DoD Changes UC APL name to DoDIN APL

The Department of Defense has changed the name of the list it uses for the procurement of IT products to be used over the DoD network infrastructures. Previously named the Unified Capabilities Approved Products List (UC APL), the new list is henceforth the Department of Defense Information Network Approved Products List (DoDIN APL). “The Department of Defense Information…

MONTHLY FED ROUNDUP – JUNE 2017

DISA’s June News Assured Compliance Assessment Solution (ACAS) training courses offered globally from July through December DISA moves forward with milCloud 2.0 through IDIQ award to connect DoD networks for use by the community and partners DISA and DMA partner to host Federal Knowledge Management Working Group DISA Executive Deputy Director Tony Montemarano gives annual…

Ivanti Continues to Strengthen Products through Common Criteria

Corsec would like to congratulate our partner Ivanti, the company that helps transform IT operations through patch and asset management and IT service delivery and security, on completing the Common Criteria certification process under an Evaluation Assurance Level (EAL) 2+ for the Shavlik U.S. Federal Protect Standard v9.2 Update 3. Ivanti’s participation in the Common Criteria evaluation process…

Protecting Your Brand

The financial losses associated with damage to your brand can be devastating, sometimes in the millions of dollars. According to an IBM study, 66% of threats impacting brand damage can be attributed to IT system failures and 46% can be attributed to cyber security breaches. Depending on your industry and markets, protecting your brand identity can…

Pivot3 Becomes Only HCI Vendor with CC for Data Protection

Corsec would like to congratulate our partner, Pivot3, on completing the Common Criteria certification process under an Evaluation Assurance Level (EAL) 2+ for its vSTAC OS v7.5 hyperconverged infrastructure software platform. Pivot3’s participation in the Common Criteria evaluation process emphasizes the company’s commitment to product security. “The vSTAC delivers up to 94% usable storage capacity at scale,…

Monthly Fed Roundup – March 2017

DISA’s March News DISA holds Systems Engineering, Technology, and Innovation Pre-Proposal Conference for insights on new Engineering Contract Vehicle Training offered for individuals trying to re-certify, re-accredit, or establish connectivity to the Defense Security Information Security Network (DISN) NIST’s March News NIST Final Public Draft: Cybersecurity Framework Manufacturing Profile NIAP’s March News Requested Technical Community Participation: The update on…

Upcoming Changes to Common Criteria and Other Security Certifications

The global encryption community will gather at the fifth annual International Cryptographic Module Conference (ICMC) in May to discuss the future of commercial cryptography and the role it plays in security of the world around us. Over 20 countries will be represented, as leaders come together to collaborate on unique challenges faced by those who produce,…

HPE Takes Another Step in Securing Service Desk Solutions

Corsec would like to congratulate our partner, HP Enterprise, on successfully finalizing the Common Criteria certification process for the HPE Service Manager v9.41. The completion of the CC evaluation gives governments and businesses a service desk solution that has been internationally vetted and tested for information assurance. The commitment by HPE to provide secured products to Federal organizations and global…

Monthly Fed Roundup – February 2017

DISA’s February News DISA CTO set to retire Systems Engineering, Technology and Innovation Request for Proposal released by DISA NIST’s February News NIST Draft Releases: Draft Special Publication 1800-7, Situational Awareness for Electric Utilities released for comments SHA-1 Collision NIAP’s February News NIAP has announced an invite to join a technical working group in the development of a Protection…

Dispelling DoDIN APL Listing Myths

The hoops that companies must jump through in order to sell into the Federal government can be difficult to understand and sometimes misleading. As with any government process, misconceptions surrounding what is required begin to evolve and companies can potentially lose revenue as a result. Here are a few of the most common myths and…

Monthly Fed Roundup – January 2017

DISA’s January News DISA focuses on Innovation during the Armed Forces Communications and Electronics Association panel NIST’s January News NIST Draft Releases: Draft Special Publication 800-12, Revision 1, An Introduction to Information Security NIST Interagency Reports: An Introduction to Privacy Engineering and Risk Management in Federal Systems NIAP’s January News The 2016 NIAP Progress Report Has…

Monthly Fed Roundup – December 2016

DISA’s December News No December Updates NIST’s December News NIST Draft Releases: Draft Special Publication 800-188, De-Identification of Government Datasets Special Publications: SP 800-179 Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations Special Publication 800-184,…

Corsec Named Owler ‘HOT in 2016’ Winner

Owler (a Crowdsourced Competitive Intelligence Platform) recognizes the top trending companies in cities around the world. They filtered through more than 15 million companies and picked 4,500 award winners across 600 cities worldwide. Recipients were chosen based on several different metrics, including number of followers on Owler, insights collected from our community, social media followers,…

IP Protection: Are You Asking The Right Questions?

