FIPS Compliance and OpenSSL

Product vendors often rely on OpenSSL to meet FIPS requirements.

However, under current CMVP policy, vendors that rely on certain versions of the OpenSSL cryptographic library to meet FIPS 140-2 requirements are at risk of falling out of FIPS compliance: the CMVP no longer accepts new FIPS 140-2 submissions, and existing FIPS 140-2 certificates are scheduled to move to the CMVP Historical List.

This transition makes it essential for vendors to understand what FIPS 140-3 validation requires and how to navigate the validation process.

FIPS Compliance vs. FIPS 140-3 Validation: Key Differences

There is a substantial difference between stating that your product is ‘FIPS compliant’ and its being ‘FIPS 140-3 validated.’

FIPS Compliance

FIPS compliance (often called ‘FIPS inside’) refers to a product that incorporates another company’s cryptographic module, one that has itself gone through the complete FIPS validation process, while the product holds no certificate of its own. The claim is only meaningful if the embedded module is the exact validated version, runs on a platform covered by its certificate, and operates in its approved mode as described in the module’s security policy. While this may seem sufficient, it does not carry as much weight as achieving full ‘FIPS 140-3 validation.’
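A ‘FIPS inside’ claim is only as good as the module that is actually running. For a product that embeds OpenSSL 3, that means confirming that the FIPS provider is loaded and active, and that its version is one you have checked against the certificate you intend to rely on. The following is an added example, not code from the original page or from the OpenSSL project; the VALIDATED_VERSIONS list is an assumed placeholder and the sample provider listing is constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the original page or from the OpenSSL project.
# Checks `openssl list -providers` output (OpenSSL 3.x) for an active "fips"
# provider and compares its version with the versions you have confirmed
# against the module's CMVP certificate and security policy.
#
# VALIDATED_VERSIONS is an ASSUMED placeholder: replace it with the version
# strings listed on the certificate you intend to rely on.
VALIDATED_VERSIONS="${VALIDATED_VERSIONS:-3.0.8 3.0.9}"

# Reads provider listing text on stdin. Prints the fips provider's version and
# returns 0 if a provider named "fips" reports "status: active"; returns 1 otherwise.
fips_provider_version() {
  awk '
    /^  [A-Za-z0-9_.-]+$/ { name = $1; next }      # provider name line (2-space indent)
    name == "fips" && /version:/ { ver = $2 }
    name == "fips" && /status:/  { status = $2 }
    END {
      if (status == "active") { print ver; exit 0 }
      exit 1
    }
  '
}

# Returns 0 if the active fips provider version is in VALIDATED_VERSIONS,
# 1 if there is no active fips provider, 2 if it is active but not a validated version.
check_fips_provider() {
  ver=$(fips_provider_version) || { echo "no active fips provider" >&2; return 1; }
  for v in $VALIDATED_VERSIONS; do
    if [ "$v" = "$ver" ]; then
      echo "fips provider $ver is active and matches the validated list"
      return 0
    fi
  done
  echo "fips provider $ver is active but is not a validated version" >&2
  return 2
}

# Constructed sample in the format `openssl list -providers` prints;
# it is not captured from a real system.
SAMPLE_LISTING='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active'

# Demo against the constructed sample. On a real host run:
#   openssl list -providers | check_fips_provider
printf '%s\n' "$SAMPLE_LISTING" | check_fips_provider
```

Loading the provider is not the same as operating in approved mode: with OpenSSL 3 the application must also restrict itself to FIPS-approved algorithms, either with `default_properties = fips=yes` in the OpenSSL configuration or by calling `EVP_default_properties_enable_fips()`, and the module’s security policy lists the platforms on which the validation applies.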

FIPS 140-3 Validation

FIPS validation means the vendor has taken its own cryptographic module through the entire FIPS 140-3 process and has received a certificate for that specific module, issued by the CMVP, a joint program of NIST and the Canadian Centre for Cyber Security. The certificate is what satisfies the federal requirement, under FISMA, that U.S. government agencies use validated cryptographic modules to protect sensitive information, and it is what procurement in industries such as healthcare, financial services, and critical infrastructure increasingly looks for.

When considering the security of a product, every entry and access point must be secured and must meet the full government requirements. Choosing the FIPS compliance route covers only a portion of what needs to be protected: it vouches for someone else’s module, not for how your product uses it. Achieving FIPS 140-3 validation means an accredited laboratory has tested your module and the CMVP has certified it, within the cryptographic boundary and under the operating conditions defined in its security policy.

Why FIPS 140-3 Certification Matters

With the transition to FIPS 140-3, product vendors that previously relied on a FIPS 140-2 certificate or on ‘FIPS inside’ compliance may find themselves out of step with the current standard. The new requirements affect not only those who have relied on a ‘FIPS inside’ strategy but also dependent certifications such as Common Criteria and listing on the DoDIN APL, both of which depend on the FIPS status of the underlying cryptography.

The Risks of Non-Compliance

Modules validated against FIPS 140-2 will be moved to the CMVP Historical List, after which federal agencies should not include them in new procurements. Vendors that are unaware of this change, and that have built their compliance story on such a module, will be significantly affected.

The FIPS 140-3 Process: Steps to Achieve Certification

Achieving FIPS 140-3 certification involves a comprehensive process, including:

  1. Initial Assessment: A gap analysis of your product against the FIPS 140-3 requirements (ISO/IEC 19790 and ISO/IEC 24759) at your target security level, including defining the cryptographic boundary of the module.
  2. Algorithm and Module Testing: Algorithm implementations are tested under the Cryptographic Algorithm Validation Program (CAVP), and the module itself is tested by an accredited Cryptographic and Security Testing (CST) laboratory.
  3. Documentation and Submission: Preparing the required documentation, most importantly the security policy, and having the laboratory submit its test report to the CMVP.
  4. CMVP Review: NIST and CCCS reviewers examine the laboratory’s report, raise comments, and coordinate resolution with the laboratory and the vendor.
  5. Certificate Issuance: Once the review is complete, a FIPS 140-3 certificate is issued and the module is listed on the CMVP validated modules list.

The Role of FIPS 140-3 Validation Experts

Given the complexity of the FIPS validation process, working with FIPS 140-3 validation experts is crucial. These experts can guide you through each step of the process, helping you avoid costly mistakes and ensuring your product meets all necessary standards.

Take Action Now

For help determining whether and how your product will be affected by this change, contact us to avoid lengthy and costly delays, or worse, de-listing from the CMVP website. Our team of FIPS 140-3 validation experts is ready to assist you.