Q&A

Let’s get to know the Acumen team.

How long have you been in the certification business?

Tony: I started as a Common Criteria Evaluator over twelve years ago. I like to call those days the wild west of modern certifications. I saw that some certifications took a matter of months to complete and others took as long as four years. I participated in an EAL7 evaluation and a pseudo-Common Criteria evaluation against a multi-site system. I added FIPS testing to my resume and eventually became the Lab Manager of the test lab I worked for. Then, six years ago, I went to work for Cisco and my eyes were opened even wider. It was only then that I understood the true impact of the testing I had been doing for years. And now, I’m embarking on my latest and greatest adventure here at Acumen Security.

Ashit: My foray into certifications was about eleven years ago when I joined a young laboratory as a FIPS 140-2 certification engineer. Tony calls those days the wild west of certification, I call them simple times. FIPS 140-2 had only 5-6 approved algorithms and the implementation guidance document wasn’t the monstrosity it is right now. The new laboratory grew fast and pretty soon we were amongst top 3 FIPS labs. By the time I joined Cisco, I was the Lab Manager, managing some of our biggest accounts. Joining Cisco was a completely different experience. As Tony mentioned, it hit like a breath of fresh air to understand what it actually means having to navigate and meet these sometimes-obscure requirements. It gave me a new perspective on efficacy of certifications and how best to leverage them to improve products and not just get a certification checkbox. Within a year of joining Cisco I was made the manager of the FIPS and CC teams. It was an interesting time to take over because CC was going through huge changes (and it still is). In addition to managing all of Cisco’s certifications, I was also working on building relationships with global schemes and labs. Not only did I have a front seat to the changes in the CC world but was a key participant and catalyst of the change. It was fun times!

Why did you decide to start Acumen?

Ashit: Starting a lab had been something I had thought about for years. It was always in the back of my head but the timing was never right. That is until Tony and I really began to talk and realized many of our views and opinions were very similar. We saw a niche that we knew we could fill. And most importantly, we knew that we could really make life easier for companies that have to go through the certification process. After much thought and consulting with my wife and family, I finally decided the time to take the plunge was now or never. So, here we are at Acumen.

Tony: Exactly. Given our roles at Cisco, we had a chance to interact with a number of laboratories. While many of them were good at what they did, their perspective, worldview if you will, was from the lab side only. There wasn’t an understanding of what certifying a product means to vendors. For example, as a lab there is little understanding of what it takes to get certification above the “priority line” (we called it development priority line) for product teams when competition is tough and budget available is shrinking. Once the priority has been established any changes in perceived requirements severely impact the project plan. Such realization isn’t there in the lab world.

What makes Acumen different from other certification labs?

Ashit: We started Acumen on the premise that we would be different from what currently exists. So that has been our foundational thought and strategy since the beginning. And you will see this permeate throughout our engagement, right from simple contract negotiation, to deciding what to certify (only what sales needs!), the certification process and even post certification support. A good example is how we approach the certification process; let’s say you are coming in to do certification for FIPS 140-2 and Common Criteria, you will not be working with two different teams. Our evaluators are trained in both and we will leverage efficiencies by testing once to satisfy both requirements. This is a big cost curbing and time savings method to our customers, who are always fighting time to market, to ensure their investment in certification stays relevant.

Tony: The biggest differentiator for Acumen is that we have been on both sides of the coin, both as former testers, test lab managers, and product vendors. We understand the impact a non-conformance can have on a vendor who is just trying to meet procurement requirements. We have used this unique set of experiences to develop the best practices that can make the certification process as smooth and dare I say, easy as possible. It is this perspective that really makes Acumen stand out from the crowd.

What is the most rewarding part of working in government certifications?

Tony: I love knowing that what I’m doing makes a difference in both product improvement and business performance. A couple of years ago, a very large product sale was dependent on both FIPS and Common Criteria certifications. Now, this is a fairly standard situation. What made this one unique, however, was that the deal was VERY time sensitive. We had to complete both certifications in less than a summer from start to finish. I remember working around the clock and coordinating with both the development team, finding solutions as non-compliances were found and the certification test lab to find inventive ways of meeting requirements. By the end of the summer, we had completed both certifications in record time and enabled millions and millions of dollars in business. Even though it was a lot of work, I look back at that time and am very proud of what we accomplished. I have numerous stories like this. It is these accomplishments that are the most rewarding part of working in certifications.

