Validation is an interesting concept: it requires a set of agreed-upon benchmarks to accomplish. For a validation to carry any weight, the benchmarks will typically be rigorous, costing time and energy to accomplish. In education, if someone wants to earn a degree from a particular school, they will be required to apply, enroll, and complete an agreed-upon curriculum before they earn their validation, in the form of a diploma.
The same principles hold true for security validations in IT. Let’s take a look at the FIPS 140-2 Standard, as popularly defined:
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules…. for use by the U.S. government and other regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.
Like the educational process, FIPS validation requires the proper credentials, submission to the NIST accredited NVLAP lab, and completion of the testing process before the equipment will be stamped with the title, “FIPS 140-2 Validation”. The output of this process is a certification number that the supplier can readily share with the client. The data is specific, empirical, and public.
Validation processes are important and are created to differentiate; they produce black-and-white results. A product either has been validated or it has not. As a buyer, if you are adopting a product touting a specific standard, ask for the proof. Validation is a big deal; make sure that the name on the certificate matches the name of the product you are looking to buy. Companies will employ a lot of wordplay to make a product appear FIPS 140-2 validated.
Remember, just because you went to the bookstore and bought the sweatshirt, doesn’t mean you graduated from the school…
About Communication Devices, Inc.
Several Communication Devices products have been validated by a NIST-accredited NVLAP lab to be in compliance with either FIPS 140-1 or FIPS 140-2. The process requires significant investment in time and resources to ensure the products are designed and built to the proper standards. Note that FISMA requires the product itself to be submitted to NIST and will not accept a third-party “module” solution.
If your business, department, or division requires FIPS 140-2 for Out-of-Band Management to connect to remote sites over dial-up, CDI holds the only FIPS 140-2 Validated product, period. www.commdevices.com