28 September - 1 October | Cardo Roma, Italy

Common Criteria Action Plan Day

Turning Common Criteria from a Bottleneck into a Competitive Advantage

For many ICT product and service developers, Common Criteria (CC) certification is where good products go to slow down. Costs escalate, timelines slip, requirements shift, and teams find themselves reacting instead of executing. Yet CC remains a critical gateway to global markets—especially as new frameworks like EUCC and regulations such as the Cyber Resilience Act (CRA) reshape the certification landscape. CC Action Plan Day is a hands-on, pre-conference workshop designed to fix that problem. Held the day before ICCC, this intensive, practitioner-focused program is built specifically for product teams navigating CC certification in the real world. It goes beyond theory and policy to focus on execution: how to scope a certification correctly, how to control costs before they spiral, how to survive evolving Protection Profiles and scheme interpretations, and how to meet rising expectations for vulnerability analysis under AVA_VAN.

ICCC Tue-Thu Agenda

Monday 28 September

08:00-09:00 Registration

Foyer Cosmo/Sala Nebulosa

09:00-11:00 TALKS

Sala Cosmo III

Common Criteria Action Plan Day (W00)
Moderator: TBA

09:00 Scope It Right: TOE Boundaries, PP Strategy, and the Market Path Before You Start (W00a) Sophie Morin, Security Project Leader, Thales, France
How to define the TOE boundary, decide whether the product should follow a cPP, PP, PP-Configuration, or stand-alone ST route, and choose early whether the commercial destination is primarily EUCC, a CCRA-recognized CC route, NIAP, or a dual strategy. That early decision affects evidence structure, certification claims, and later lab/country choice.


09:30 Cost Control for Developers: How to Budget Labs, Evidence, and Maintenance Before the Spend Starts (W00b) Kalaiselvam Suruddaiyan, Product Security Certification Expert, Infineon Technologies, Germany
Where project cost actually comes from: documentation production, internal engineering time, iteration with the lab, rework caused by weak scoping, and post-certification maintenance. It should also explain that documentation quality directly affects evaluator effort, which is exactly why clearer evidence reduces cost and schedule risk.


10:00 Living With Moving Targets: CC:2022, Errata, Supporting Documents, and Interpretation Drift (W00c) Gordon Oliver, Certification Engineer, Securus Consulting Group, Australia
A survival guide for requirement movement. CC:2022 was the first major revision since 2017, the portal now maintains a substantial errata and interpretation package, and the transition policy still allows a CC:2022 ST to claim conformance to a CC v3.1 PP until 31 December 2027, but only with careful rationale work. This talk should show how teams operationalize that in a live project.


10:30 Build Evidence That Evaluators Can Actually Use: STs, Guidance, Design, and Traceability (W00d) Renaud Squelard, Business Line Manager, Serma Safety & Security, France
Translating the developer-documentation burden into something executable: how to structure the Security Target, how to handle PP-configuration complexity, what architecture and implementation detail evaluators really need, and how to avoid traceability gaps that inflate cost late in the project.


11:00-11:30 Networking Break

Foyer Cosmo/Sala Nebulosa

11:30-12:30 Panel Discussion

Sala Cosmo III

Common Criteria Action Plan Day (W01)
Moderator: TBA

11:30 Panel Discussion — Where Evaluations Derail and How Teams Recover (W01a) Leader: Roland Atoui, Security Certifications Advisor, Certification Secretariat, FIDO Alliance, France Panelists: Jaroslav Reznik, Program Manager, Red Hat, Czech Republic; Peter van Swieten, Senior Security Specialist European Cybersecurity Certification, Rijksdienst Digitale Infrastructuur (RDI), Netherlands; Renaud Squelard, Business Line Manager, Serma Safety & Security, France
The points where real projects go off the rails: bad TOE scope, unrealistic timelines, poor ownership of evidence, misunderstandings with labs, and failure to account for country-specific or scheme-specific constraints.


12:30-13:30 Lunch

Foyer Cosmo/Sala Nebulosa

13:30-15:30 Talks

Sala Cosmo III

Common Criteria Action Plan Day (W02)
Moderator: TBA

13:30 AVA_VAN in Practice: Threat Models, Public Vulnerability Research, and Penetration Testing Expectations (W02a) Lars Hanke, Security Analyst and Evaluator, T Systems, Germany
CC:2022 makes clear that AVA_VAN.3, .4, and .5 progressively require public-domain vulnerability searches, independent vulnerability analysis using guidance, design, architecture, and implementation representation, plus penetration testing against Enhanced-Basic, Moderate, or High attack potential. Developers need to know what artifacts and technical debt will be exposed before the evaluator does.


14:00 Keep the Certificate Alive: Assurance Continuity, Delta Evaluation, and Patch Decisions in Fast Release Cycles (W02b) Augusto Velasco, CC Domain Coordinator, Fellow CC Evaluator, Brightsight, a SGS company, Spain
What can change without breaking the certification strategy; when to use assurance continuity, when delta evaluation makes sense; and how to plan patch handling without creating a compliance freeze.


14:30 The CRA Through a Common Criteria Lens: When EUCC Can Support Presumption of Conformity and What Still Requires More (W02c) Irma Rustemi, Regional Operations Manager | Cybersecurity, UL Solutions, Italy
Explaining the CRA conformity-assessment logic, where a CC evaluation and EUCC certificate could help, how ENISA’s mapping study is meant to be used, why presumption of conformity is not automatic today, and what manufacturers, ITSEFs, and CBs should watch as PP updates and pilot work continue.


15:00 Choosing the Right Lab, the Right Country, and the Right Recognition Strategy in Europe and Beyond (W02d) David Nosibor, Vice President of Sales, Red Alert Labs, France
How to choose among EU labs and CABs, why the country decision now matters under EUCC, how to use ENISA’s notified-bodies resources, what it means when a CAB can both evaluate and certify at substantial versus when additional authorization is needed at high, and how to explain the difference between an EUCC certificate, a CC certificate recognized under the CCRA, and a NIAP path. It should also address when combined EUCC/NIAP strategies are realistic.


15:30-16:00 Networking Break

Foyer Cosmo/Sala Nebulosa

16:00-17:00 Panel Discussion

Sala Cosmo III

Common Criteria Action Plan Day (W03)
Moderator: TBA

16:00 Panel Discussion — Europe, the U.S., or Both: A Live Certification-Path Clinic for EUCC, CCRA, and NIAP (W03a) Leader: Ferenc Molnar, CEO, CCLab, Hungary Panelists: Khushmit Kaur, Senior Certifications Specialist, Bureau Veritas Group, Netherlands; Adam Golodner, Managing Partner, AMG Global Cyber Law, PLLC, United States
An expert discussion structured around three anonymized cases: an EU-focused manufacturer targeting CRA efficiency, a globally sold product that needs international recognition, and a vendor trying to avoid duplicative work across Europe and the United States. The panelists will outline a best-practices approach on where to certify, whom to hire, what certificate claim matters in which market, and when dual-route or staged strategies are justified.


17:00 Adjourn