customers to whom you have promised to deliver certified products. We at Acumen Security understand this pain intimately. To avoid this, we perform thorough assessments early in our engagement. This is not just limited to your product. If a certification requirement does not necessarily make sense for your product, we will work with the certifying agency to ensure we have buy-in for your system up front rather than at the end, when failure to get buy-in could mean a six month delay for your certification. We’ll set up and test your product up front to ensure that we’re ready to go when you’re ready to ship. In short, we’ll do everything we can to ensure the quickest and least surprising certification possible.

And finally, we’re partners!

In the end, we’re on this journey together. At Acumen Security we absolutely understand that we couldn’t be here without you. We strive to provide you a level of service and value that will allow us to not only partner with you on this certification but also the next and the next after that. Acumen succeeds when you succeed in meeting your certification-related procurement needs in the most effective and efficient way possible. Certifications don’t have to be complicated; let us help show you the way!

Well, did these philosophies resonate with you? Let us know if you agree or disagree; give us a call or drop us a note. We are always up for a good discussion! Also, follow us on Twitter and like us on Facebook; we’ll keep you up-to-date on the ever-changing world of government certifications.