March 2017 | SafeLogic

Archive for March, 2017

30 Mar 2017

SafeLogic Wins Encryption Trophy at 2017 Govies

SafeLogic won at The Govies 2017!Security Today magazine announced the 2017 winners in “The Govies,” the Government Security Awards competition, honoring outstanding government security products. SafeLogic was selected as the winner in the ‘Encryption’ category for our CryptoComply product, adding another trophy to our case!

“It always feels good to win an award,” said SafeLogic CEO Ray Potter. “Being selected as the winner for encryption in a government-specific competition is even better. It really validates (pun absolutely intended) our strategy for FIPS 140-2!”

1105 Media launched its government security awards program in 2009, although they weren’t known as The Govies until two years later. Starting this year and going forward, 1105 Media’s newly relaunched Security Today magazine (formerly Security Products) will administer the awards program. Winners were selected using criteria including Features, Innovation, User Friendliness, Interoperability, Quality, Design, Market Opportunity, and Impact in the Security Industry, Technical Advances, and Scalability.

“The Govies is an amazing product recognition program whereby companies in the security industry can highlight their technology and solutions that work flawlessly within the government vertical,” said Ralph C. Jensen, editor in chief of Security Today magazine and securitytoday.com. “We received 28% more entries this year, which also corresponds with the need to provide better security options not only at the federal level but also at the state and municipal level of government. I believe these products and solutions only prove that the government relies heavily on the technology advances in the private sector.”

Other selections include SafeLogic customers BlackBerry, chosen for BlackBerry UEM in the ‘Convergence and Integrated Software and Solutions’ category and BlackBerry AtHoc in the ‘Emergency Communication Systems’ category, and Securonix, chosen for SNYPR Security Analytics for Hadoop in the ‘Big Data Analytics’ category.

BlogFooterWalt3

 

23 Mar 2017

FedRAMP Kicks It Up a Notch

FedRAMPHave you been following the evolution of the FedRAMP program lately? They are proving to be as nimble as any other group in federal, and even better – they are putting an emphasis on transparency. Check out their blog Focus on FedRAMP for example. After we gave kudos to the CMVP for their recent renewed efforts, it wouldn’t feel right to forget the folks at FedRAMP.

Last month, FedRAMP rolled out an update to their 3PAO Requirements. 3PAOs, Third Party Assessment Organizations, play a huge role in the process, just like the testing labs certified by NVLAP, the National Voluntary Laboratory Accreditation Program, do for FIPS 140-2. For each certification procedure to move smoothly, the 3PAOs and FIPS labs must meet an ongoing standard of excellence. In this case, FedRAMP worked with A2LA, the American Association for Laboratory Accreditation, and determined that they “need to strengthen the 3PAO accreditation requirements to provide for greater 3PAO oversight to ensure that a FedRAMP Accredited 3PAO provides the highest quality, most technically accurate assessments for the Cloud Service Providers (CSPs) who participate in the FedRAMP Program.”

FedRAMP-RAR-768x806An even bigger step forward was taken when FedRAMP unveiled the FedRAMP Readiness Assessment Report (RAR) Template as part of their FedRAMP Accelerated Process initiative in the summer of 2016. Their primary goal was to give Cloud Service Providers a pre-audit tool to self-assess and prepare themselves for scrutiny. But even more importantly in my opinion, the RAR was created as a living document, intended to be updated as needed to shed light on areas that need further interpretation. (Pro tip – make sure that you download the latest version of the RAR when you are prepping and doing due diligence. 3PAOs must use the most current RAR template that is available on the FedRAMP website at the time of submission.) This has been a huge help for CSPs hoping to secure FedRAMP approval. We have had more than a few frantic phone calls from CSPs that were suddenly faced with a mandate for FIPS 140-2 validation and they didn’t have a strategy. This should assist folks plan ahead and develop a more comprehensive plan in advance.

Despite our efforts to raise awareness about the requirement for FIPS 140 in FedRAMP over the last few years, it had still been a subject of debate. So it’s great that FedRAMP has finally made it more explicit in the RAR. For example, Section 4. Capability Readiness, subsection 4.1 Federal Mandates, bluntly asks “Are FIPS 140-2 Validated or National Security Agency (NSA)-Approved cryptographic modules consistently used where cryptography is required?” This should be no surprise, of course. A federal program requiring the crypto to be federally approved. That makes more sense than many bureaucratic requirements, doesn’t it? More below about the NSA caveat.

Further, check out subsection 4.2.1. Approved Cryptographic Modules [SC-13]:

The 3PAO must ensure FIPS 140-2 Validated or NSA-Approved algorithms are used for all encryption modules. FIPS 140-2 Compliant is not sufficient. The 3PAO may add rows to the table if appropriate, but must not remove the original rows. The 3PAO must identify all non-compliant cryptographic modules in use.

