ICCC26 Conference Agenda
Turning Common Criteria from a Bottleneck into a Competitive Advantage
For many ICT product and service developers, Common Criteria (CC) certification is where good products go to slow down. Costs escalate, timelines slip, requirements shift, and teams find themselves reacting instead of executing. Yet CC remains a critical gateway to global markets—especially as new frameworks like EUCC and regulations such as the Cyber Resilience Act (CRA) reshape the certification landscape. CC Action Plan Day is a hands-on, pre-conference workshop designed to fix that problem. Held the day before ICCC, this intensive, practitioner-focused program is built specifically for product teams navigating CC certification in the real world. It goes beyond theory and policy to focus on execution: how to scope a certification correctly, how to control costs before they spiral, how to survive evolving Protection Profiles and scheme interpretations, and how to meet rising expectations for vulnerability analysis under AVA_VAN.
Tuesday 29 September
08:00-09:00 Registration
Foyer Cosmo/Sala Nebulosa
09:00-10:10 Plenary Keynote Session
Sala Cosmo II
| Moderator: Wouter Slegers, ICCC Chair, and CEO, TrustCB, Netherlands |
09:00 Introduction & Welcome (P10a) Patrick Campbell-Dunn, CEO & Managing Director, Securus Consulting Group, Australia
09:10 Government Welcome and Keynote (P10b) Speaker TBA, Agenzia per la Cybersicurezza Nazionale (ACN), Italy.
09:40 CCDB Update (P10c) Shri Vellaipandi, CCDB Chair, Indian Common Criteria Certification Scheme (IC3S), STQC Directorate, Ministry of Electronics & IT, India
09:55 CCMC Update (P10d) Lee Shih Yen, CCMC Chair, Cyber Security Agency (CSA), Singapore
10:10 CCRA Member Signing Ceremony (P10e) Lee Shih Yen, CCMC Chair, Cyber Security Agency (CSA), Singapore
10:15-10:55 Networking Break in Exhibits
Foyer Cosmo/Sala Nebulosa
10:55-12:40 Plenary Conference Session
Sala Cosmo II
| Moderator: Wouter Slegers, ICCC Chair, and CEO, TrustCB, Netherlands |
11:00 Industry Keynote (P11a) Matt Fussa, Vice President, Security & Trust, Cisco Systems, United States
11:30 CCUF Update (P11b) Petra Manche, Assurance Manager – CC and EUCC, Cisco Systems, United Kingdom
11:45 Panel : Lessons Learned from Implementing EUCC and Managing an Evolving Environment (P11c) Leader: Monique Bakker, Lead Security Expert European Cybersecurity Certification, Dutch Authority for Digital Infrastructure, Netherlands Panelists: TBA [60MIN]
12:40-13:40 Lunch in Exhibit Area
Foyer Cosmo/Sala Nebulosa
13:40-15:10 Track Sessions
Sala Cosmo I
| Advances in CC Use (A12) |
| Moderator: TBA |
13:45 From DBMS to DBaaS: Applying Common Criteria to Services (A12a) Brandon Harvey, Principal Security Engineer, Oracle, United States
14:15 When Agile Meets Assurance: Adapting Common Criteria for 5G Development Realities (A12b) Irfan Omerovic, IT-Security Expert, TÜV Informationstechnik (TÜVIT), Germany
14:45 Is Mobility More than Just Phones? (A12c) Brian Wood, Program Manager, Google, United States
Sala Cosmo II
| Meeting Customer Requirements (B12) |
| Moderator: TBA |
13:45 Modernizing Security IC Protection Profile: PP0084 V2, Multi-Assurance PP-0125 and Future CRA-readiness (B12a) Carolina Lavatelli, CTO, Internet of Trust, France
14:15 No PP, No Problem: Building ASE_SPD from Risk Management (B12b) Bill Yang, Fellow Security Evaluator, Brightsight, Spain
14:45 When EUCC Over-Delivers: A Pilot Study on CRA Alignment for Class I and II Products (B12c) Enea Zhulati, Fellow Security Evaluator, Brightsight, Spain
