As more and more procurement requirements necessitate the use of FIPS validated cryptography, a popular strategy for meeting those requirements is to leverage an already existing validated cryptographic provider (and get all of the “FIPS-goodness” that comes with using validated modules). This strategy is particularly popular with large product vendors who have multiple product lines for which the level of effort to do a full validation for each product would be prohibitive. There are many benefits to this approach,

  • Time to market of a certified solution (weeks vs months/year)
  • Cost (order of magnitude less)
  • Level of Effort (changing libraries vs multiple bugs + coordinating with labs/gov’t)
  • Maintenance (small crypto boundary means fewer re-certs)
  • Scalability (reduces overall burden on engineering teams)

And the best part is that it is explicitly allowed by the CMVP. In fact, FIPS 140-2 Implementation Guidance G.5 discusses the specifics of porting/using an already validated module within a product. The one condition that always applies is that the embedded module must be used as its Security Policy describes (installed and initialized as documented, operated in its Approved mode, and running on a validated operational environment or one ported under G.5); otherwise the product is not using validated cryptography at all. With that being said, why wouldn’t all companies go and pick up the latest version of their favorite 3rd party module and call it a day? There are some potential drawbacks to using an embedded module (meaning it’s not right for everyone), for example,

  • Coverage (the module that actually runs on the product’s platform may simply not provide some functionality the product needs)
  • Relevance (some modules are not updated regularly and may only support deprecated versions of algorithms)
  • Maintenance (since the code doesn’t necessarily belong to the product team, bug fixes may be slow)
  • Marketing (since it’s not the vendor’s product, their name doesn’t go on the list)

As can be seen from the above, developing a FIPS validation strategy for a company’s product(s) takes more consideration than just identifying where product gaps are and coding. If you’re interested in more info about the pros and cons of using an embedded FIPS-module, check out the slides I presented at ICMC this year or drop me an email or call me. I (seriously) like to talk, so, you’ll be doing me a favor 🙂

PS: Follow us on Twitter and like us on Facebook, we’ll keep you up-to-date on the ever changing world of government certifications.