Communicating With The Government Through The Common Criteria Vendors’ Forum

Perhaps one of the best kept secrets in the security realm is the Common Criteria (also known as ISO 15408) security evaluation standard. Unless you do business with or work for the government, you may not have heard about the Common Criteria. And those outside of government that have heard about it don’t use it. A major reason for this is that the Common Criteria was developed by the government for the government, which is a shame because a lot of thought and good work went into the development of this standard.

I won’t go into the history of the Common Criteria here. If you are interested, just do a search on the Internet for “Common Criteria” and you will find dozens of references that provide greater background, including, the official website. For my purposes, suffice it to say that the things the developers of the Common Criteria thought were important don’t seem to resonate with many others.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Optimizing Managed Service Delivery With Secure Application Acceleration
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

The security community lacks standard metrics to measure improvement or assess and compare product security claims. The Common Criteria is perhaps the closest thing we have to such a standard. It is an international standard recognized by over 2 dozen countries. It is also quite comprehensive covering topics such as secure development and delivery processes as well as many product functional characteristics.

With the global recognition, Common Criteria evaluations are a requirement by some governments (including the United States) as a condition for product procurement and a recommendation or “nice to have” for others. As a procurement requirement, this places a responsibility (burden) upon the provider to submit their product to an evaluation against the customer requirements. With most commercial entities, a business case demonstrating a sufficient return on investment (ROI) is developed highlighting how investing the time and effort to meet the Common Criteria requirements and evaluation costs will be offset by increased revenues. This business case becomes less convincing when the target market is small, that is when the number of customers demanding Common Criteria evaluations is limited.

In order to develop a stronger ROI, it becomes appealing to consider how the Common Criteria evaluations can be recognized by a broader set of customers. That is, how can the Common Criteria become more relevant and valued by the mass market? One way is to influence the standard and its implementation.

In 2003 and 2004, the Cyber Security Industry Alliance (now part of TechAmerica formerly known as ITAA) hosted two Common Criteria Users’ Forums to gather vendors, evaluators, government and customers to discuss issues with the Common Criteria standard and the policies around it. Through these discussions, it became clear that the commercial-off-the-shelf (COTS) product vendor community had a unique perspective and created an informal organization known as the Common Criteria Vendors’ Forum (CCVF) to discuss issues, produce proposals and act as the “Voice of Industry” in matters concerning the development and use of the Common Criteria.

Gaining the ear of the government officials charged with developing and maintaining the Common Criteria standard and developing and implementing the policies for its use has taken time. Nonetheless, the Common Criteria Vendors’ Forum has managed to gain some level of recognition as a vehicle to communicate between vendors and the government. The CCVF members have participated in annual meetings with the Common Criteria Development Board (CCDB) to review activities and develop plans. CCVF has also provided input to CCDB working groups assigned to develop enhancements for future revisions of the Common Criteria standard.

The CCVF was formed because the vendors wanted a voice. If your company wants to add to the “voice of industry”, consider joining the CCVF. There are no fees for membership; you just have to represent a commercial product vendor who is dealing with the Common Criteria. Check out our website at

Wesley Higaki

About Wesley Higaki

As the director of the Software Assurance, Wes Higaki coordinated the efforts by Symantec Corporation to certify its products to provide customers additional assurance through independent third-party evaluations. He oversaw all of Symantec's Common Criteria and FIPS-140 certifications. He also manages ICSA and Checkmark testing. Higaki has led a working group through the National Cyber Security Partnership to develop plans to improve the Common Criteria by working with industry and Government. He has been instrumental in assembling the Common Criteria Users’ Forums – an effort to bring Government, customers (commercial and Government), vendors and evaluation labs together to improve the Common Criteria. Higaki has over 25 years of technical and managerial experience in the software industry. He has been with Symantec since the December 2000 acquisition of Axent Technologies where he was an engineering director. Prior to Axent, Wes worked for over 20 years in R&D at Hewlett-Packard Company including 7 years at Hewlett-Packard Laboratories. Higaki received a Bachelor of Science degree in mathematics from the University of California, Davis and a Master of Science degree in computer science from the University of Santa Clara.

One Response to Communicating With The Government Through The Common Criteria Vendors’ Forum

  1. Wesley Higaki
    Wesley higaki September 1, 2009 at 11:18 am #

    Correction: The CCVF website is at

Leave a Reply