FIPS 140-2 and You

Many companies are realizing the value of FIPS certification, and the new 104-3 standard due out by year's end should raise the profile even higher. Vendors and NIST say there are indications that even the general public is realizing the value in FIPS 140-2. And, even though FIPS 140-2 is a requirement for only sensitive unclassified documents (the encryption standards for classified documents are themselves classified) maintained by the federal government or contractors, its influence extends beyond the United States and Canada, judging by the fact that there are testing laboratories outside of North America.

"It's hard to be critical of a program that makes you [as a company] better, the industry better, and the consumer better off," says Scott Palmquist, senior vice president of product management for CipherOptics, a security overlay provider.

That sentiment is echoed by other vendors, despite the fact that the testing process may well result in higher manufacturing costs as the product is brought up to conformance. There's no way around it: The compliance-testing process for FIPS can be pokey; if a company plans to make FIPS part of its buying criteria, some products that would otherwise be desirable won't make it onto a shortlist because of the amount of time they'd need to gain FIPS certification. And, a product that currently complies with FIPS can still be misconfigured, so FIPS approval alone does not assure that your enterprise absolute adheres to the guidelines.

Still, most vendors agree that the testing process results in more secure products.

"[PGP] considers FIPS 140-2 a reasonable and effective baseline to assess quality of encryption implementations," says Stephan Somogyi, director of products at security software maker PGP. "Unlike many standards that originate in North America and only are considered relevant here, we see demand for FIPS 140-2 validation from customers worldwide." What makes FIPS 140-2 so attractive? Largely the fact that it is periodically revisited to stay abreast of security and technology developments. For example, on May 19, standard DES encryption was finally removed from the FIPS 140-2 documentation as an acceptable encryption method. While DES has long been known as a weak algorithm, the long phase-out period allowed for existing conformant technologies and products to switch to AES or Triple-DES encryption so that federal customers weren't left in the lurch.If there's a weakness to FIPS 140-2, it's in its timing. While CMVP's goal is a six-to-nine week evaluation period from the time a lab finishes testing before certification, Mark Knight, product manager for nCipher, pointed out that while the current wait is about six months, it's been as long as nine months. If anyone would know, it's nCipher—it has received 73 FIPS 140 validation certificates.

Besides timing, another issue to be aware of when comparing different FIPS 140-2-rated products is that they're not all created equal. Besides the various levels of compliance, devices usually can be configured in many different ways. A FIPS 140-2-compliant device might be operated in a non-compliant mode. Fortunately, each validation certificate includes detailed security policy information on how each device should be appropriately used. If you're looking to buy encryption products and know they're effective, don't just look for the label—make sure you're following the directions too.