Archive for January, 2007
Update Your NIAP CCEVS Bookmarks (Again)
Wednesday, January 31st, 2007
The NIAP CCEVS website has a new address:
http://www.niap-ccevs.org/cc-scheme/index.cfm
Update your bookmarks accordingly!
Releasing Draft Security Targets
Monday, January 29th, 2007
One of our customers recently asked the following question:
I have a potential government customer asking me for a copy of our ST. Is this something that I should distribute?
There is nothing wrong with this. I sent draft STs to potential customers quite frequently at Cisco.
Certain departments/agencies are more prolific in their requests for draft documents than others. I actually had a system coordinated with folks at State, NSA, the Army, and several other accounts for releasing draft documents, and it certainly helped in the sales process.
When delivering a draft ST to a customer or potential customer, be sure to state that it’s a draft and may change during the course of the evaluation. I placed huge “DRAFT” watermarks on it just to make it clear. The ST will be publicly available when the evaluation effort is complete.
Benefits of CC
Wednesday, January 17th, 2007
In this post, I said the following:
I think the Common Criteria evaluation process can be of value to many product vendors. Note the way I said that: can be of value to many product vendors. Is always of value? No. For all vendors? No.
I wanted to share with you an example of a realized benefit: documented configuration management processes.
Every software development team has established processes for version control and development. They exist whether or not they’re documented or follow best practices. These tools and processes are rarely documented succinctly. Why? Well, several reasons:
- It’s relatively elementary. Any developer worth their salt knows the value and concepts of version control. And if they aren’t following a specific process document, they are made aware of the CM process in a relatively short conversation with someone who does know the details before they begin developing.
- It’s a small team. Maybe it’s only one developer, or a few developers working side by side. Maybe they communicate very well and implicitly follow a set of processes.
- It’s low priority for developers. See the first two points.
It makes good sense to capture these details whether you’re trying to justify sound processes for increased funding/acquisition or whether you’re trying to manage your growth.
And that’s exactly what one of our customers communicated to us recently: they are happy to go through this development process with us for a couple of reasons. First, they’d like to have these procedures documented to ease growing pains. And second, they’re looking to improve their processes against best practices.
And that’s exactly what we’re going to do.
Top Companies to Work For
Tuesday, January 9th, 2007
Fortune recently released its list of the best companies to work for. I’ve worked for two on the list: Cisco at #11 and Ernst & Young at #25.
Where was Apex Assurance? We must have come in around #101 … maybe next year.
I’m sorry for the drought in posts lately. 2007 has really started out with a bang, and we’ve been delivering like mad.
Stay tuned!
