We started SafeLogic to bring a strong cryptographic module to market that meets requirements for regulated environments. One of our main goals with CryptoComply is to ensure consistent compliance to evolving standards, including FIPS 140-2 and its Implementation Guidance. Implementation Guidance provides clarifications or refinements to requirements in the FIPS 140-2 standard.
Just before our official launch last week, the OpenSSL Software Foundation (OSF) issued a statement on recent guidance from CMVP that sent a ripple through the community.
The OSF summarized the impact of this guidance rather well:
This new interpretation requires that none of the function calls in our cryptographic library can return useful information until after the POST is performed. It also requires that this restriction must be enforced in the module, that is in the cryptographic library itself, and not merely stated as a condition to be satisfied by the calling application.
The second part is the crux of the issue. In the past, this could be met by procedural guidance and policy. But now, modules must enforce this operation. The OSF memo essentially paints an understandably bleak picture of OSF's current and future plans for addressing FIPS 140, and it's of considerable concern to product vendors implementing OpenSSL and trying to obtain FIPS 140-2 validation.
What's a product developer to do?
There might be procedural work-arounds and creative approaches to defining a new boundary, but frankly, both are met with risks of increased cost, time, and engineering commitment.
I'll offer a simpler solution: SafeLogic's CryptoComply. It meets the requirements of FIPS 140 and this new Implementation Guidance. No risky "creative" approaches, and no larger boundary definition that requires you to revalidate more often. Just out-of-the-box compliance.
If you are running OpenSSL, contact us. We're directly compatible, and our tools and scripts will get you going quickly. Drop it in, and move on to the next critical feature on your product roadmap.