Successful Common Criteria Evaluations: A Practical Guide for Vendors
L**H
An Essential Guide to Common Criteria Evaluation
If you're going through your first Common Criteria Evaluation, you NEED this book. The Common Criteria is a difficult process that is easy to get wrong and nearly impossible to do everything right your first time around. I recently joined a company where the entire management has been going through its first Common Criteria evaluation and they were making a few of the mistakes that this book warned about (such as: don't evaluate the product that is currently shipping because it will be obsolete by the time the evaluation is completed). Having studied the book fairly well, I was quick to speak up in these instances. At first my comments didn't weigh much, but after they got similar advice from some consultants, I now see that the management has looked to me more and more for advice on how to proceed. So, because of this book, I am now actually influencing the direction that the company is going with respect to our evaluation, and I feel quite confident that we are on the path to success. I give this book only 4 out of 5 stars for two shortcomings: (1) the index is AWFUL, so it is nearly impossible to quickly look up something you remember having read, and (2) because the Common Criteria is going through major changes right now, not all of the advice still applies. For example, the author warns readers to avoid Protection Profiles if at all possible. That might have been possible in the past, but in the future it will not be. So this book alone is not enough: you really need to keep up with the changes that are happening to make the right decisions for your company.
R**R
Required reading for anyone in the CC community
I've recently received the printed version of Wes Higaki's new book "Successful Common Criteria Evaluations: A Practical Guide for Vendors." Wes was kind enough to ask me to review the draft, and I knew then that he had a winner. I must say that I'm quite impressed with the final version. Wes brings an excellent, informed, and downright successful perspective to the vendor's side of Common Criteria evaluations and running an internal program. I've worked with Wes for many years, both as a colleague when I ran the certifications program for Cisco and as a customer as Apex assisted Symantec through many Common Criteria evaluations and other strategic efforts. Not many folks realize just how well Wes ran the program at Symantec. Of all the customers (from Fortune 50 household name company to a 2-person startup) I've worked with, no one had a better grasp on how to internally manage schedules, resources, budgets, customer requests, and yes, vendors. I'm glad to see that he's put some of that expertise out for the world (but, believe me, there's more!). The book is well organized, taking the reader from understanding Common Criteria and the process to preparing for an evaluation (developing a business case, allocating resources, and managing the scope of the evaluation) to running the project to finalization. His review of evaluation process and evidence deliverables is presented at a comfortable, casual level for product managers planning these efforts. Wes concludes the book with some success stories* and lessons learned from all facets of a Common Criteria evaluation effort. Overall the book is filled with excellent information and valuable, experienced insights. I highly recommend this book to anyone involved in Common Criteria. *By the way, Wes, thank you for the reference in the Success Stories section!
J**N
Excellent quick read on a tough topic, the Common Criteria
This is the first book that I've ever found that explains the Common Criteria. The author brings a wealth of real experience managing CC evaluations, and is candid with his opinions of where it should go in the future. Recommended for vendors who are looking into CC and as a reference for those involved in the evaluations in any role.