Cyxtera Blog: Appgate

Written by Gregory J. Touhill on August 28, 2019

Common Criteria and AppGate SDP: Protecting National Security and Prosperity

Common Criteria (CC) Certification is a third-party validation accepted by 30 countries for secure IT products. Recently, AppGate SDP became the first Software-Defined Perimeter to be CC certified.


Common Criteria is the international “gold standard” for information technology security. If you are familiar with CC, you might think to yourself, “I know how CC relates to protecting national security, but what does it have to do with protecting national prosperity?”

The CC security certification came about as the result of unifying various international security standards so that companies seeking to sell products to participating governments would have a single standard to be evaluated against. In the national security space, CC is the ‘widest available mutual recognition of secure IT products’. Thirty nations now recognize CC as the IT security evaluation standard, which many governments mandate for any IT solution. Similarly, with the internet enabling and fueling the global marketplace, countless companies around the world recognize the benefit of leveraging nation-grade security to protect critical infrastructure and thus make CC certified products a requirement to protect their businesses and customers.

AppGate SDP is the first Software-Defined Perimeter (SDP) to become CC certified. The following are three examples of how a CC certified SDP can protect both national security and national prosperity.

Standards-Based Third-Party Validation

As a cyber operator, I embrace the Zero Trust security strategy – and you should as well. It is all too easy to accept what a company tells you is true because they advertise all kinds of “built to meet or exceed” type of wording and often over-promise and under-deliver. While marketing statements may prompt interest, true cyber professionals leverage independent third-party validation to identify the “contenders” from the “pretenders.” Cyxtera submitted AppGate SDP through the rigorous independent third-party validation mandated by 30 countries, delivering both credibility and trust through the independent CC testing and attestation process.

Improved Enterprise Risk Management

Cybersecurity is not just a technology issue: it is an enterprise risk management issue involving people, process, and technology. Mature organizations focusing on risk determine how secure a product is and how it enhances their enterprise risk posture. CC certification provides an unambiguous and disciplined process that helps organizations exercise due care and due diligence in managing their cyber risk. A product that has already “gone through the paces” in so many facets of security significantly reduces acquisition timelines, saves resources, and makes expensive organic testing and evaluation overhead redundant.

The Common Criteria Recognition Arrangement (CCRA) lists its number one objective as:

‘To ensure that evaluations of Information Technology (IT) products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles’

Organizations managing risk rely on “high and consistent standards” as they implement their enterprise risk management programs. Those organizations leveraging products certified by CC demonstrate cybersecurity due care and due diligence.  

Ongoing Commitment to Excellence in Security

As the former US Chief Information Security Officer and a retired military general officer, I recognize the investment and commitment needed to achieve a CC certification. When a vendor decides to set out on the CC journey — and just like Zero Trust, it definitely is a journey — one must understand the significant investment required. The CC certification cannot be bought, but rather, it must be earned. Not only must the security of the product be demonstrated but also the security of the company that stands behind it. Examples of areas of demonstrated excellence include leveraging secure coding principles and processes, conducting independent third-party testing of code for every release, and implementing approved secure cryptography modules. Security must be consistent, auditable, and complete in all facets of the production lifecycle, resulting in the highest quality products that secure and protect customers and their vital data.

When you invest in something that is CC certified, you receive more than a secure product: you also gain a partner that demonstrates their commitment to the highest standards of information technology security.

The First Common Criteria Certified SDP

Does your SDP go the extra mile to ensure national security and national prosperity?

You cannot have national security without national prosperity, and vice versa. Regardless of whether you are in the public or private sector, go beyond just a superficial vulnerability scan of a product and select a SDP that meets the international Common Criteria security standard. With so much riding on the confidentiality, integrity, and availability of your information, deploying anything else means not exercising proper due care and due diligence.

It is time to adopt the world’s first Common Criteria Certified Software-Defined Perimeter. It’s time for AppGate SDP.

To learn more, read the Data Sheet