Sala Cosmo III
| Updates from Schemes and iTCs (C12) |
| Moderator: TBA |
13:45 Scheme Update of the Italian Certification Body (C12a) Tiziano Inzerilli, Coordinator of Italian CC certification body, Agenzia per la Cybersicurezza Nazionale (ACN), Italy
14:00 Netherlands Update and Oversight on CCRA-Recognised Certification (C12b) Glenn Wever, Senior Security Specialist EU Cybersecurity Certification, Dutch Authority for Digital Infrastructure, Netherlands; Talitha van Loenhout, Security Specialist EU Cybersecurity Certification, Dutch Authority for Digital Infrastructure, Netherlands
14:15 French Scheme Update (C12c) Franck Sadmi, Head of the Certification Body, ANSSI, France
14:30 Scheme Update (Spain) (C12d) Luis F, Centro Criptológico Nacional (CCN), Spain
14:45 Update of the Activities of the German Certification Body (C12e) Ingo Hahlen, Head of Division S 22, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany
15:10-15:40 Networking Break in Exhibits
Foyer Cosmo/Sala Nebulosa
15:40-17:10 Track Sessions
| Advances in CC Use (A13) |
| Moderator: TBA |
15:45 A Protection Profile for Chiplet Systems (A13a) Sylvain Guilley, CTO, Secure-IC, France
16:15 Secure Packaging of Chiplets: Emerging Trends of Silicon Life Cycle in Common Criteria (A13b) Kazuki Monta, CEO, Secafy, Japan
16:45 UWB Digital Car Key SESIP3 Certification Experience and Security Design Trade-offs (A13c) Hyunseok Nam, Security Ceritification Engineer, Samsung, South Korea
| Certification Schemes Landscape (B13) |
| Moderator: Álvaro Ortega Chamorro, Global Head of Common Criteria Services, DEKRA |
Track Sponsor
15:45 Bridging EUCC Certification and CRA Compliance: A Practical Study on MRTD Products (B13a) Christine Crippa Martinez, Security Certification Team Manager, Thales, France; Stefane Mouille, General Director, Cabinet Louis Reynaud Lab, France
16:15 From Bottlenecks to Breakthroughs: Redefining EUCC and CRA Throughout (B13b) Petra Manche, Assurance Manager – CC and EUCC, Cisco Systems, United Kingdom; Ryan Nottingham, Leader, Global Certification Team, Cisco Systems, United Kingdom
16:45 2026 CC Statistics Report: A Market Redefined by Regulation and Innovation (B13c) Jose Manuel Pulido Carrillo, Director, jtsec Beyond IT Security, Spain
| Scheme Updates, Meeting Customer Requirements (C13) |
| Moderator: TBA |
15:45 Canada Scheme Update (C13a) Debra White, Quality Coordinator, Canadian Centre for Cyber Security, Canada
16:00 US Scheme Update (C13b) Angela Soum, National Information Assurance Partnership (NIAP), United States
16:15 Certification Strategy of the Federal Office for Information Security (C13c) Sandro Amendola, Director General, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany
16:45 Mapping CRA Requirements to Common Criteria Protection Profiles—An Actual Example (C13d) Alan Sukert, Vice Chair, Hardcopy Device iTC, PWG, United States
17:10-18:30 Welcome Reception in Exhibits
Foyer Cosmo/Sala Nebulosa
Open to everyone. Located in the Exhibit Area. Catch up with your colleagues for a refreshing beverage at the end of the day’s events. Thanks to reception sponsor CCLab.
CC Certificate Presentation Ceremony (P14a)
A free event for conference registrants. During ICCC, CC-certified product developers and certifiers will have the opportunity to receive a commemorative certificate from participating national schemes and receive of photograph of the presentation. Those who wish to participate must respond by 18 August, 2026. More info.
