Challenges in Certifying the Mainframe (C20b)
The mainframe computing systems (now called IBM Z and LinuxONE) have a long history of security certifications, going back decades, and their users expect nothing...
Panel Discussion — Europe, the U.S., or Both: A Live Certification-Path Clinic for EUCC, CCRA, and NIAP (W03a)
An expert discussion structured around three anonymized cases: an EU-focused manufacturer targeting CRA efficiency, a globally sold product that needs international recognition, and a vendor...
Choosing the Right Lab, the Right Country, and the Right Recognition Strategy in Europe and Beyond (W02d)
How to choose among EU labs and CABs, why the country decision now matters under EUCC, how to use ENISA’s notified-bodies resources, what it means...
Keep the Certificate Alive: Assurance Continuity, Delta Evaluation, and Patch Decisions in Fast Release Cycles (W02b)
What can change without breaking the certification strategy; when to use assurance continuity, when delta evaluation makes sense; and how to plan patch handling without...
AVA_VAN in Practice: Threat Models, Public Vulnerability Research, and Penetration Testing Expectations (W02a)
CC:2022 makes clear that AVA_VAN.3, .4, and .5 progressively require public-domain vulnerability searches, independent vulnerability analysis using guidance, design, architecture, and implementation representation, plus penetration...
Build Evidence That Evaluators Can Actually Use: STs, Guidance, Design, and Traceability (W00d)
How to structure the Security Target, handle PP-configuration complexity, identify what architecture and implementation detail evaluators need, and avoid traceability gaps that inflate cost late...
Living With Moving Targets: CC:2022, Errata, Supporting Documents, and Interpretation Drift (W00c)
Sitting in the hardware assessor’s chair, we’ve watched CC:2022, its errata, and the JIL/JHAS attack-potential methodology — now moving from SOG-IS into EUCC — continually...
Cost Control for Developers: How to Budget Labs, Evidence, and Maintenance Before the Spend Starts (W00b)
Where project cost actually comes from: documentation production, internal engineering time, iteration with the lab, rework caused by weak scoping, and post-certification maintenance. Documentation quality...
Scope It Right: TOE Boundaries, PP Strategy, and the Market Path Before You Start (W00a)
How to define the TOE boundary, decide whether the product should follow a cPP, PP, PP-Configuration, or stand-alone ST route, and choose early whether the...