Would you buy a house without properly securing all the windows and doors? Would you trust a bank that didn’t require ID and a password before granting access to your account? If we don’t take risks in protecting our personal property, why would we take risks when protecting our company’s Intellectual Property (IP)? World class security companies make strategic investments in…

Your Security Strategy – Are You At Risk?

$7 Million Dollars – According to a recent study by IBM, that’s the average cost of a security breach. The overall brand damage can be catastrophic, huge financial losses and customer abandonment. Companies like Target and JPMorgan are still dealing with the aftermath from breaches. The ramifications can last years, or even worse, put you under. Avoiding these scenarios with proper product certifications is…

Monthly FED Roundup – November 2016

DISA’s November News The annual forecast event to industry was held in Baltimore, MD this month. NIST’s November News NIST Draft Releases: Draft Special Publication (SP) 800-187, Guide to LTE Security for public comment Draft Special Publication 800-181, NICE Cybersecurity Workforce Framework (NCWF) — National Initiative for Cybersecurity Education (NICE) Special Publications: Systems Security Engineering…

Corsec Cares Collects Food During Holiday Season

Every year Corsec Cares collects donations from team members and delivers them to a local organization to help ensure families in the district are able to enjoy and celebrate the Thanksgiving holiday season. For the second year in a row Corsec collected and delivered food donations to Food for Others, a local organization in Fairfax County, VA. Food for…

Are Your Partners Putting Your IP at Risk?

What if your intellectual property was at risk and you weren’t even aware? In today’s highly competitive and often vulnerable world, the companies we choose to partner with play a large role in the security of our products. We take precautionary measures to sign the proper documentation like NDAs and Teaming Agreements, but at the end…

Monthly FED Roundup – October 2016

DISA’s October News Those trying to establish, re-accredit, or re-certify their connections to the Defense Information Systems Network (DISN) will not have access to training provided by DISA’s Risk Adjudication and Connection Division. NIST’s October News NIST Draft Releases: NISTIR 8149, Developing Trust Frameworks to Support Identity Federations NISTIR 8151, Dramatically Reducing Software Vulnerabilities: Report to…

Corsec Cares Assists FIRST LEGO League

As part of Corsec Cares, Corsec’s CEO, Matthew Appler, teamed up with FIRST Lego League (FLL), a local organization to help students expand their engineering enthusiasm and find solutions to real world issues. FLL is a robotics competition for elementary and middle school aged children that runs nationwide every fall. Teams from Washington DC and…

Monthly FED Roundup – September 2016

DISA’s September News The DoD’s tool to detect and counter known cyber attacks, The Host Based Security System (HBSS), will be combined with other solutions to create a holistic approach to protecting our nation’s critical infrastructure and networks. This new solution will be known as Endpoint Security Solutions (ESS). In an attempt to leverage efficiencies,…

Monthly FED Roundup – August 2016

DISA’s August News DISA releases its Three-Tiered Approach to Cloud Computing DISA assists DoD cloud service providers with the Cloud Provisional Authorization (PA) process NIST’s August News A release was published on Post-Quantum Cryptography – for more information on the subject as well as notes from recent Post-Quantum events, please read Corsec’s blog post The…

Update On NIST’S Post-Quantum Cryptography Requirements

After a great discussion in Japan at the 7th Annual Post-Quantum Crypto Conference (PQCrypto 2016) back in February, NIST has taken the next step and announced they are seeking additional input and comments on their draft proposal for “Post-Quantum Cryptography: Proposed Requirements and Evaluation Criteria”. “The National Institute of Standards and Technology (NIST) has published a Federal Register Notice requesting comments on a proposed…

Corsec Discusses Product Security At BlackHat

BlackHat USA is on the horizon and product security enhancement is a huge focal point this year. Modern-day cryptography provides a level of security that was previously unimagined, but how do we ensure that the precautionary steps we are taking are sufficient to protect our products from prevailing attacks and hackers? Evaluate Your Crypto and Protect…

Monthly FED Roundup – July 2016

DISA’s July News DISA receives $9.7M in funds to help the American Warfighter from DOD Rapid Innovation Fund Program DISA PAC has new leadership – Col. Joseph E. Delaney COL Andrew S. McClelland assumes command of DISA Europe NIST’s July News NIST has released two draft publications on the Security Content Automation Protocol (SCAP) NIAP’s July News…

FIPS 140-3: When Can We Expect It?

Corsec is often asked when the next version of the Federal Information Processing Standard (FIPS 140-3), is expected to be released. It is an important question as product vendors are trying to adapt their certification strategies; either by validating their products prior to any changes that could sidetrack their current efforts, or by validating post release in…

Two New Countries Join CCRA

The CCRA Management Committee Chair has announced that two more countries, Qatar and Singapore, will officially sign the Common Criteria Recognition Agreement (CCRA). The addition of the two nations brings the total number of participants to 27. The Common Criteria Mutual Recognition Agreement (CCRA) is a pact, which was designed to allow all Common Criteria evaluations up to…

FIPS Inside: Is It Right For Me?

Implementing a FIPS 140-2 validation into your product is a great way to strengthen your solution, enhance your brand, and secure your bottom line. When pursuing FIPS, you will be faced with difficult and often confusing decisions; leaving you with many questions. One such question we are always asked is the difference between being FIPS Validated and FIPS…

CMUF Monthly Update: June

The deadline is approaching for vendors that were moved to the Historical List because of their RNG use. July 1 is the last day that a lab can submit a no-cost 3Sub to move a module from the Historical List to the Validated list. For more information see our previous posts on who has been affected…

NTIS Appoints Avi Bender as New Director

The Department of Commerce’s National Technical Information Services (NTIS) has announced a few new changes that may very well shake up the way the government uses and shares information. NTIS has announced a new joint venture partnership aimed to improve access, analysis, and use of federal data. NTIS serves as the largest central resource for government-funded…

Cybersecurity Acquisition Vehicle Coming

The General Services Administration (GSA) has announced their intentions to add another SIN to the GSA Schedule 70 – “Highly Adaptive Cybersecurity Services (HACS)”. The new SIN will be broken down into three categories for security services — proactive, reactive, and remediation. “We’re not putting together a vehicle for GSA. We’re putting it together for you. Tell us what…

DHS funds Cyber Defense

The Department of Homeland Security (DHS) has approved $1.8 billion in funding to prevent cybersecurity attacks and protect critical infrastructure. The House Appropriations Subcommittee approved the bill last week in order to support the National Protection and Programs Directorate (NPPD), the agency within DHS responsible for cybersecurity. “Hacking and cyberattacks have already cost the federal government billions…

Updates to Canadian Common Criteria Certifications

The Communications Security Establishment (CSE), the governing body of Common Criteria in Canada, has officially stated they will only accept Protection Profile (PP) based evaluations starting in September of 2017. Furthermore, they have stated that they will only be accepting evaluations against CSE-approved PPs; a full list of which can be found here. Additional guidance on…

Event Recovery and PIV Updates from NIST

NIST has released draft Special Publication (SP) 800-184, titled “Guide for Cybersecurity Event Recovery” – This draft is open to public comment until July, 11th, 2016 “The purpose of this document is to support federal agencies in a technology-neutral way in improving their cyber event recovery plans, processes, and procedures. This publication provides tactical and strategic…

Poor Project Management Could Derail Your Certification Efforts

CMVP has new guidelines which went live last month via the release of Implementation Guidance (G.16). This update will affect product vendors that have not taken proper precautions with project management related to their FIPS 140-2 validations. During validation, an accredited Lab can submit a request form (called an IUTA) for a product to be listed on the modules…

FIPS 140-2 Sunset Policy Update!

CMVP; the governing body that oversees U.S. FIPS 140-2 validations, has made drastic changes over the past year to policy governing product certification longevity. This week they went one step further and have now updated their Validation Sunsetting Policy, in a move that will impact a large number of companies and products. Key takeaways from this…

DISA Cloud Migration

In 2013, the Defense Information Systems Agency (DISA) developed an on-premise cloud solution for the DoD – milCloud 1.0. DISA continues to operate and manage this solution, but since its inception, cloud based services have grown in complexity and functionality. The DoD is now looking for a change. According to a report released by DISA,…

Updates From Around the Globe

Over the past two months Corsec has traveled from Seoul, Korea to Ontario, Canada in order to attend security certification events such as the Common Criteria Users Forum (CCUF), and the International Cryptographic Module Conference (ICMC). The discussions held at these events have given Corsec insight on changes that are coming to certification requirements, updates on the strategic outlook and vision…

Recent NIST Releases

NIST Releases “Best Practices Guide for Personal Identity Verification (PIV)-enabled Privileged Access” In response to the Office of Management and Budget (OMB)’s Cybersecurity Strategy and Implementation Plan, NIST has released their best practices guide for Personal Identity Verification (PIV)-enabled privileged access. This guide covers three critical areas: The risks of password-based single-factor authentication The need for multi-factor PIV-based…

Cybersecurity Innovation Forum

Corsec recently attended the Cybersecurity Innovation Summit at George Mason University in Fairfax, VA. This event created a platform for discussions on the recent advancements in cybersecurity and the evolving challenges security experts face. Among those attending were members of Academia, Industry and the Federal Government. Corsec’s CEO, Matthew Appler, attended the summit and has commented on the importance of the…

Corsec Speakers and Attendance at ICMC

As previously posted, next week in Ottawa, Ontario, Canada, hundreds of global leaders in the commercial encryption community will gather at the fourth annual International Cryptographic Module Conference (ICMC). Corsec’s President John Morris will be joining the list of Corsec employees speaking this year. John will be taking an in-depth look at the economic costs and rewards of…

CCUF Management Board Election Results

The Common Criteria Users Forum (CCUF), which serves as a voice amongst the Common Criteria community recently held elections for its management board. Corsec’s Matt Keller, who has served as the Vice Chair for the past 4 years, has been re-elected to the board and will continue to contribute to the CC community as well as to…

Corsec’s Matt Keller Attending 2016 ICMC

Next month in Ottawa, Ontario, Canada, hundreds of global leaders in the commercial encryption community will gather at the fourth annual International Cryptographic Module Conference (ICMC). Corsec’s Matt Keller, who also serves as CMUF Management Representative, will be presenting and recently was quoted in a release by the ICMC. “ICMC, presented by the Cryptographic Module User…

DISA Focuses On Mobile Security

In November of 2015, the Defense Information Systems Agency (DISA) announced it was taking steps to make cloud and mobile enabled networks a priority in 2016. It looks like that vision has actually started to take hold. Earlier this month, we discussed the changes to cloud security that DISA revealed when they released an update to the Cloud…

DISA Updates Cloud Computing Security

Last week, the Department of Defense (DOD) released an update to the Cloud Computing Security Requirements Guide (CC SRG) through the Chief Information Office and the Defense Information Systems Agency (DISA). This update provides guidance to a number of components, including: cloud service providers (CSPs), both commercial and DOD, to all DOD components using cloud,…

Pentagon Increases Spending On Cyber Defense

Defense Secretary Ashton Carter announced that the Pentagon would be spending an additional $900 million in 2017 to enhance cyber defense measures. This comes after last year’s hack of the Office of Personnel Management (OPM), resulting in the loss of personal data for over 20 million federal employees and contractors. “Given the increasing severity and sophistication…

NIAP archives Products with Outdated RNG

NIAP, the governing body over Common Criteria in the U.S., announced last week that it would be removing products from their Product Compliant List (PCL) that do not meet new Random Number Generator (RNG) requirements. This announcement is directly tied to current U.S. government purchasing policies. In a similar case, CMVP, the organization that oversees FIPS 140-2, implemented changes…

SCAP: New Revision Available

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has released the fourth revision of their Internal Report covering SCAP Version 1.2 Validation Program Test Requirements. SCAP or the “Security Content Automation Protocol” is made up of a suite of specifications developed by the security community for standardizing the way security software communicates and delivers…

OpenSSL Patches: Two New Named Attacks

In addition to the new vulnerabilities identified in January of this year, OpenSSL has once again had to release a slew of patches to correct problematic areas, which could ultimately affect your FIPS validation, Common Criteria evaluation or listing on the DoDIN APL. There are now at least two named attacks as part of the OpenSSL…

NIST’s Draft PUB on Entropy and RNG

Last month NIST released a draft publication on sources of Entropy and randomness in protecting sensitive data. The draft “Special Publication 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation”, is intended to help product vendors gauge if their sources of random numbers are indeed unpredictable. NIST states that “Random numbers are a crucial element in cryptography,…

Corsec at RSA 2016

RSA is on the horizon and everyone is getting excited. Each year product vendors convene to discuss security and how we will protect our digital world. But, with so much going on, it becomes difficult to prioritize between developing our pipelines, closing deals, and learning about new innovations to protect and enhance our products. Schedule…

Medical Devices & Security Guidelines

As cyber security risks continue to grow, a number of industries are starting to take steps to ensure secured protection of products. Health Care has always been an area of concern given the sensitive nature of the data that is transferred and stored among doctor’s offices, hospitals, and insurance carriers. Recently, the Food and Drug Administration’s…

Targeting the DoD? The Different Paths to Military Sales

With the military’s love of acronyms and the many and varied requirement definitions, understanding how to break into Department of Defense (DoD) sales can be a daunting proposition. How do these DoD and international requirements relate to one another and what does your product need? A few of the requirements we are hearing questions on…

NSA Reorganization

In December of 2015, we heard about the NSA’s proposed reorganization (its biggest in 20 years) and a few of the potential impacts it could have on the agency and industry as a whole. One critical area that is still somewhat murky is the impact on the IAD (and NIAP) now that the group is being…

Corsec Attending AFCEA WEST

Corsec will be in San Diego, CA for the annual AFCEA WEST conference. “The premier naval conference and exposition on the West Coast, WEST is now in its 26th year of bringing military and industry leaders together. Co-sponsored by AFCEA International and the U.S. Naval Institute, WEST is the foremost event in which the makers…

CMVP Has Begun Archiving!

As previously mentioned, CMVP announced that all FIPS 140-2 validations that use Random Number Generators (RNG), as well as certifications that use both the NIST 800-90A DRBG and RNG will be required to re-validate, otherwise, they will be placed on an unprocurable products list, which mandates reaffirmation with CMVP that you can meet new standards. Today, CMVP…

Happy Data Privacy Day

On January 28th; the U.S., Canada, and 47 European countries take time to acknowledge the importance of privacy and data protection best practices. Although this day has its roots in protecting personal data, specifically with attention to social networking, the Internet of Things (IoT) and interconnectivity of our lives has created a new world of vulnerabilities. Businesses…

White House Updates

When the White House issued its new action plan to prevent security breaches and attacks similar to that of the OPM fiasco, part of the plan was to acknowledge a number of cybersecurity gaps; some of which will ultimately impact security certifications such as FIPS 140-2, Common Criteria, and DoDIN APL: Nov. 13, 2015 All agencies must identify and report to…

Cryptography, FIPS 140-2, and Lab Changes – What You Need to Know

Corsec brings highlights from recent events – offering insight into the future of Cryptographic Validations, Lab Reviews, and a potential new Inter-Agency Agreement. Cryptographic Validations, Quo Vadis? and apropos of FIPS 140-2 Cryptographic validations currently do not have an international acceptance, but the future for cryptographic validations looks promising in terms of mutual recognition. The public…

Sunsetting of FIPS 140-2 Products

Over 1,500 FIPS 140-2 validated products will be facing archival by CMVP by 2017. Recently, CMVP, the governing body which oversees FIPS 140-2 validations, laid out guidelines and new regulations for validations in two distinct areas: Sunsetting of products validated prior to 2012 If your validation took place prior to January 1st 2012, then CMVP could…

The Next Step in FIPS 140-2 and Cryptography

Changes in Security Certifications: With the extension of the FED budget, companies have begun to plan and develop their 2016 FED sales objectives with an eye on the expanding $70B total addressable market. These companies are looking for ways to stay abreast of all changes affecting spending at the national level, as well as initiatives…

Changes in Common Criteria and Product Advocacy

As companies look to their 2016 sales objectives, the allure of the FED and its $70 billion budget, as well as emerging markets for healthcare, finance, critical infrastructure and the Internet of Things (IoT) is insatiably appealing. As we have all seen, U.S. and international governments as well as the aforementioned industries have stronger restrictions…

Corsec Helps EMC Certify Two More Products Under Common Criteria

Congratulations to our partner EMC, on achieving the Common Criteria Certification for VNXe OE v3.1.1 with Unisphere and VNXe3200 hardware as well as VMAX Series Appliances with HYPERMAX OS 5977. These products were tested and validated under the Canadian Scheme, which underscores EMC’s commitment to helping federal organizations and global enterprises secure products around the world. Corsec…

Corsec helps Varonis reach “In Evaluation” Phase for Common Criteria Certification EAL-2

