Important News:CryptoComply FIPS 140-3 Early Access Program is now open. Learn more!

The SafeLogic Blog

On the Recent CMVP Implementation Guidance

March 11, 2013 Ray Potter

We started SafeLogic to bring a strong cryptographic module to market that meets requirements for regulated environments. One of our main goals with CryptoComply is to ensure consistent compliance to evolving standards, including FIPS 140-2 and its Implementation Guidance. Implementation Guidance provides clarifications or refinements to requirements in the FIPS 140-2 standard.

Just before our official launch last week, the OpenSSL Software Foundation (OSF) issued a statement on recent guidance from CMVP that sent a ripple through the community.

The OSF summarized the impact of this guidance rather well:

This new interpretation requires that none of the function calls in our cryptographic library can return useful information until after the POST is performed. It also requires that this restriction must be enforced in the module, that is in the cryptographic library itself, and not merely stated as a condition to be satisfied by the calling application.

The second part is the crux of the issue. In the past, this could be met by procedural guidance and policy. But now, modules must enforce this operation. The OSF memo essentially paints an understandably bleak picture of OSF's current and future plans for addressing FIPS 140, and it's of considerable concern to product vendors implementing OpenSSL and trying to obtain FIPS 140-2 validation.

What's a product developer to do?

There might be procedural work-arounds and creative approaches to defining a new boundary, but frankly, both are met with risks of increased cost, time, and engineering commitment.

I'll offer a simpler solution: SafeLogic's CryptoComply. It meets the requirements of FIPS 140 and this new Implementation Guidance. No risky "creative" approaches, and no larger boundary definition that requires you to revalidate more often. Just out-of-the-box compliance.

If you are running OpenSSL, contact us. We're directly compatible, and our tools and scripts will get you going quickly. Drop it in, and move on to the next critical feature on your product roadmap.

Ray Potter

Ray Potter

Ray Potter is the Founder of SafeLogic, which was spun off from his previous venture, the Apex Assurance Group consulting firm. He brings over 20 years of security and compliance experience, including leading teams at Cisco and Ernst & Young, to the operations team at SafeLogic. Ray loves playing guitar and flying airplanes.

Share This:

Back to posts

Popular Posts

Search for posts


See all