Last week, we eulogized the Private Label program from the OpenSSL Software Foundation, but we promised to explain why we aren’t really upset. Chief among those reasons are concerns about the timeline.
Traditionally, it has taken a year or more to complete a FIPS 140-2 validation. In fact, we’ve personally seen validations take 16 months. In that time, you could miss out on a lot of potential revenue. When FIPS validation is a requirement, your buyers’ hands are tied and your technical features and competitive advantages are moot. Customers will select another product rather than wait a year.
Why does it take so long? It can take a couple of months to gather the information to document your crypto module. Then, an accredited testing lab takes another few months to check the evidence and run their tests. Their test report is sent to the Cryptographic Module Validation Program (CMVP). Waiting for an available CMVP certifier to review the report can take several more months. The certifier will then ask some questions of the testing lab before finally approving the validation, assuming that the responses are satisfactory. Each step has unique bottlenecks and the process is heavily congested from end to end. As you can imagine, any issues could easily incur setbacks measured in weeks, not days. To top it all off, that doesn’t even factor in the time your team spent installing and testing the crypto module in the first place.
Integrating CryptoComply into your application gives you an instantly compliant solution because CryptoComply already has a FIPS 140-2 validation. Along with the crypto library software, SafeLogic has developed tools and documentation to make integrating CryptoComply into your mobile and server applications easier and quicker.
The net result is that by using SafeLogic’s validated encryption module, your compliance can be verified, so customer responses are extremely positive. Buyers with a FIPS 140-2 requirement can begin a pilot program immediately, opening many sales opportunities while your competitors are waiting in the CMVP queue.
If you choose to pursue a FIPS validation certificate, the initial steps are accelerated thanks to CryptoComply’s ease of installation. Not only that, but customers can proceed in good faith, knowing that your product is already verifiable as compliant. This keeps your sales from grinding to a halt while the CMVP completes the process.
If you are in this category and a FIPS certificate is in your future, be sure to read next week’s post, discussing how RapidCert can slash the timeline even further!