Our conclusion after many years of work is that the key element of a successful FIPS validation or CC evaluation lies in the initial presentation
of the technical argument and then in the negotiations with FIPS 140-2 and CC validators.
FIPS 140-2 and the Common Criteria are by necessity broadly formulated, generic standards, applicable to a wide spectrum of security technologies.
For almost every new validation or evaluation there are complex technology and product architecture issues. New precedents are constantly created
and new interpretations are issued.
Over the years we have had the pleasure of knowing many FIPS and Common Criteria validators personally. In most cases the validators are positive, highly
professional people. They are willing to listen carefully to an argument and then accept it if sufficient justification is provided. The argument needs to
be logically sound and based on a reasonable interpretation of the FIPS 140-2 and CC standards.
Therefore the clarity of the argument and the ability to negotiate and articulate the issue are critical. In many cases the resolution of a particular technology issue
may have far-reaching consequences for the vendor in terms of product modifications and engineering costs.
The validation speed is another dimension which is greatly affected by the competence of the team. Government validators are typically multi-tasking on a
number of validation projects. If the argument is not clearly presented, the validator needs to delve into the complexity of the issue. The project then loses its
momentum, incurs delays and additional rounds of review.
It is, therefore, important for the vendor to choose a team that has past experience dealing with complex negotiations with FIPS 140-2 and CC validation teams.