Last Friday’s DoD Industry Day on Network Penetration Reporting and Contracting for Cloud Services came with a big announcement from the Pentagon’s head of IT – DoD CIO John Zangardi.
The Pentagon will begin to hold contractors to higher security standards for the products operating on the DoD network and on the contractors’ own systems. As we have seen elsewhere in government, advanced threats have created the need for tighter and stricter regulation of the way products process sensitive information. Mr. Zangardi stated that “with these regulations, we are asking to implement some of the same defenses as we are implementing for the department’s networks.”
As part of this new push, contractors doing business with the DoD must now provide “adequate security” when connecting to the DoD network and its components — which at minimum means compliance with the National Institute of Standards and Technology’s (NIST) Special Publication 800-171. Section 3.13.11 of that Special Publication states that product vendors must “employ FIPS-validated cryptography when used to protect the confidentiality of Controlled Unclassified Information (CUI).”
FIPS-validated cryptography is defined within the document as a cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP).
As a result, all DoD contractors that deploy products handling CUI and that use encryption must now, at a minimum, ensure that their cryptographic functionality is validated under FIPS 140-2. Additional regulation from the Pentagon in October of 2016, Safeguarding Covered Defense Information and Cyber Incident Reporting, further defines the various levels of security and categories of CUI. Defense contractors have until the end of calendar year 2017 to comply with the regulation.
If you need help validating your product, Corsec offers a wide range of services to help you complete either CMVP testing or the entire FIPS 140-2 validation process. The process is streamlined with the deployment of Corsec’s patented Ultima solution, which eases the burden of algorithm testing and allows for more efficient resource allocation, increasing efficiency and productivity throughout the project.
Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe