Ray Potter, Chief Executive Officer, SafeLogic
Have you ever gazed up at the stars and asked yourself, “Why isn’t there a universal benchmark for testing and validating cryptographic modules?”
Ok, maybe that’s not a common topic to ponder when you’re having one of those existential moments. But if you have, I’ve got good news– there are indeed awesome certifications for crypto, so you can at least answer that question in life. I’ll explain everything you need to know – the basics, the validation process, and most importantly, why you should love them, regardless of your role.
“NIST administers the Cryptographic Module Validation Program (CMVP), providing validation for encryption modules that meet the FIPS 140-2 standard.”
There are two major benchmarks: FIPS 140 and ISO/IEC 19790. The former, Federal Information Processing Standard (FIPS) Publication 140, waspublished by the U.S. government’s National Institute of Standards and Technology (NIST) in 1994. When revised in 2001, the standard became known as FIPS 140-2. In addition, the International Organization for Standardization (ISO) published the 19790 standard for cryptography in 2006 and updated it in 2012. ISO/IEC 19790has supporters, especially in Asia, but FIPS 140-2 is the key standard that you need to know due to the worldwide influence of the U.S. federal government. (Note: the two standards may soon converge. FIPS 140-3 is long overdue and rumors have been swirling that NIST will adopt the ISO standard, unifying the requirements and eliminating discrepancies.)
NIST (in partnership with their Canadian counterpart) administers the Cryptographic Module Validation Program (CMVP), providing validation for encryption modules that meet the FIPS 140-2 standard. This validation provides the proof U.S. federal agencies need for approved use and procurement. Without the certification, the government cannot deploy the technology, whether it is in the Department of Defense or the Department of Agriculture.
Outside of the government, FIPS validation has gained momentum as well. The healthcare industry has begun to see enforcement of the requirement for NIST certified encryption (in order to qualify for Safe Harbor in the event of a data breach.) The financial sector has begun to rely upon it, as well as utility companies, but consumer and enterprise products have lagged behind.
FIPS 140 validated encryption modules are subjected to a rigorous battery of functional tests by an accredited laboratory, along with a stringent documentation review. NIST’s CMVP staff then reviews the paperwork and approves it for validation when appropriate. Traditionally, it can be a lengthy process, although new advances have streamlined it significantly.
As a vendor, you should love the standard because it is a differentiator. The validation separates legitimate, high-quality solutions from the vaporware of competitors. As a consumer, you should love the standard because it provides peace of mind. It displays an investment of time, effort, and resources on the part of the provider. The FIPS 140-2 certificate, when displayed by your SaaS provider, proves that the vendor took the initiative to meet the standard. They went under review, proved their compliance, and are delivering to their customers the same quality of encryption used by the U.S. government. Consumers shouldn’t have to accept anything less. When NIST certifies the encryption inside a solution, all stakeholders benefit.