FIPS 140 / ISO 19790
FIPS 140-2 is the de-facto standard to certify cryptography implemented in ICT products. This certification is “table stakes” to sell into most US Federal accounts. FIPS 140-2 has also proliferated into other verticals, like healthcare (HIPAA) and the financial industry. Over the last few years, FIPS 140-2 validations have become complicated and convoluted. An experienced laboratory can help you understand and navigate the process to ensure a successful validation.
ISO 19790 is an evolution of FIPS 140-2 to reflect advances since FIPS 140-2 was released in 2001, as well as provide an international standard for cryptographic module security requirements and associated testing requirements.
The Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements which must be met in order for products to be validated under the Cryptographic Module Validation Program (CMVP). The CMVP is a joint program between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC). These two organizations oversee the validation of products and/or cryptographic modules to the FIPS 140-2 standard. ISO 19790 is destined to replace FIPS 140-2 as the basis for CMVP Validation of cryptographic modules.
For vendors, a successful FIPS 140-2 can be validation can be essential to selling their products in US and international markets:
- In the U.S. cryptographic modules shall be FIPS 140-2 validated when cryptography is used by federal government agencies to protect sensitive, but unclassified information (see section 3.2 of the FIPS 140-2 FAQ for details).
- In Canada, the CSEC recommends federal agencies use FIPS 140-2 validated cryptographic modules to secure data designated as Protected A or Protected B.
- In the U.K., the Communications-Electronics Security Group (CESG) recommends the use of FIPS 140 validated cryptographic modules.
FIPS 140 Algorithm Testing
Algorithm testing is an important step for the FIPS module validation process. While it is the most objective part of the validation process, it does not require specialized tools or skills to execute. Our security firm, Acumen has developed an algorithm testing tool that makes it easy to perform these tests. The test harness is designed to support and interface with a wide variety of product types and we are confident we can test any product sent our way.
Working with Intertek
We seek to engage early on and adopt risk mitigating processes whereby non-compliance is identified early on, fixes are discussed and planned, testing methodology is defined in advance to allow your teams to plan accordingly and schedule is tracked religiously to ensure our progress is in step with your development and test plans.
- Gap Analysis & Strategy Workshop
- to educate Developer Short personnel on the Cryptographic Module Validation Program (CMVP) and FIPS 140-2;
- to identify CMVP requirements that need to be addressed by Developer in order to support subsequent testing of the cryptographic module; and
- to provide an opportunity to better understand the product and develop a quotation to carry out cryptographic module testing in support of validation under the CMVP.
- Design Consulting
Usually limited to discussing the requirements to be met and whether the module under consideration is likely to PASS analysis and testing for conformance to those requirements for two reasons: 1. the Developer is more qualified to identify how to implement requirements in their product: and 2. providing design guidance (i.e., identifying how to implement) may jeopardize our ability to act as the test lab for the product.
- Documentation Development
- Usually limited to collating and collecting information already existing at Developer and putting it into documents for our lab to then carry out analysis and testing. If we create original documentation we are disqualified under CMVP rules from acting as test lab.
- Security Policy
- Vendor Evidence Document (VED) – how module meets requirements and where to find the proof / demonstration in the other vendor documentation (e.g., User guides, source code, etc.)
- Evaluation Services
- Analysis and review of the Security Policy and VED
- Provision of cryptographic algorithm test inputs to vendor and analysis of test results returned by vendor
- execute algorithm test on behalf of the vendor where requested
- Development and execution of functional and physical tests of product conformance to FIPS 140-2 requirements
- Create and maintain the record of analysis and testing of the vendor for submission to the CMVP in support of their validation of the module
- Liaison with the CMVP to respond to comments and questions about the module, Security Policy and test report until validation is completed
- Post-Certification Support
- Monitor changes to the validation program requirements that might affect module validation status
- provide updates to vendors on changes to the validation program or standard through Implementation Guidance issued by CMVP
- Follow-on testing of updated versions of modules in order to maintain validation status or receive new validation