Wednesday 30 September
08:00 - 09:00 Coffee in The Exhibits
Foyer Cosmo/Sala Nebulosa
09:00 - 10:30 Track Sessions
Sala Cosmo I
| Advances in CC Use (A20) |
| Moderator: TBA |
09:00 Operationalising EUCC Article 33: SBOM as a Practical Enabler of Lifecycle Vulnerability Management (A20a) Valerio Magliozzi, Lab Director, atsec information security srl, Italy
09:30 Panel: BOMs—Current State and Strategy (A20b) Leader: Jade Stewart, Portfolio Manager, National Information Assurance Partnership (NIAP), United States Panelists: Cory Clark, Program Coordinator, Canadian Centre for Cyber Security, Canada; Dmitry Raidman, CTO, Cybeats, Canada; Joachim Vandermissen, IT Security Consultant, atsec information security corporation, United States; Petra Manche, Assurance Manager – CC and EUCC, Cisco Systems, United Kingdom [60MIN]
Sala Cosmo II
| Certification Schemes Landscape (B20) |
| Moderator: TBA |
09:00 BSI Scheme for Fixed-Time Certification: Status Quo and Developments (B20a) Michel Montua, Certifier, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany
09:30 ESV, 90C AND CC (B20b) James Ramage, CMVP Laboratory Manager, Lightship Security, Canada
10:00 Navigating the Fragmented Certification Landscape (B20c) Alexandre Gavriloff, Certification Manager, Hewlett Packard Enterprise (HPE), France
Ruby Room
| Meeting Customer Requirements (C20) |
| Moderator: TBA |
09:00 Aligning CC Certification with Customer Deployment Realities: Cloud, Hybrid, and Containerized Environments (C20a) Shubham Singh, Lead Engineer, Intertek Acucert Labs, India
09:30 Challenges in Certifying the Mainframe (C20b) Brian Hugenbruch, Senior Software Engineer, IBM, United States
10:00 Real-World Applications of AI in Common Criteria (for Labs and Vendors) (C20c) Marc Le Guin, Head of Evaluation Body for IT Security, TÜV Informationstechnik (TÜVIT), Germany
10:30 - 11:00 Networking Break in Exhibits
Foyer Cosmo/Sala Nebulosa
11:00 - 12:30 Track Sessions
| Advances in CC Use (A21) |
| Moderator: TBA |
11:00 Rethinking the Common Criteria Certifications in the Artificial Intelligence Era: Emerging Challenges and Key Considerations (A21a) Mirko Malacario, Officer, Agenzia per la Cybersicurezza Nazionale (ACN), Italy
11:30 Evolving CC for the AI Era: Enabling Secure Use of Cloud and LLMs in High-Assurance Design Environments (A21b) Dan O’Loughlin, Vice President Engineering, Qualcomm Technologies, United States
12:00 TLS Evaluation Tooling for NDcPP: Lessons from TLS 1.2, TLS 1.3 and the Role of AI in Closing the Gaps (A21c) Katyayini Jha, Software Developer, Acucert Intertek, India
| Certification Schemes Landscape (B21) |
| Moderator: TBA |
11:00 Strategic Integration: EUCC & CRA Roadmap for Manufacturers (B21a) Khushmit Kaur, Senior Certifications Specialist, Bureau Veritas Cybersecurity, Netherlands
11:30 What Are the Ways to Achieve Certified Evaluation Methodology Accepted Under the EUCC Scheme and Mutual Recognition Agreements? (B21b) Ellen Wesselingh, Coordinating Specialist Inspector, Rijksdienst Digitale Infrastructuur – Dutch National Cybersecurity Certification Authority, Netherlands
12:00 Trust at the Edge: Securing Identity and Safety in Regulated Digital Environments (B21c) Maria Palombini, Global Director, Healthcare and Life Sciences, IEEE, United States
| Meeting Customer Requirements (C21) |
| Moderator: TBA |
11:00 Beyond the SBOM: Cryptography, AI, and the API-First Future of Transparency (C21a) Steve Springett, Chair, Global Board of Directors, OWASP Foundation, United States
11:30 The Rise of Flaw Remediation: What ALC_FLR’s Growth Reveals About CC Certifications, and What Vendors Need to Know to Claim It. (C21b) Pasquale Catanzariti, Senior Security Engineer, Teron Labs, Australia
12:00 Bridging the Gap: Vulnerability Management in NIAP CCEVS and the EU CRA (C21c) Trang Huynh, CC Laboratory Manager, atsec information security, United States
12:30 - 13:30 Lunch in Exhibit Area
Foyer Cosmo/Sala Nebulosa
13:30 - 15:00 Track Sessions
| Advances in CC Use (A22) |
| Moderator: TBA |