Table 4-2. Cryptographic Modules

  Cryptographic Module Type FIPS 140-2 Validated? NSA Approved? Describe Any Alternative Implementation
(if applicable)
Describe Missing Elements or N/A Justification
Yes No Yes No    
1 Data at Rest [SC-28]
2 Transmission [SC-8 (1), SC-12, SC-12(2, 3) ]
3 Remote Access [AC-17 (2)]
4 Authentication [IA-5 (1), IA-7]
5 Digital Signatures/Hash [CM-5 (3)]

As you can see from the Cryptographic Module planning matrix above in Table 4.2, FedRAMP is taking extra care to highlight the need for a FIPS validated module. They clearly had more than a handful of conversations with CSPs trying to argue for the use of a selection of algorithms from the CAVP list as ‘good enough’ and wanted to nip that in the bud. In fact, those were their bolded terms, not mine! The distinction is very important and the clarification was clearly needed.

I almost forgot. Circling back for those of you eyeballing the ‘NSA Approved’ verbiage as a potential loophole to bypass FIPS 140, I have just two words: Good. Luck.

That ubiquitous AES-256 implementation that you’re hoping will satisfy this requirement, because, after all, it is an included component for NSA Suite B… yes, well, it’s also included in FIPS 140-2 and therefore governed by CMVP/CAVP. So if there’s no CAVP certificate, and it’s not implemented as part of a CMVP validated FIPS 140-2 cryptographic module… well, let’s just say that you already missed St. Patrick’s Day and you’re going to need a whole truckload of four-leaf clovers for that to pass muster.

FedRAMP is taking great steps to take the mystery out of the process, and one of those major clarifications is the explicit reliance on the CMVP and FIPS 140-2 validation. If you’re reading this blog, you probably already know it, but nobody handles FIPS 140-2 requirements as quickly, easily, or effectively as SafeLogic. For more information, please explore our products and services at your leisure. They are designed to work in tandem and remove the hassle for your team. As always, contact us with any questions.

 

BlogFooterWalt3

7 Mar 2017

The CMVP Historical Validation List Is Here with a Vengeance

SunsetEditor’s note: This post was updated on March 14, 2017 to reflect a distinction that came to light in dialogue with CMVP – validations moved to the Historical List have not been revoked outright. The validation still exists, but are not for Federal Agencies to include in a new procurement. Agencies are recommended to conduct a risk determination on whether to continue using existing deployments that include modules on the Historical List.

Over a year ago, our blog featured posts about the RNG issue that was leading to certain FIPS 140-2 validations moving to the Historical List and the 5 year sunset policy that CMVP was adopting. [Geez, was that really more than a year ago? Crazy.]

Now the hammer has dropped, and the industry is seeing modules routinely relegated to the Historical List each month. The sunset policy created a waterfall in January 2017, and as of today, there are 1,914 modules on the Historical List, representing approximately 2/3rds of the total validations completed in the history of the CMVP.

Let me repeat that for emphasis. 1,914 modules.
Approximately 2/3rds of all modules ever validated by NIST to meet the FIPS 140 standard are no longer on the active validation list.

This includes some modules that were updated in 2016, and a few were even just revised in 2017! Many of these are hardware, so they are often more static and harder to update, but certainly not all. Check out the entire Historical Validation List for yourself. It’s a veritable “Who’s Who” of once-proudly validated companies. Big names, hot startups, none are immune. Between the sunset timeline and the active removal of modules that are no longer compliant, the herd has been severely thinned.

The takeaway? Maintaining FIPS 140 validation is really hard! It’s not “just one big push” to get on the list anymore. It requires constant vigilance to stay on top of the updates and to keep up with NIST’s reinvigorated policies. A more active CMVP can seem like a pain in the ass at first glance, but it is ultimately better for the industry. Nobody (except for lazy vendors) benefited from old, insecure, ‘grandfathered’ modules remaining on the active validation list. A stringent, active CMVP has embraced their role as a clearing house and it increases the value of the modules that do satisfy current standards. And I think they’re doing a great job.

This underscores the strategic significance of relying upon SafeLogic to complete and maintain FIPS 140-2 validation. As I tell folks every day, this is our focus. Our business is based upon the proper production of FIPS-compliant modules and their subsequent validation. Our customers reap the benefits of our work, and we succeed by scaling it, replicating our effort and leveraging our niche expertise for each client. CryptoComply is smooth and RapidCert accelerates the initial validation, but our customers have really appreciated the value of offloaded maintenance for the certificate. We talk a lot about the time, money, and effort with the traditional process, and the savings realized when using SafeLogic are growing. The delta is getting wider.

I scratch my head when a product manager boasts that they plan to roll their own crypto and get it validated. There are no bonus points for suffering in-house or for reinventing the wheel. When you hire consultants to complete a validation, you’re paying a premium for a single push, when the maintenance really is a constant effort. Consider those costs in time, money, and effort to complete your initial validation – and then add a multiplier for every revalidation you anticipate. It will be at minimum a quinquennial (every five years) project, and that’s if you’re lucky enough to avoid any other pitfall. The math doesn’t lie – the traditional path to FIPS 140-2 validation has become cost prohibitive. And if you’re pursuing Level 2 or Level 3, you still need a solid crypto module at the heart of the product. Using CryptoComply ensures that component meets the necessary requirements, again saving time, money, and effort.

CryptoComply is proven, again and again, to continually meet standards and retain its validated status with NIST. This is one of those situations where you don’t need to be creative. Choose SafeLogic, let us take care of the crypto, and you can get back to doing what you do best.

Written by Ray Potter