Overcoming Adversity: Leidos Common Criteria Lab taking on the International Consulting Challenge

The ever-changing DoD requirement landscape has provided quite a few challenges over the years, and the Common Criteria scheme is no different. Common Criteria certification is an acquisition requirement in the defense sectors of 25 sovereign nations. Although it is one of only a few widely used, government-run security product certification programs, the Common Criteria scheme provides a baseline security standard for vendors to meet. In the United States, Common Criteria is mandated by NSTISSP #11, which in 2014 was updated to CNSSP and dictates that:

“COTS IA and IA-enabled IT products acquired by the U.S. Government for use in national security systems perform as advertised by their respective manufacturers, or satisfy the security requirements of the intended user. To achieve this objective, the policy requires COTS products be evaluated and validated in accordance with either the International Common Criteria for Information Technology Security Evaluation, or the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2. Supportive of the intent and implementation of NSTISSP #11, the NSA and NIST have collaborated to establish the following two evaluation and validation programs: The National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) Program and the NIST Federal Information Processing Standard (FIPS) Cryptographic Module Validation Program (CMVP), each of which targets different, but complementary, areas.”

So what does this mean? The US Government Common Criteria oversight policies implemented in 2012, which restricted US Common Criteria labs such as Leidos from performing “Evaluation Assurance Level (EAL)” evaluations, were detrimental to US labs and potentially to their commercial vendors. At that time EAL evaluations accounted for >60% of Leidos Common Criteria business. A further challenge was to retain the partnership and loyalty of commercial vendors while shepherding them through internationally accepted EAL evaluations when domestic options were non-existent.

Leidos is the current and historical leader, in both volume and complexity, in guiding commercial vendors through Common Criteria certification. To counter these limitations, Leidos scanned the globe for cost-conscious, technically savvy entities to help meet its commercial vendors’ needs. To this end, Leidos partnered with BAE Systems, who were operating a Common Criteria lab under the Malaysian Common Criteria scheme. The relationship has been quite fruitful for Leidos, both in shielding its incumbent customer base from competitor labs and in developing partnerships with new vendors. For example, HPE has been a strong partner of the Leidos Common Criteria lab and chose Leidos from all of its available options to shepherd its never previously certified products through Common Criteria certification. On 30 May 2016, its “Hewlett Packard Enterprise Enterprise Secure Key Manager v4.1” product achieved EAL2+ certification with Leidos providing programmatic and technical consulting.

Need help navigating the product compliance process? Speak to one of our experts to learn more.


Amit Sharma

Common Criteria Testing Lab (CCTL) Director
Cryptographic and Security Testing Laboratory (CSTL) Director