Welcome to the Acumen Security Blog

FIPS validated, but does it support Suite B?

Did you know that you could get your product FIPS 140 validated but NOT support Suite-B? Did you know that, while your product may support Suite-B, not every implemented service may actually have the required support? Have you ever run into this scenario?

Potential Customer: "Do you support Suite-B?"
You: "We just got FIPS validated!" (quickly pulling up your FIPS certificate number)
Potential Customer: "That's great and required, but that's not what I needed to know."
You: "Oh, I'll have to get back to you." (quickly texting your colleague about support)

This scenario could have been avoided if, as you prepared for your product's government certifications, you had included Suite-B planning in the process. In addition to responding to a direct customer request, there are other reasons to consider planning Suite-B support during your next product certification cycle, for example:

  • Policies such as CNSSP-15 require IA and IA-enabled IT products to adhere to Suite-B
  • Flexibility when talking with customers (e.g., you don't have to say "we don't support it")
  • It is the strongest, most effective, and most efficient standards-based commercial cryptography available

So, how do you get started? Do you know what makes a product Suite-B compliant? Or, what kind of information you can protect using Suite-B cryptography?

Acumen Security has put together an introduction to Suite-B cryptography. Not only will you gain a high-level understanding of Suite-B, what you can use it to protect, and how it applies to commonly certified protocols such as SSH, TLS, and IKE/IPsec, but the paper also provides some recommendations for how to incorporate Suite-B into your next round of government certifications. Check the paper out here and tell us what you think!

Finally, if you have any questions about Suite-B and how it relates to government certifications (or any other certification related questions), give us a call or drop us an email. We are passionate about certifications and helping you make the choices that are right for both you and your customers.

Also, follow us on Twitter and like us on Facebook; we'll keep you up to date on the ever-changing world of government certifications.

New Draft of FIPS 140-4 Posted!

Yesterday, the CMVP posted a new draft of FIPS 140-4. While expected at some point this year, the timing of the posting came as a bit of a surprise (I personally believed that it would be released closer to ICMC). The content was a bit surprising, as well. Rather than provide the requirements for FIPS 140-4, the document simply provided a pointer to ISO/IEC 19790:2012 without modification.

Additionally, there is a note providing this warning:

“Vendors are strongly advised not to design to requirements in the draft FIPS 140-4 if they conflict with the requirements of FIPS 140-2 until such time an announcement and transition is published by NIST.”

This warning is apt. However, given the lead times to get a certifiable module ready, Acumen believes it would be a good idea to implement at least those requirements of ISO 19790 that are not in conflict with FIPS 140-2. This will ensure the "hump" to become compliant with FIPS 140-4 is easier to navigate when the standard comes out of draft.

Fortunately, Acumen Security has performed an analysis comparing the current FIPS 140-2 with ISO/IEC 19790:2012. Our white paper can be found here. It's a good guide to the salient points of ISO 19790 and identifies requirements that are not in conflict with FIPS 140-2. We would also like to point you to our blog on this topic: https://blog.acumensecurity.net/getting-ready-for-an-iso-19790-based-fips-140-next/

This is an exciting time to be in the government certification world. There are a ton of changes happening not just with FIPS 140 but also with Common Criteria. If you have any questions, not only about FIPS 140 but also about other government certifications, give us a call or drop us an email. We are passionate about certifications and about helping you make the choices that are right for both you and your customers.

Update 7/8/2014: It appears the draft of FIPS 140-4 and the related post have been removed from the CMVP website. We'll let you know as we hear more.