Congratulations Varonis Systems, Inc. (Nasdaq:VRNS), for reaching the Common Criteria “In Evaluation” phase on the Data Governance Suite. The certification process underscores Varonis’ commitment to helping federal organizations and global enterprises secure privileged accounts. Corsec is pleased and…

Corsec on the Road – Gartner Security & Risk Management Summit 2015

Ian Wisecarver and Jason Kozak head to Gartner Security & Risk Management Summit 2015. Corsec’s Ian Wisecarver and Jason Kozak will be joining the IT security discussion in our Nation’s Capital next week, as they meet with IT product vendors and industry leaders at the Gartner Security & Risk Management Summit 2015 in

IT Security Certifications at InfoSec 2015

Will you be at InfoSecurity 2015 this year? InfoSecurity 2015, is Europe’s largest free information security event, focused on relevant IT security issues including pressing issues like practical ways to protect information assets, recovering and securing data, and innovative strategies to discuss information security risks. Ian Wisecarver from Corsec will…

RMF: Is It Replacing the DoDIN APL and other Security Certifications?

As companies tap into the growing addressable markets for Commercial and FED, they are confronted with a litany of standards, acronyms and security validations they must overcome in order to stay relevant. The list is daunting, and making sense of this has been our singular focus for the past 18 years. In that time, we…

Corsec Announces Fall 2014 Global Speaking Tour

Industry Experts Selected to Deliver Critical Guidance and Insights at Leading IT Security Conferences Fairfax, VA, September 8, 2014 – Corsec, the world’s leader in providing access to new markets via third-party security validations, recently announced the lineup for its Fall 2014 Global Speaking Tour. Corsec experts will be presenting at key industry conferences on topics…

NIST Successfully Slashes FIPS 140-2 Validation Wait Time Down to Record Lows

Fairfax, VA, May 14, 2011 – Corsec Security, Inc., the leader in FIPS 140-2 and Common Criteria documentation, project management and consulting services, today announced that NIST’s Cryptographic Module Validation Program (CMVP) queue is down to a record low. This accomplishment marks a major success for the FIPS 140-2 program due to the hard work…

Corsec Completes 200th FIPS 140 & Common Criteria Certification for IT Security Vendors

Corsec Security, Inc., the leading provider of FIPS 140-2 and Common Criteria documentation and consulting services, today announced the completion of the 200th certificate they have achieved for IT Security vendors across the globe. Fairfax, VA, July 22, 2010 – Corsec Security, Inc., the leading provider of FIPS 140-2 and Common Criteria documentation and consulting…

Corsec Launches Global Expansion of The Department of Defense’s Information Network Approved Products List (DoDIN APL) Validation Services

Company Provides Path Towards Successful DoDIN APL Inclusion, Opening United States Department of Defense Market for IT Products Fairfax, VA, February 18, 2014 – Corsec, the world’s leader in providing access to new markets via third party security validations, today announced the global expansion of its DoD’s Information Network Approved Products List (DoDIN APL) certification…

Heartbleed & Your Security Certification

Much has been in the news over the past couple of months about the security vulnerability known as Heartbleed. It is of vital interest to businesses and consumers, but especially so for businesses with products intended to provide security for their users. There are some specific and unique impacts to companies who are planning or are in the midst…

Why a DoDIN APL Means More Than Just DoD Revenue

What is the DoD’s Information Network Approved Products List (DoDIN APL) and why is it important to you? You’ve probably heard that it has to do with the Department of Defense — absolutely true and certainly very important. But there are other reasons that you should be concerned about getting your product onto the DoDIN…

Common Criteria Certification: What Is It?

Do you need to open the door to sell your IT security product to the U.S. government? That seems like it should be a process that is simple to work through, but think again. Any IT security product that will be used by the U.S. government for national security systems, either to handle classified and even some non-classified…

Maximize ROI: Market Your Certification

Taking the time, effort and resources to achieve FIPS or Common Criteria certification or UC APL listing is a big deal. It’s not an insignificant investment, and when it’s finally completed, you want to see a significant return, right? The most obvious solution is just to sell more product. And while this may seem both simple and obvious, we all know…

Entropy Testing: Tips for Meeting Requirements

In the second post of our two-part series, we continue our discussion with panelists from Computer Sciences Corporation: Lachlan Turner, Jason Cunningham, and Maureen Barry. Continuing where we left off with last week’s post, we’ll dive deeper into entropy and answer some of the many questions now arising…

Entropy for FIPS and Common Criteria: What Is It?

