IT Product Security Certification
Security testing and evaluation can be complex and daunting. A successful outcome depends on making good choices throughout development: identifying applicable security requirements, specifying secure behavior, integrating security practices into product development, and negotiating certification processes. ASL's experience in designing and evaluating security products to conform to Common Criteria and FIPS 140-2 cryptographic standards can be crucial to successfully preparing a product for certification. This includes consulting to CC Testing Labs on the performance of CC evaluations and consulting to product vendors on readying their products for CC and FIPS 140 evaluation. Technologies in which we have particular expertise are
ASL can help make product certification work for you.

Product Design:
- Designing for high assurance
- Implementing systems that are multi-level secure
- Data handling requirements at multiple security levels
- Maintaining assurance over a product's life

Training:
- Common Criteria orientation
- The role of Security Targets and Protection Profiles
- CC jargon
- Preparing a CC evaluation strategy
- What to expect from a CC testing lab
- What a CC testing lab will expect from a vendor
- Minimizing the time and cost of an evaluation

Evaluation Management:
- Selecting an assurance level
- Protection Profile conformance
- Choosing a CC testing lab
- Establishing an appropriate Target of Evaluation (TOE)
- Assessing product readiness for evaluation (see sidebar)
- Optimizing US and non-US government security compliance
- Coordinating cryptographic and CC component certifications

CC Evaluation:
- Common Criteria evaluation
- Extensive high assurance experience (EAL5 to EAL7)
- Operating System (OS) and Real Time OS (RTOS) experience
- MLS and MILS product evaluations
- Covert channel and formal policy analysis

FIPS 140-2 Certification:
- Certification consulting to product vendors
- Training
- Evidence preparation
- Management of certifications
A Common Criteria certification is required of IT products in some government markets, both in the US and around the world. In the US today, the Defense department is the primary consumer of CC certified products, but the Department of Homeland Security is expected to adopt similar requirements in the near future, and other industries are beginning to recognize the value of a precise description of a product's security attributes and the well-defined sets of assurances that the CC provides. ASL provides high assurance and operating system expertise to CC Testing Labs and helps product vendors prepare and document their products for successful CC evaluation.
