FIPS 140, CSfC, Common Criteria, UC APL

A Look Back: 2013 for FIPS, Common Criteria and DoDIN APL

The end of the year is a great time to look back at important milestones and use what we’ve learned to plan for the upcoming year. This year, clearing the air where myths and misconceptions were concerned was a theme that we saw come up repeatedly at Corsec, and laying the groundwork for smooth process…

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

Dispelling FIPS Certification Myths

There are plenty of myths out there about FIPS and what it really takes to achieve validation. During our most recent webinar, “Top 10 Myths about FIPS,” we dispelled some of those myths and gave insight into what it really means to be FIPS validated and how your company can navigate the complicated validation process because of the level of detail, time, and cost involved, there…

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

Decisions In A FIPS 140-2 Validation

Trying to decide whether to perform a FIPS 140-2 validation on your product? It can actually be a pretty black and white decision. If you want to sell any product containing cryptography to any U.S. government agency or department, then the answer is clear cut: you need a FIPS validation. FIPS 140-2 validation is required for products that contain…

CC-Certification-Common-Criteria-Certification

Technical Communities: Creating Common Criteria Protection Profiles

Who is Defining the Criteria That Your Products Will Need to be Evaluated Against? I have been involved in the Common Criteria (CC) community since the first International Common Criteria Conference (ICCC) in 2000. While I spend a lot of my time down in the weeds of Common Criteria issues, it’s refreshing to look at the Common…

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

FIPS Certification Process

I have recently read several online articles questioning what it means for a cryptographic module to be FIPS 140-2 validated. While the FIPS 140-2 validation process is very complicated and replete with regulations, some of the information presented in the articles themselves and the comments made by…

RMF and the DoD's UC APL

Planning Leads to Smooth Sailing in DoDIN APL Listing: Webinar Recap

Getting your product listed on the DoD UC APL can seem like a Herculean task. We’ve talked before about the ins and outs of the entire listing process, but anyone who has considered any type of IT security validation knows that making the process as efficient as possible is as key as paying attention to the details. Last week, Corsec Co-Founder…

Corsec-Common-Criteria

Common Criteria Schemes: Tips for Making the Right Choice

So many decisions, so little time. You’ve heard—and likely experienced—this mantra. And if you read this blog regularly, you’ve probably picked up on the fact that security validations involve making a whole host of decisions. When pursuing Common Criteria certification, one often perplexing, yet critical decision I hear people lament…

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

New FIPS 140-2 IG Update Released: What You Need to Know

In our recent post we talked about the recent changes to Common Criteria, FIPS, and UC APL, and the importance of putting these changes in context for your business. Today we have another change to tell you about. On July 25, CMVP issued an update to the FIPS 140-2 Implementation Guidance(IG). No matter where your module is in the…

FIPS 140, CSfC, Common Criteria, UC APL

Q&A with Miguel Bañón: A Look at ISO/IEC JTC 1/SC 27’s WG 3

At Corsec, we have the opportunity to work with many industry insiders, partners, and labs as we help our clients through the security validation process. This provides us with a unique perspective when looking at the changes occurring within the IT security space. One group of particular interest right now is the ISO/IEC JTC 1/SC 27’s WG 3…

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

The True Cost of FIPS 140-2 Validation

The benefits of getting FIPS 140-2 validation for your product shouldn’t be underestimated. Your FIPS 140-2 validation demonstrates your integrity and commitment to providing your customers with compliant security products and systems. But the validation process can be time consuming, complex and is an investment not to be taken lightly. So, while planning…

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

The FIPS Standard: Do I Revalidate?

In our recent blog post, we talked about the cost and timing you can expect if you pursue FIPS 140-2 revalidation for your product or system. We also touched on five change scenarios that necessitate revalidation. These scenarios were created by the Cryptographic Module Validation Program (CMVP), the same body that published the FIPS standard, which covers…

Corsec-Common-Criteria

Why You Need Common Criteria Certification and How to Get There

In the IT security industry, research and development teams continually race to introduce new products, while at the same time, project teams improve upon existing offerings—all scrambling to ensure that the latest versions meet security functional and assurance requirements. The goal is to bring the strongest and most secure…

Watch A Webinar by Corsec

Webinar Recap: Should You Revalidate or Recertify?

If you have been through the certification or validation process for your security product, I don’t need to tell you that it’s a substantial investment in time, resources and cost. Or that it’s worth that investment when you consider the benefits you’ll realize from your ability to sell into the lucrative government market. We discussed…

blank

Budgeting for Certifications: Avoid Cost Creep

Budgeting for a Common Criteria Certification can be difficult, but it’s not impossible. Understanding how to create your certification budget, and taking the necessary steps to follow through with that budget, can reduce your costs and simplify the certification process. We are frequently asked, “How much does certification cost…

Watch A Webinar by Corsec

Highlights from Corsec’s DoDIN APL Webinar: A Glimpse Into What You Missed

Corsec recently presented a webinar called, DoD UC APL Solutions: Dealing with UCCO, STIGS, JITC, the TIC, Army, and DoD Requirements. Judging from the large number of views and inquiries on this, the Department of Defense’s Unified Capabilities Approved Products List (DoD UC APL) is a very hot topic for many vendors, and…

FIPS 140, CSfC, Common Criteria, UC APL

15 Years Teaches You a Lot: 3 Key Points to Remember

At Corsec, we just celebrated our 15th year of business in the security validation consulting industry. As you might imagine, we spent some time reflecting on the changes we have seen in the industry, the customers we have had the pleasure to work with, and the successes and failures we have seen over the years.

There were a few specific things that kept coming up in these discussions—three factors we could identify that predicted success or failure in security validation projects.

Read more

FIPS 140, CSfC, Common Criteria, UC APL

Starting a Validation—Don’t Make All of Your Decisions up Front

A security validation is a substantial process—getting it started can be daunting. But you don’t need to decide everything up front—in fact, you shouldn’t. There are definitely some important considerations to work through, but there are some decisions you should put off until you are well into the process.

Read more

FIPS 140, CSfC, Common Criteria, UC APL

Is There Value in Maintaining Your Security Validation?

Once you have spent the time and money to pursue a security validation, you’re all done, right? Well, not exactly. However, the good news is that it isn’t hard or expensive to maintain your validation.

For most security validations, the validation applies to a specific version of hardware and software. At the beginning of your evaluation you must choose which versions of your product you are taking through the validation process. 

Read more

FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant

What You Need to Know about FIPS 140-2, OpenSSL, and the new IG Requirement

You may have heard about the new interpretation of the mandatory requirement in Section 9.5 of the Implementation Guidance (IG) document, a key component of FIPS 140-2 documentation issued by the Cryptographic Module Validation Program (CMVP). This interpretation is causing conflicts with the architecture of the OpenSSL validations and how OpenSSL’s validation applies to customers using their software.

Read more