Leveling Up Encryption for U.S. Federal Agencies

With programs like FedRAMP, Common Criteria, and inclusion on the DoD Approved Products List among the biggest requirements for Federal sales and all of them relying on NIST to certify encryption modules, we are working with a very delicate ecosystem predicated on the ability to deliver FIPS 140 validated cryptography.

Guest Editorial by Walter Paley, VP of Communications for SafeLogic

It’s 2020, and for folks working in the cryptography niche, that means it is time to address a convergence of complications.

I don’t want to say that things were simple for the last few years, but they were certainly more straightforward.

Our firm SafeLogic, for example, has been planning and revising our strategies for many months in preparation for the variety of hurdles and interdependencies that are currently befuddling vendors in the Public Sector.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

That’s our focus for this post – the FIPS 140 program and the pitfalls plaguing efforts to meet the standard.

Without further ado, here’s what you need to know:

FIPS 140 is the publication of NIST (the National Institute of Standards and Technology) that governs cryptographic modules – allowed algorithms, minimum key lengths, and other technological benchmarks – but also the methodology to test for conformance with an independently accredited lab and to receive a validation certificate from NIST’s Cryptographic Module Validation Program (CMVP), operated in conjunction with their Canadian counterpart.

The current standard is FIPS 140-2, the second iteration, and is specified for four levels of security, addressing various items such as software operation at Level 1 and tamper evident labels for hardware at Level 2.

Flowchart of the validation process for FIPS 140-2 (Courtesy of Wikipedia)

A traditional FIPS 140-2 validation for the Public Sector market often takes 12-18 months, extending long after many iterations of the product have been retired on the consumer or Private Sector side, especially in software.

NIST is kicking off testing for FIPS 140-3 standards, the long awaited third generation, in September 2020.

It will co-exist with FIPS 140-2 for one full calendar year before transitioning exclusively to testing for 140-3.

Existing 140-2 validations will continue to be active, although they will still be subject to the normal 5 year automatic sunset and to any other security concerns that may render a particular module unacceptable. (More on that scenario in a moment.)

FIPS 140-3 is drawing significant resources from the labs as well as CMVP itself as they ramp up training and preparations for testing.

The result is that the existing pipeline and protocols for testing against 140-2 have been slowed and the year ahead will likely see longer queue times than usual.

That waiting game will pale next to the difficulties engineers are experiencing in 2020 with OpenSSL, the world’s most widely used open source cryptographic architecture.

OpenSSL’s current version is 1.1.1, but it does not support FIPS mode operation, leaving vendors reliant on the older 1.0.2 architecture.

1.0.2 does include FIPS mode, but was designated for End of Life as of 12/31/2019 and no further support, security fixes, or patches will be released publicly by OpenSSL.

This created a diabolical Catch-22 for vendors who have already completed certifications like FedRAMP or Common Criteria with OpenSSL included.

If they replace the 1.0.2 stack, the certification is no longer valid. If they leave it in, it must be patched in the event of CVE announcement.

Many Federal agencies are rumored to be requiring evidence of support commitments to ensure continued operability.

Still feeling like things are manageable?

OpenSSL’s current FIPS 140-2 validations, which are only available with compatibility for the 1.0.2 architecture, will be moved to Historical status by NIST in September because of non-compliance with current Digital Signature Standards (FIPS 186-4).

It is the result of the long-overdue deprecation of the old FIPS 186-2 standard.

That means that even if you have patched the OpenSSL 1.0.2 upstream issues as needed, your compliance claim has only a few months left if it rests on OpenSSL’s own validation certificate, or on a validation of your own that was based on the same OpenSSL FIPS Object Module 2.0 that fits into the 1.0.2 architecture.

Many consultants borrowed heavily from or simply cloned those OpenSSL validations to save themselves effort at the client’s expense, so many vendors will be affected by this issue and many more compliance checkmarks will be lost as a result.

Federal procurement officers are specifically watching for these issues because they are so common, and this is one of those scenarios mentioned above that interrupt a validation’s 5-year expected lifespan.
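As an added illustration (it is not code from this editorial, from SafeLogic, or from the OpenSSL project), here is a small Python triage script that applies the rules described above to a constructed fleet inventory: it parses `openssl version` banners, classifies each build by the FIPS situation the post describes (1.0.2 is FIPS-capable but end-of-life, 1.1.x has no FIPS mode, 3.0 is not yet validated), flags certificates that rest on the OpenSSL FIPS Object Module 2.0 once the move to Historical status takes effect, and computes the normal 5-year sunset. The hostnames, certificate bases and validation dates are made up, and the exact day of the September 2020 Historical move is assumed to be the 1st, since the post gives only the month.

```python
import re
import ssl
from datetime import date

# Added example, not SafeLogic or OpenSSL code. Inventory entries below are constructed.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

OPENSSL_102_EOL = date(2019, 12, 31)       # stated in the post
FOM2_HISTORICAL_DATE = date(2020, 9, 1)    # post says "September"; the day is an assumption
SUNSET_YEARS = 5                           # normal CMVP sunset, stated in the post
FOM2 = "OpenSSL FIPS Object Module 2.0"


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.2u  20 Dec 2019'."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def classify_openssl(banner):
    """Map a build to the FIPS situation described in the post."""
    major, minor, patch, _ = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 2):
        return "fips-capable-but-eol"            # FIPS Object Module 2.0 fits here; EOL 12/31/2019
    if (major, minor) == (1, 1):
        return "no-fips-mode"                    # 1.1.1 ships without FIPS mode
    if major >= 3:
        return "fips-provider-not-yet-validated" # 3.0 still in development, no validation date
    return "unsupported-legacy"                  # 1.0.1 and earlier


def local_openssl_status():
    """Classify the OpenSSL this interpreter is linked against (LibreSSL etc. -> 'not-openssl')."""
    try:
        return classify_openssl(ssl.OPENSSL_VERSION)
    except ValueError:
        return "not-openssl"


def validation_sunset(validated_on):
    """Date a 140-2 certificate hits the automatic sunset, 5 years after validation."""
    try:
        return validated_on.replace(year=validated_on.year + SUNSET_YEARS)
    except ValueError:  # validated on 29 February
        return validated_on.replace(year=validated_on.year + SUNSET_YEARS, day=28)


def triage(inventory, today):
    """Return {host: [finding, ...]} for every host whose FIPS posture needs attention."""
    findings = {}
    for item in inventory:
        issues = []
        kind = classify_openssl(item["openssl"])
        if kind == "fips-capable-but-eol" and today > OPENSSL_102_EOL:
            issues.append("openssl-1.0.2-eol")           # needs a support commitment for patches
        elif kind == "no-fips-mode":
            issues.append("no-fips-mode")
        elif kind == "fips-provider-not-yet-validated":
            issues.append("fips-provider-unvalidated")
        if item.get("cert_basis") == FOM2 and today >= FOM2_HISTORICAL_DATE:
            issues.append("certificate-historical-fips-186-2")
        validated_on = item.get("validated_on")
        if validated_on and validation_sunset(validated_on) <= today:
            issues.append("certificate-sunset")
        if issues:
            findings[item["host"]] = issues
    return findings


# Constructed inventory: hostnames, certificate bases and dates are invented for the example.
SAMPLE_INVENTORY = [
    {"host": "gw-01", "openssl": "OpenSSL 1.0.2u  20 Dec 2019",
     "cert_basis": FOM2, "validated_on": date(2017, 3, 15)},
    {"host": "api-02", "openssl": "OpenSSL 1.1.1g  21 Apr 2020"},
    {"host": "vault-03", "openssl": "OpenSSL 1.0.2u  20 Dec 2019",
     "cert_basis": "vendor module (placeholder)", "validated_on": date(2014, 6, 1)},
]

if __name__ == "__main__":
    print("local build:", local_openssl_status())
    for host, issues in triage(SAMPLE_INVENTORY, date.today()).items():
        print(host, "->", ", ".join(issues))
```

Running it against a real inventory means exporting the `openssl version` banner from each host plus the certificate each compliance claim points at; the point of the second check is that a certificate can become useless before its 5-year sunset, which is the "interrupted lifespan" scenario the post describes.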

So you’ve survived this long, how about some good news? Well, maybe mixed news.

OpenSSL’s next generation 3.0 architecture (the long-promised replacement with FIPS capabilities) is in development! But it has been delayed. Several times.

It’s currently projected for final release in Q4 2020; however, the delivery date for FIPS validation is unknown and could be well into 2021, even without any more setbacks.

The expectations are high and the OpenSSL team won’t release it until it’s battle-tested and ready.

Note that there has also been no announcement of FIPS 140-3 support, only for the current 140-2 standard.

Many customers rightfully ask why we are excited about this new version of OpenSSL, when we win so much business helping vendors prop up the old stuff.

It’s because it will truly be a significant step forward and a rising tide lifts all ships.

A stronger, more capable, modernized open source stalwart will help every vendor, not just those seeking FIPS 140-2 (or soon, FIPS 140-3) validation.

We’ll be ready to help with the certification, and it sure makes it easier when folks are starting from the same place.

(See why SafeLogic is selected by some of the largest and most innovative technology companies in the world to simplify and accelerate the FIPS 140-2 validation process. Courtesy SafeLogic and YouTube.)

Lots of start-ups begin with open source and upgrade later, and this will be the new default choice for many.

Our team knows it inside and out and is focused on building compatible validated crypto modules purpose-built to meet U.S. Federal requirements.

With all of these issues converging this year, it’s a real challenge, so it makes even more sense for vendors to partner with a specialist instead of trying to tackle it in-house.

Why re-invent the wheel, especially when this particular wheel has rapidly changing design requirements?

Walter Paley, SafeLogic Director of Marketing

About the Author:

Walter Paley serves as the VP of Communications for SafeLogic, responsible for the strategy, outreach, and evangelism of FIPS 140 validated encryption and related solutions.

He has worked with a series of startups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others.

An alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife and kids and enjoys baseball and kayaking.

SafeLogic Takes Platinum in 2019 ‘ASTORS’ Homeland Security Awards Program

2019 ‘ASTORS’ Awards Program Banquet Luncheon

SafeLogic

  • Best Encryption Solution

  • CryptoComply

  • SafeLogic’s CryptoComply is a family of standards-based “Drop-in Compliance” cryptographic engines designed for use in servers, workstations, Cloud, appliances, and mobile devices.

  • CryptoComply can provide instant FIPS 140-2 compliance with easy replacement for OpenSSL, Bouncy Castle, BoringSSL, NSS, and Libgcrypt whether it is a mobile app, device, appliance, software or Cloud solution.

  • SafeLogic was recognized with a Win in the 2018 ‘ASTORS’ Homeland Security Awards Program.

AST focuses on Homeland Security and Public Safety Breaking News, the Newest Initiatives and Hottest Technologies in Physical & IT Security, essential to meeting today’s growing security challenges.

The 2020 ‘ASTORS’ Homeland Security Awards Program, is organized to recognize the most distinguished vendors of Physical, IT, Port Security, Law Enforcement, Border Security, First Responders, (Fire, EMT, Military, Support Services Vets, SBA, Medical Tech) as well as the Federal, State, County and Municipal Government Agencies – to acknowledge their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’

As an ‘ASTORS’ competitor, Data Theorem will be competing against the industry’s leading providers of Innovative Application Security Solutions.

Enter today to Compete in the 2020 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.


The Annual ‘ASTORS’ Awards Program is specifically designed to honor distinguished government and vendor solutions that deliver enhanced value, benefit and intelligence to end users in a variety of government, homeland security and public safety vertical markets.

Deanne Criswell
Deanne Criswell the Commissioner of the New York City Emergency Management Department is responsible for oversight of the City’s efforts to plan and prepare for emergencies, educate the public about preparedness, coordinate emergency response and recovery, and disseminate emergency information.

The Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program highlighting the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure our readers have the information they need to stay ahead of the competition, and keep our Nation safe – one facility, street, and city at a time.

American Security Today is pleased to announce that Deanne Criswell, the NYC Emergency Management Commissioner, will deliver the keynote address at the 2020 ‘ASTORS’ Awards Presentation Luncheon Banquet in New York City.

Early Bird Nominations are now being accepted for the 2020 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.

Comprehensive List of Categories Include:

  • Access Control/Identification
  • Personal/Protective Equipment
  • Law Enforcement Counter Terrorism
  • Perimeter Barrier/Deterrent System
  • Interagency Interdiction Operation
  • Cloud Computing/Storage Solution
  • Facial/IRIS Recognition
  • Body Worn Video Product
  • Cyber Security
  • Video Surveillance/VMS
  • Mobile Technology
  • Anti-Malware
  • Audio Analytics
  • Disaster Preparedness
  • ID Management
  • Thermal/Infrared Camera
  • Mass Notification System
  • Fire & Safety
  • Metal/Weapon Detection
  • Rescue Operations
  • Critical Infrastructure
  • License Plate Recognition
  • Detection Products
  • And Many Others!

Don’t see a Direct Hit for your Product, Agency or Organization?

Submit your category recommendation for consideration to Michael Madsen, AST Publisher at: mmadsen@americansecuritytoday.com.

The 2019 ‘ASTORS’ Awards Program surpassed expectations with a record number of nominations received from industry leaders and government agencies, and drew over 200 attendees to the ‘ASTORS’ Awards Presentation Banquet – an exclusive gourmet luncheon and networking opportunity which filled to capacity, before having to turn away late registrants.

The 2019 ‘ASTORS’ Awards Luncheon featured an impassioned and compelling keynote address by William J. (Bill) Bratton, former police commissioner of the New York Police Department (NYPD) twice and of the Boston Police Department (BPD), and former chief of the Los Angeles Police Department (LAPD), who walked attendees through 50 years of American policing history, its impact on communities, and the evolution of critical communication capabilities in our post-9/11 landscape.

Commissioner Bratton, one of the world’s most respected and trusted experts on risk and security issues and Executive Chairman of Teneo Risk, a global advisory firm, was recognized as the ‘2019 ‘ASTORS’ Person of the Year’ for his Lifetime of Dedication and Extraordinary Leadership in Homeland Security and Public Safety.

Why the ‘ASTORS’ Homeland Security Awards Program?

2019 ‘ASTORS’ Homeland Security Awards Luncheon at ISC East

American Security Today’s comprehensive Annual Homeland Security Awards Program is organized to recognize the most distinguished vendors of physical, IT, port security, law enforcement, and first responders, in acknowledgment of their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’

Over 200 distinguished guests representing Federal, State and Local Governments, and Industry Leading Corporate Firms, gathered from across North America, Europe and the Middle East to be honored among their peers in their respective fields which included: 

  • The Drug Enforcement Administration (DEA)
  • National Center for Missing and Exploited Children (NCMEC)
  • United States Marine Corps
  • The Federal Protective Service (FPS)
  • Argonne National Laboratory (ANL)
  • United States Postal Inspection Service
  • DHS S&T 
  • United States Marshals Service (USMS)
  • The Port Authority of New York & New Jersey Police (PAPD)
  • The Department of Justice (DOJ)
  • The New York State Division of Homeland Security & Emergency Services (NYS DHSES)
  • United States Border Patrol
  • AlertMedia, Ameristar Perimeter Security, Attivo Networks, Automatic Systems, Bellevue University, BriefCam, Canon U.S.A., CornellCookson, Drone Aviation, FLIR Systems, Hanwha Techwin, HID Global, IPVideo Corp., Konica Minolta Business Solutions, LenelS2, ManTech, Regroup Mass Notifications, SafeLogic, SolarWinds, Senstar, ShotSpotter, Smiths Detection, TCOM LP, Trackforce, Verint, and More!

Why American Security Today?

The traditional security marketplace has long been covered by a host of publications putting forward the old school basics to what is Today – a fast changing security landscape.

American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State and local levels of government as well as firms allied to government.

American Security Today brings forward a fresh, compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting edge editorial that provides solutions to their challenges.

Harness the Power of the Web – with our 100% Mobile Friendly Publications

AST puts forward the Largest and Most Qualified Circulation in Government with Over 75,000 readers on the Federal, State and Local levels.

The AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals at the federal, state and local levels.

‘PROTECTING OUR NATION, ONE CITY AT A TIME’

AST Reaches both Private & Public Experts, essential to meeting these new challenges.

Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.

American Security Today

These experts are from Government at the federal, state and local level as well as from private firms allied to government.

AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.

AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.

Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.

To learn more about the 2019 ‘ASTORS’ Homeland Security Award Winners solutions, please go to the 2019 ‘ASTORS’ Championship Edition Fully Interactive Magazine – the Best Products of 2019 ‘A Year in Review’.

The ‘ASTORS’ Champion Edition is published annually and includes a review of the ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firms’ products and services, and includes video interviews and more.

It is your Go-To source throughout the year for ‘The Best of 2019 Products and Services’ endorsed by American Security Today, and can satisfy your agency’s and organization’s most pressing Homeland Security and Public Safety needs.

From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware and Networking Security – Just to name a few), the 2019 ‘ASTORS’ CHAMPIONS EDITION will have what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.

It also includes featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2019 ‘ASTORS’ Awards Program.

SafeLogic provides innovative encryption products for applications in mobile, cloud, server, appliance, wearable, IoT, and other constrained environments.

Their flagship product, CryptoComply, provides drop-in FIPS 140-2 compliance with a common API across platforms, and their customers include many of the most influential and innovative companies in technology.

To Learn More, please visit https://www.safelogic.com/.

For information about advertising opportunities with American Security Today, please contact Michael Madsen, AST Publisher at mmadsen@americansecuritytoday.com.

AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:

  • Provides named sources
  • Reported by more than one notable outlet
  • Includes supporting video, direct statements, or photos