Ashit: Yep, I remember that. I believe it is still the record for fastest completed certification! For me, the most rewarding part is giving value back to our customers. At the end of the day, we realize that while certifications help product security, customers want an ROI on the investment that they make. While external fees (paid to labs, consultants etc.) are significant, the biggest costs are internal. These costs are tangible (in the form of head count, equipment etc.) as well as intangible opportunity costs (deciding to certify a product means that something was pushed down the priority line). So, if a customer does not realize gains from certifications, there is no point. The best way we can provide a good ROI to the customer is ensuring a smoothly run certification that results in a successful final certificate in a timely manner. When all of that comes together, it is nirvana!

What, in your opinion, is the biggest challenge in government certifications?

Tony: The landscape of government certifications is constantly changing. A behavior that was compliant and certifiable yesterday may not be certifiable today. Things like new key strength requirements, FIPS Implementation Guidance, new Protection Profiles, and scheme policies make it difficult for a product vendor who is focused on getting products and new features into their customers’ hands. At Cisco, we were very fortunate to have a team dedicated to certifications. Most vendors don’t have that luxury. In fact, many are lucky to have one person part-time dedicated. To me, keeping up with the ever changing requirements is the biggest challenge facing a lot of product vendors. This, by the way, is where Acumen excels. We absolutely understand what it takes for a vendor to take a product through certification from start to finish.

Ashit: I would agree. It has become more and more difficult to navigate the ever changing world of certification. What you thought was compliant last year is no longer this year. Keeping track of these changes is a drain on companies that would much rather dedicate resources to innovate. So we make it our business to keep track and message out via blogs, white papers, information sessions etc. I would say the other challenge, and this is specific to FIPS, is the time to complete government review which now stands at 6-8 months. This is just unacceptable when product refresh cycles are contracting and time to market makes or breaks a product. Unfortunately, Acumen does not have control over this but we have been pushing CMVP to do better and credit to them, they have listened. Hopefully the steps they are taking right now will have a direct result in reducing the review times.

What would you be doing if you weren’t in certifications?

Ashit: Bumming around the world? Ha! Well I would likely have been in the construction business with my dad.

Tony: Well, I couldn’t imagine a different career. But if I had to try, I’d likely be doing something health related. Perhaps I’d be a nutritionist or a physical therapist. Mostly, I know I’d be helping people with whatever I did.

What do you like to do in your spare time?

Tony: The most important things in my life are my family and children. I love to watch my girls grow. It seems like yesterday, my oldest was born. I’ve been very fortunate and have been able to experience many of their major milestones, like taking their first steps or saying their first words (I saw both of those for each of my two girls). Most of my spare time is spent with them and I wouldn’t have it any other way. I do also love my home town Orioles and get out to the park whenever I can.

Ashit: Tony you have spare time??? (Note: Tony is better at time management than I) Ever since deciding to start Acumen and changing the world of certification in that process, spare time has been hard to come by. But when I do get some free time, I am doing some work around the home, playing with my three year old or watching TV; I just completed watching House of Cards. I try to catch up on reading and sports as well.

How about them Orioles?

Tony: From the time I was little, watching the O’s has been one of my favorite pastimes. I remember driving downtown when I was very young with my dad and my brother to Memorial Stadium and then riding the light rail as I got older to Camden Yards to watch the birds play. I was there for the game Cal tied the record for most consecutive games played. It is great they are finally good again. I just hope they can take that next step. I can’t wait!

Ashit: Orioles who? :-)

Any final thoughts?

Ashit: Tony and I started Acumen to change the way certifications are done. We are on our way to doing that and are hoping we can take the industry along with us. In the end we want to make sure that certifications are efficacious to our customers. They see value in certifications not just as a tool to sell their products but also to better them. We can do this only if we work with our government partners to make requirements more relevant than ivory tower commandments.

Tony: Sure. As effective as Acumen is at helping vendors with government certification, the certifications are only as good as revenue it has enabled or protected. We aren’t going to recommend certifying a product if it is not going to meet your strategic needs. Coming from a product vendor, we can help a potential customer really figure out what certifications they really need to make their sale. It doesn’t do anyone any good to certify a product for the heck of certifying a product. So, if we see that it doesn’t make sense to certify, we’ll let the customer know. That’s what Acumen believes being a good partner means. Oh, and we love to chat, if you have any questions, give us a call. Let us impress you with our knowledge and skill.