Decisions In A FIPS 140-2 Validation

Trying to decide whether to perform a FIPS 140-2 validation on your product? It can actually be a pretty black and white decision. If you want to sell any product containing cryptography to any U.S. government agency or department, then the answer is clear cut: you need a FIPS 140-2 validation.

What is a FIPS 140-2 Validation?

FIPS 140-2 validation is required for products that contain cryptography and will be used with systems that process sensitive but unclassified information. The National Institute of Standards for Technology (NIST) and the Communications Security Establishment Canada (CSEC) developed FIPS 140-2 in 2001 specifically to protect sensitive information in computer and telecommunication systems.

The FIPS 140-2 process can be lengthy and expensive, which can be taxing on a company’s internal systems — it’s a huge undertaking. But for many, the end result is worth it: Once your cryptographic module is validated, you can sell it to any agency or department within the U.S. government.

The first five steps in the FIPS 140-2 Process:

1. Prepare/make a good plan for your validation

The time-consuming and potentially costly FIPS 140-2 process will run much more smoothly if you have a good game plan from the beginning. First, figure out how validation will affect other projects and how you can get a strong return on investment. Then decide who will be on your FIPS 140-2 team, which should include members from your marketing, sales, executive management, and quality assurance divisions. Involving team members from across the company will ensure that key members stay are aware of and stay focused on achieving the validation, and remain mindful that a validation can be a drain on other resources in the company, as well. Finally, determine whether your internal staff can provide the appropriate and ample documentation required for certification. Appointing staff members to a documentation team can help streamline this FIPS 140-2 process.

2. Assess your product

Assessing your product in the beginning will help prevent roadblocks along the way. Many products undergoing validation require functionality and code changes before they can be validated against the FIPS 140-2 standard. Since it’s much easier to change a product in the initial stages of the development cycle, it’s important to conduct proper assessments before beginning the FIPS 140-2 process. Consider analyzing your designs against the FIPS 140-2 requirements and making adjustments if needed to meet the FIPS standards.

3. Prepare a budget

Knowing what costs to expect and when will help avoid budget overruns. Prepare a budget in the beginning that includes items such as the fee for your FIPS 140-2 certificate and the testing lab fees. But make sure to take into account both the hard costs and the soft costs associated with the FIPS 140-2 process. For example, choosing a lab with lower testing fees may look like a wise decision early on. But if your team doesn’t have experience preparing documentation for a particular lab, this could end up being a costly setback. This is an area where a consultant can sometimes be a great asset. A consultant will have extensive FIPS 140-2 validation experience with many testing labs in both the U.S. and in other countries—and will know how each lab wants its documentation prepared and will be willing to handle all of the communication with the lab for you (see No. 5).

4. Choose a lab

There are many factors to consider when choosing the right FIPS 140-2 testing lab that go beyond cost alone. First, can you negotiate a fixed price for testing, reports, and the site visit? Doing so can prevent overtime costs if your project takes longer to complete. A lab that has more people assigned to your project can mean a more efficient FIPS 140-2 process. You should also select a lab that can show you that they will provide frequent and detailed communication throughout the entire FIPS 140-2 process so you feel informed during the project. Also find out about the lab’s track record for project completion. They may or may not be equipped to circumvent delays that can occur if you miss milestones or if your documentation is lacking. We recommend getting price quotes from a few labs before making a final decision.

5. Consider a Third Party Vendor

A consultant will prepare and revise all of the documentation and algorithm testing required for validation and communicate with the lab throughout the entire FIPS 140-2 process. This frees up your staff to focus on product development. And, because consultants are familiar with FIPS, they are able to quickly address common problems that may arise during the FIPS 140-2 process, preventing costly and time-consuming delays. That means you’ll be able realize the ROI on your validation and your product even faster.