In the world of cryptography, data is only safe as long as the keys used to protect that data are kept secure. While, on one hand, this means that keys must be protected against unauthorized access, it also means that keys must be created in a way that makes them difficult for an attacker to guess. To produce cryptographically strong…

A Look Back: 2013 for FIPS, Common Criteria and DoDIN APL

The end of the year is a great time to look back at important milestones and use what we’ve learned to plan for the upcoming year. This year, clearing the air where myths and misconceptions were concerned was a theme that we saw come up repeatedly at Corsec, and laying the groundwork for smooth process…

Dispelling FIPS Certification Myths

There are plenty of myths out there about FIPS and what it really takes to achieve validation. During our most recent webinar, “Top 10 Myths about FIPS,” we dispelled some of those myths and gave insight into what it really means to be FIPS validated and how your company can navigate the complicated validation process. Because of the level of detail, time, and cost involved, there…

The First Five Steps in Your FIPS 140-2 Validation

Trying to decide whether to perform a FIPS 140-2 validation on your product? It can actually be a pretty black and white decision. If you want to sell any product containing cryptography to any U.S. government agency or department, then the answer is clear cut: you need a FIPS validation. FIPS 140-2 validation is required for products that contain…

Understanding Common Criteria Technical Working Groups

I recently had a conversation with a product vendor who was new to the Common Criteria community and it was refreshing to talk about and look at the Common Criteria “machine” from an outside perspective. One of the interesting parts of that machine is the Common Criteria User Forum (CCUF). It provides a voice and communications…

The Last Details on ICMC 2013 and What to Look for Next Year

Is it too late to talk about the International Cryptographic Modules Conference (ICMC)? Well, it really depends on how you look at it. If you were looking for a timely recap of the conference, then yes, I guess it is. But if you missed any of the details, this might be your last chance to catch up. And planning has just begun for next year’s conference…

Technical Communities: Creating Common Criteria Protection Profiles

Who is Defining the Criteria That Your Products Will Need to be Evaluated Against? I have been involved in the Common Criteria (CC) community since the first International Common Criteria Conference (ICCC) in 2000. While I spend a lot of my time down in the weeds of Common Criteria issues, it’s refreshing to look at the Common…

U.S. Government Shutdown Impacts FIPS Validations

As you know, the U.S. federal government officially shut down many of its operations. This shutdown directly affects NIST and, as a result, impacts its FIPS validation activities. We are sending you this e-mail to let you know what resources Corsec has available and how this situation will impact your validation efforts.

Updates from ICCC Include CCRA Revisions

Some of us from Corsec recently attended the 14th International Common Criteria Conference (ICCC) in Orlando, Florida, and we came away feeling that the Common Criteria (CC) community is finally coming together in many positive ways. After several years of difficult transition into defining the new CC paradigm of collaborative Protection Profiles (cPPs) and international Technical Communities (iTCs),…

Updates from the Joint CCDB/CCUF Workshop

It’s always great to get together with others from our industry to discuss advances and collaborate on moving processes forward for Common Criteria. Last month, several of us had the opportunity to work with colleagues from around the world at two separate events in Orlando, Florida. A group of us spent the first two weeks of September in Orlando, as Corsec sent multiple…

Planning Leads to Smooth Sailing in DoDIN APL Listing: Webinar Recap

Getting your product listed on the DoD UC APL can seem like a Herculean task. We’ve talked before about the ins and outs of the entire listing process, but anyone who has considered any type of IT security validation knows that making the process as efficient as possible is as key as paying attention to the details. Last week, Corsec Co-Founder…

Common Criteria Schemes: Tips for Making the Right Choice

So many decisions, so little time. You’ve heard—and likely experienced—this mantra. And if you read this blog regularly, you’ve probably picked up on the fact that security validations involve making a whole host of decisions. When pursuing Common Criteria certification, one often perplexing, yet critical decision I hear people lament…

New FIPS 140-2 IG Update Released: What You Need to Know

In our recent post we talked about the recent changes to Common Criteria, FIPS, and UC APL, and the importance of putting these changes in context for your business. Today we have another change to tell you about. On July 25, CMVP issued an update to the FIPS 140-2 Implementation Guidance (IG). No matter where your module is in the…

Hot Topics for ISO/IEC JTC 1/SC 27’s WG 3: Q & A with Miguel Bañón

Last week, I shared a conversation I had with Miguel Bañón, Convenor of ISO/IEC JTC 1/SC 27’s WG 3 (work group 3), that offered an overview of the current work of the WG 3, as well as some great insight into planned changes in the areas of evaluation, testing and specification for the IT security industry. Today, we’ll…

Q&A with Miguel Bañón: A Look at ISO/IEC JTC 1/SC 27’s WG 3

At Corsec, we have the opportunity to work with many industry insiders, partners, and labs as we help our clients through the security validation process. This provides us with a unique perspective when looking at the changes occurring within the IT security space. One group of particular interest right now is the ISO/IEC JTC 1/SC 27’s WG 3…

But the Rules are Changing!

