A Look Back: 2013 for FIPS, Common Criteria and DoDIN APL

The end of the year is a great time to look back at important milestones and use what we’ve learned to plan for the upcoming year. This year, clearing the air where myths and misconceptions were concerned was a theme that we saw come up repeatedly at Corsec, and laying the groundwork for smooth process was another. Here are some highlights of what we saw in 2013 and some tips for what you might see in the next year:

FIPS

FIPS was a big area of interest this year, and will likely be for 2014 as well. Many people are still very concerned about FIPS 140-3 and whether they should postpone product validations to wait for the new standard to come out instead of validating to FIPS 140-2, or if preparations should be made in order to be ready for FIPS 140-3. The answer is don’t wait, 140-3 is not right around the corner, and while you stall, your competitors are making the sales that could be yours.

There was also much concern this year about simply setting the record straight on FIPS: dispelling common myths, new IG updates and OpenSSL.

In general, we find that FIPS seems to be surrounded by misinformation, myth and mystery. Corsec CEO and Co-Founder Matt Appler cleared up a misconception that U.S. government algorithms have been designed by the NSA. A FIPS 140-2 validation requires that you use algorithms that are approved by the National Institute for Standards and Technology and the Communications Security Establishment Canada, and are listed in Annex A of the FIPS 140-2 standard. A vendor submitting a product for FIPS 140-2 validation does not have the option of using different algorithms. Make sure you have the right information before you start your validation.

We realize that confusion can keep people from moving forward with a FIPS validation, which can be detrimental to the bottom line. The thinking that if you have a Common Criteria certification you don’t need a FIPS validation, that if you know the “right” people you can circumvent the CMVP queue, or that OpenSSL is the final answer for all of your FIPS requirements are all fallacies that we covered in our webinar, “Top 10 Myths About FIPS Validation.” During the presentation, Corsec Lead Engineer Darryl Johnson set the record straight for lots of folks on what is clearly a controversial topic and how critical these answers are to the validation process.

In March, we learned that the CMVP issued an update that included two changes to the FIPS 140-2 Implementation Guidance. The changes affected power-up tests for software module libraries and references to the support of industry protocols. Both changes had an immediate effect on validations and therefore will still be critical for your planning in 2014.

Common Criteria

Common Criteria was also top of mind in 2013. Matt Appler wrote a post that offered a great overview on why your company needs the Common Criteria certification and the steps required to get there.

Corsec Vice President Matt Keller drilled down deeper into Common Criteria later in the year in his two-part post about the Common Criteria User Forum, touching on Technical Communities, Working Groups and how Protection Profiles are created. Also on the subject of CC Working Groups, this year we had the unique opportunity to get a close look at the work of one particular working group in a two-part blog post with the Convenor of the ISO/IEC JTC 1/SC 27’s WG 3, Miguel Bañón. Mr. Bañón gave us an inside look at how Working Groups function, the current focus of the WG3 (ISO/IEC 15408 “Evaluation Criteria for IT Security,” ISO/IEC 19790 “Security Requirements for Cryptographic Modules,” and ISO/IEC 11889 “Trusted Platform Module”), and their plans for the future.

DoDIN APL

The DoDIN APL, the DoD’s list of IT security products that have completed both Information Assurance (IA) and Interoperability (IO) testing and certification, can be a path to new revenue opportunities, but like many other IT security evaluations, it’s not an easy process. Corsec presented a great webinar on planning for your DoDIN APL listing process that can make the whole task more efficient. Seven key tips—from reducing costs through similarity arguments and obtaining testing center buy-in early to having well-prepared documentation—can make planning more efficient. I outlined them in my webinar recap post, but take a look at the whole webinar for the details. And don’t forget the budgeting step. Like other evaluations, UC APL is an expensive endeavor and budgeting carefully can save you in the end.

Regardless of the path they took, in 2013 many of our customers realized that the help of a consultant made the road to achieving certification much more efficient. Corsec has completed hundreds of validations for clients over the past 15 years. We can help facilitate yours so that you can focus on your business. Contact us to get started.