Dispelling FIPS Certification Myths

There are plenty of myths out there about FIPS 140-2 and what it really takes to achieve validation. During our most recent webinar, “Top 10 Myths about FIPS,” we dispelled some of those myths and gave insight into what it really means to be FIPS 140-2 validated and how your company can navigate the complicated validation process. Because of the level of detail, time, and cost involved, there is a lot of confusion over what is really required to validate your product to the FIPS certification.

As a quick recap of the topics covered in our webinar, we outline the top myths commonly associated with the FIPS certification. To learn more about them, visit our webinars page and watch the full webinar.

FIPS Certification Myths

Myth #1: Meeting FIPS certification requirements is just about filling in a checkbox.

Myth #2: If you know the “right” people, you can circumvent the CMVP queue.

Myth #3: Attaining FIPS certification validation does not provide any real competitive advantage in either the government or commercial marketplace.

Myth #4: If you have a Common Criteria certification, then you don’t need FIPS certification.

Myth #5: A vendor should begin developing towards FIPS 140-3 now.

Myth #6: Because FIPS certification is not an international standard, it has no applicability in other countries.

Myth #7: Any change to my module at all means I have to go through the entire validation process again.

Myth #8: The CMVP turns a deaf ear to the concerns of the vendor.

Myth #9: If I’m using OpenSSL to provide my crypto, then I’m all set for a FIPS certification.

Myth #10: My product is developed outside the U.S., so it doesn’t qualify for a FIPS certification.

During the webinar, a question regarding the basic relationship between FIPS certification, DoDIN APL and the test requirements for both was asked. We ran out of time during the live webinar, but wanted to make sure we answered every question.

JITC is an Army test center and performs testing for several programs, most notably IA and IO testing as part of UC APL listing. Thus, JITC is one Test Center of Excellence that can perform this type of testing on a vendor’s product as they seek UC APL listing. FIPS 140-2 can be a requirement for DoDIN APL listing depending on either the UCR requirements for that product type, or the UCCO and Testing Center of Excellence’s chosen test plan and IA requirements. Corsec often works with customers and the UCCO to clarify FIPS 140-2 validation requirements for DoDIN APL listing for particular requirements.

Putting your product through the FIPS certification validation process can be a game changer for your company and its revenue plan. Being able to separate fact from fiction when it comes to FIPS certification can help eliminate some of the mystery that might be holding you back from pursuing your validation. With more than 300 completed certifications, Corsec can help demystify the process and guide you towards validation.

Contact us to get started.

Find out how Corsec can help you address not only your FIPS certification needs, but also your Common Criteria certification and DoDIN APL listing goals.