According to the ancient Greek philosopher Heraclitus, “There is nothing permanent except change.” As anyone following security certifications lately can tell you, there is a lot of truth in this statement. We have entered another period of profound change in security certifications. Putting these changes in the proper context is essential if you wish to…

The FIPS Standard: Do I Revalidate?

In our recent blog post, we talked about the cost and timing you can expect if you pursue FIPS 140-2 revalidation for your product or system. We also touched on five change scenarios that necessitate revalidation. These scenarios were created by the Cryptographic Module Validation Program (CMVP), the NIST program that validates modules against the FIPS standard, which covers…

Why You Need Common Criteria Certification and How to Get There

In the IT security industry, research and development teams continually race to introduce new products, while at the same time, project teams improve upon existing offerings—all scrambling to ensure that the latest versions meet security functional and assurance requirements. The goal is to bring the strongest and most secure…

Webinar Recap: Should You Revalidate or Recertify?

If you have been through the certification or validation process for your security product, I don’t need to tell you that it’s a substantial investment in time, resources and cost. Or that it’s worth that investment when you consider the benefits you’ll realize from your ability to sell into the lucrative government market. We discussed…

Budgeting for Common Criteria: Avoid Cost Creep

Budgeting for a Common Criteria Certification can be difficult, but it’s not impossible. Understanding how to create your certification budget, and taking the necessary steps to follow through with that budget, can reduce your costs and simplify the certification process. We are frequently asked, “How much does certification cost…

You Have Your Validation, Now Use It To Sell

Where is the most money lost in a validation? I know this is a question my customers ask themselves while making a decision on how to achieve validation. A) Is it the consultant? B) Is it in the testing laboratory? C) Is it the scope of the process? I’ll let you in on an insider secret—the correct answer is “none of the above.” You won’t lose big in validations, or in any direct expense…

Starting a Validation—Don’t Make All of Your Decisions up Front

A security validation is a substantial process—getting it started can be daunting. But you don’t need to decide everything up front—in fact, you shouldn’t. There are definitely some important considerations to work through, but there are some decisions you should put off until you are well into the process. If you have been tasked with…

Is There Value in Maintaining Your Security Validation?

Once you have spent the time and money to pursue a security validation, you’re all done, right? Well, not exactly. However, the good news is that it isn’t hard or expensive to maintain your validation. For most security validations, the validation applies to a specific version of hardware and software. At the beginning…

What You Need to Know about FIPS 140-2, OpenSSL, and the new IG Requirement

You may have heard about the new interpretation of the mandatory requirement in Section 9.5 of the Implementation Guidance (IG) document, a key component of FIPS 140-2 documentation issued by the Cryptographic Module Validation Program (CMVP). This interpretation is causing conflicts with the architecture of the OpenSSL…

FIPS 140-2 Validated: Top 10 Myths

If you’re thinking about pursuing FIPS 140-2 validation for your system or component, you know the benefits that validation provides. But along with the considerable perks you’ve heard about, there is lots of erroneous information floating around. Unless you do your homework, you may fall into a minefield or two that could result in major setbacks in time and cost.

Which FIPS Validation Is Right? 140-2 or 140-3?

This is a very frequently asked question, and we have been fielding questions from clients on how to deal with FIPS 140-3 for years now. But, for years the advice has uniformly been: “Don’t worry about FIPS 140-3; you only need to deal with FIPS 140-2 right now.” But that’s a very unsatisfying answer, especially when there have been folks actively proclaiming “Woe betide ye

Webinar: Moving Through DoDIN APL Testing Efficiently

If you’ve heard of DoDIN APL, you probably have a list of questions. DoDIN APL (which stands for the Department of Defense Information Network Approved Products List) is a directory of IT security products that have completed both Information Assurance (IA) and Interoperability (IO) testing and certification. Attaining inclusion in the APL can be an…