CC-Certification-Common-Criteria-Certification

NSA Reorganization

In December of 2015, we heard about the NSA’s proposed reorganization (its biggest in 20 years) and a few of the potential impacts it could have on the agency and industry as a whole.  One critical …

Read more

CMVP

CMVP Has Begun Archiving!

As previously mentioned, CMVP announced that all FIPS 140-2 validations that use Random Number Generators (RNG), as well as certifications that use both the NIST 800-90A DRBG and RNG will be required to re-validate, otherwise, they will …

Read more

How-Heartbleed-Affects-Your-Security-Certifications

How Heartbleed Affects Your Security Certifications

Much has been in the news over the past couple of months about the security vulnerability known as Heartbleed. It is of vital interest to businesses and consumers, but especially so for businesses with products intended to provide security for their users. There are some specific and unique impacts to companies who are planning or are in the midst…

Corsec-Common-Criteria

Common Criteria Certification: What Is It?

Do you need to open the door to sell your IT security product to the U.S. government? That seems like it should be a process that is simple to work through, but think again. Any IT security product that will be used by the U.S. government for national security systems, either to handle classified and even some non-classified…

ESV Header

Entropy Testing: Tips for Meeting Requirements

In the second post of our two-part series, we continue our discussion with panelists from Computer Sciences Corporation: Lachlan Turner, Jason Cunningham, and Maureen Barry. Continuing where we left off with last week’s post, we’ll dive deeper into entropy and answer some of the many questions now arising…

ESV Header

Entropy for FIPS and Common Criteria: What Is It?

In the world of cryptography, data is only safe as long as the keys used to protect that data are kept secure. While, on one hand, this means that keys must be protected against unauthorized access, it also means that keys must be created in a way that makes them difficult for an attacker to guess. To produce cryptographically strong…

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

Dispelling FIPS Certification Myths

There are plenty of myths out there about FIPS and what it really takes to achieve validation. During our most recent webinar, “Top 10 Myths about FIPS,” we dispelled some of those myths and gave insight into what it really means to be FIPS validated and how your company can navigate the complicated validation process because of the level of detail, time, and cost involved, there…

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

Decisions In A FIPS 140-2 Validation

Trying to decide whether to perform a FIPS 140-2 validation on your product? It can actually be a pretty black and white decision. If you want to sell any product containing cryptography to any U.S. government agency or department, then the answer is clear cut: you need a FIPS validation. FIPS 140-2 validation is required for products that contain…

CC-Certification-Common-Criteria-Certification

Understanding Common Criteria Technical Working Groups

I recently had a conversation with a product vendor who was new to the Common Criteria community and it was refreshing to talk about and look at the Common Criteria “machine” from an outside perspective. One of the interesting parts of that machine is the Common Criteria User Forum (CCUF). It provides a voice and communications…

CC-Certification-Common-Criteria-Certification

Technical Communities: Creating Common Criteria Protection Profiles

Who is Defining the Criteria That Your Products Will Need to be Evaluated Against? I have been involved in the Common Criteria (CC) community since the first International Common Criteria Conference (ICCC) in 2000. While I spend a lot of my time down in the weeds of Common Criteria issues, it’s refreshing to look at the Common…

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

FIPS Certification Process

I have recently read several online articles questioning what it means for a cryptographic module to be FIPS 140-2 validated. While the FIPS 140-2 validation process is very complicated and replete with regulations, some of the information presented in the articles themselves and the comments made by…

RMF and the DoD's UC APL

Planning Leads to Smooth Sailing in DoDIN APL Listing: Webinar Recap

Getting your product listed on the DoD UC APL can seem like a Herculean task. We’ve talked before about the ins and outs of the entire listing process, but anyone who has considered any type of IT security validation knows that making the process as efficient as possible is as key as paying attention to the details. Last week, Corsec Co-Founder…

Corsec-Common-Criteria

Common Criteria Schemes: Tips for Making the Right Choice

So many decisions, so little time. You’ve heard—and likely experienced—this mantra. And if you read this blog regularly, you’ve probably picked up on the fact that security validations involve making a whole host of decisions. When pursuing Common Criteria certification, one often perplexing, yet critical decision I hear people lament…

FIPS 140, CSfC, Common Criteria, UC APL

CSfC and Your Product Evaluation

We have recently seen an increase in the number of clients who are asking about CSfC and how to get on the CSfC Components List maintained by the National Security Agency (NSA) Information Assurance Directorate (IAD). CSfC is the acronym for the IAD’s Commercial Solutions for Classified program. It’s worth noting…