13:30 Certifying Modern Development Environments Under Common Criteria (A22a) Alireza Rohani, Common Criteria certifier, TrustCB, Netherlands
14:00 Parsing Assurance: Dissecting LLM Vulnerability Reasoning and Building a Graded Evaluation Pipeline (A22b) Chahat Bhatia, Quality Assurance Engineer, Intertek Acucert labs, India
14:30 Quality for CABs as the Foundation of Cyber Trust : Leveraging ISO 17065 Within the Common Criteria Framework (A22c) Bojana Milovanovic, Head of the Quality Team, ANSSI, France
| Select Topics (B22) |
| Moderator: TBA |
13:30 Is It Possible to Use CC to Show CB/ITSEF Security Measures Are Sufficient? (B22a) Peter van Swieten, NCCA, certification auditor, NCCA-NL RDI, Netherlands
14:00 Stackable Certifications: A Proposal for Using SBOMs to Accelerate Evaluation Efforts (B22b) Allen Sant, CCTL Technical Director, Leidos, United States
14:30 Bringing Back the Common in Common Criteria (B22c) Shawn Geddis, Co-founder and Chief Technology Officer, Katalyst, United States
| Updates from Schemes and iTCs (C22) |
| Moderator: TBA |
13:30 Little Brother Is Watching—Post Certification Monitoring in Canada (C22a) Cory Clark, Program Coordinator, Canadian Centre for Cyber Security, Canada
14:00 Common Criteria Certification—Looking at Technical and Legal Requirements and Sustainability (C22b) Fabian Hodouschek, Head of Certification and Labels, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany
14:30 A Harmonised Approach to CC Competency: Progress on the CCTQ Framework for Evaluators and Certifiers (C22c) Junhao Wang, Assistant Director, Cyber Security Agency (CSA), Singapore
15:00 - 15:30 Networking Break in Exhibits
Foyer Cosmo/Sala Nebulosa
15:30 - 17:00 Track Sessions
| Advances in CC Use (A23) |
| Moderator: TBA |
15:30 Technical Domain Software‚ Our Activities and Way Forward (A23a) Frank Schönherr, Subject Matter Expert, Certifier, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany
16:00 Adapting to the Cyber Resilience Act: Challenges, Opportunities, and Certification Strategies by Using EUCC (A23b) Olivier Van Nieuwenhuyze, Security Standard & Regulations Senior Manager, STMicroelectronics, Belgium
16:30 From EUCC Certification to CRA Conformity: A Resilience-Oriented Path for Network Devices (A23c) Jose Gabriel Marin Martín, Common Criteria & EUCC Certification Principal Consultant, jtsec Beyond IT Security, Spain
| New CC ISO Revision Update/Schemes Landscape (B23) |
| Moderator: TBA |
15:30 Common Criteria (CC)—Maintenance and Development (B23a) Susanne Pingel, Certifier, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany; Kwangwoo Lee, Security Architect, HP, South Korea; Miguel Bañón, Convenor ISO/IEC JTC 1/SC 27/WG 3, Independent Consultant, Spain; Elzbieta Andrukiewicz, ITSEF Manager, National Institute of Telecommunications, Poland; David Martin, Research Fellow, University of Bath, United Kingdom
16:00 The Day after CC/CEM 2026—Start Working Seriously on Terminology (B23b) Elzbieta Andrukiewicz, ITSEF Manager, National Institute of Telecommunications, Poland
16:30 ISCI ISAC 2026 (B23c) Gordon Caffrey, Certifier, Chairman of EUCC ISCI ISAC, TrustCB, United Kingdom
| Updates from Schemes and iTCs (C23) |
| Moderator: TBA |
15:30 Biometric Security iTC Status Update (C23a) Brian Wood, Program Manager, Google, United States
15:45 HCD iTC 2026 Update: Aligning Regulation and Procurement (C23b) Kwangwoo Lee, Security Architect, HP, South Korea
16:00 Updating the DBMS cPP for Tomorrow: Because 2020 Was a While Ago (C23c) Maureen Barry, Senior Principal Security Analyst, Oracle, Canada
16:15 Full Drive Encryption iTC Update (C23d) Joseph Mcdaniels, FDE iTC Chair, CACI, United States
16:30 Network Device iTC Update (C23e) Kristy Knowles, Security Research Engineering Technical Leader, Cisco Systems, United States
18:30-20:30 Esperianza Romana (Dine Out)
Join your ICCC colleagues for an enjoyable and relaxed group dinner at one of Rome’s finest restaurants. Reserve your seat for a prix-fixe dinner at a group table. Reserve early—seating is limited. This is an optional add-on to the conference registration. Shuttle bus transportation will be provided.
Thursday 1 October
08:00 - 09:00 Coffee
Foyer Cosmo/Sala Nebulosa
09:00 - 10:30 Track Sessions
Sala Cosmo I
| Advances in CC Use (A30) |
| Moderator: TBA |
09:00 From “Certify before Patching” to “Risk and Lifecycle Management” (A30a) Gabor Hornyak, Head of Site & Process Certification, NXP Semiconductors, Hungary
09:30 Using the ISO 9569 Patch Management Methodology in Practice. Experience, Expectations, Surprises. (A30b) Michael Meissner, Certifier, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany, and Sebastian Fritsch, Lab Manager/Head of ITSEF, secuvera
10:00 ALC Reuse and Evaluation of Sites (A30c) Thomas Schroeder, Technical Manager Evaluation Facility, Deutsche Telekom Security, Germany
Sala Cosmo II
| Meeting Customer Requirements (B30) |
| Moderator: TBA |
09:00 From Evidence to Intelligence: How AI Can Transform Product Compliance (B30a) Ashit Vora, CEO/Founder, Autonomi, United States
09:30 Panel: Common Criteria and AI (B30b) Leader: Tiziano Inzerilli, Coordinator of Italian CC certification body, Agenzia per la Cybersicurezza Nazionale (ACN), Italy Panelists: TBA [60MIN]
Sala Cosmo III
| CC in New Domains/Schemes Landscape (C30) |
| Moderator: TBA |
09:00 Towards a Protection Profile for Generic Native Platforms in Emerging Secure Domains Under CC:2022 (C30a) Sooyoung Kang, Head of Security Certification, Samsung Electronics, South Korea
09:30 Strategies for CC Compliance for Systems with LLMs (C30b) Seth Nielson, CEO, Crimson Vista, United States
10:00 OSCAL and the Certification Lifecycle: Machine-Readable Compliance for Common Criteria (C30c) Pirooz Javan, Chief Technology Officer, Easy Dynamics, United States
10:30 - 10:45 Networking Break
Foyer Cosmo/Sala Nebulosa
10:45 - 12:15 Track Sessions
| Advances in CC Use (A31) |
| Moderator: TBA |
10:45 The Importance of Entropy Source Validation in Common Criteria: Navigating the New Assurance Landscape (A31a) Marina Ibrishimova, Principal Entropy Consultant, Lightship Security, Canada
11:15 Quantum Resilient CC: The Impact of PQC and QKD on EUCC (A31b) Cansu Yener, Common Criteria Lab Manager, Bureau Veritas Cybersecurity, Netherlands
11:45 Certifiable Random Number Generation in Virtualized Environments According to AIS 20/31 (A31c) Jonas Fiege, Certifier, Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany
| Certification Schemes Landscape (B31) |
| Moderator: TBA |
10:45 The Best Cybersecurity Scheme for Smart Meters (B31a) Ferenc Molnar, CEO, CCLab, Hungary
11:15 Agnostic AI Protection Profile in the Era of the EU AI Act (B31b) Ilyes Azouani, AI Testing Laboratory Director, CLR Labs, France
11:45 To Fuzz or Not to Fuzz: The Quest for Practical Meaning to Fuzzing in Global Certifications (B31c) Pratheek Menon, Lead Engineer, Intertek Acucert Labs, India
| CC in New Domains (C31) |
| Moderator: TBA |
10:45 A New Way (Undiscovered) to Evaluate, Certify and Maintain Products in the Age of Artificial Intelligence (C31a) Gaetano Cavarretta, Public Officer, Agenzia per la Cybersicurezza Nazionale (ACN), Italy
11:15 French Proposal for Evaluating Products Integrating AI (C31b) Julie Chuzel, Policy Officer on European Certification, Agence Nationale de la Securite des Systemes d’Information (ANSSI), France
11:45 Evaluation of AI-Based Technology (C31c) Naruki Kai, ISO/IEC 25959 Project editor, Information-Technology Promotion Agency (IPA), Japan
12:15 - 12:30 Networking Break
Foyer Cosmo/Sala Nebulosa
12:30 - 13:35 Closing Plenary Session
Sala Cosmo II
12:30 Panel: Common Criteria Challenges in Mutual Recognition: Is It Getting Any Better? (P32a) Leader: Jonathan Rolf, Cybersecurity Consultant, Independent, Retired NSA NIAP Director, United States; Panelists: TBA [60MIN]
13:30 Destination Revealed: Announcing ICCC 2027 (P32b) Bill Rutledge, ICCC Project Director, President, Cnxtd Event Media Corp., United States