The UC APL Obstacle Course

Here at SafeLogic, many of our customers are focused on opportunities to sell to the US Federal Government.  The large and long-term contracts provide an incentive to jump through hoops and meet additional procurement requirements, which are a costly maze of complicated, expensive, and time-consuming barriers to entry.  But once you have qualified, you are in great position to capture those deals, not to mention opportunities in the private sector.  In some cases, there are multiple layers of requirements that must be met.  One of the most stringent is the placement of a product on the UC APL.

The UC APL, the United States Department of Defense Unified Capabilities Approved Product List, is administered by DISA, the Defense Information Systems Agency.  It was created to centralize the available solutions for the Department of Defense (DoD) and to provide a standardized method for approval.  Before the UC APL, different agencies and branches had to create redundant approval processes.  The establishment of the UC APL was a major positive step for both the DoD and the product vendors, streamlining the process and creating a single resource for qualified solutions.

The advantage of being listed on the UC APL does not begin and end with the DoD.  Federal agencies in other branches prioritize solutions that appear on the UC APL, as they know and respect the vetting process exercised by DISA and the DoD.  In fact, just as FIPS 140-2 has become an internationally recognized standard, products on the UC APL carry the same relative weight.

In order to qualify for the UC APL, products must be tested rigorously by JITC, the Joint Interoperability Test Command.  This testing has two elements – Information Assurance (IA) and Interoperability (IO).  While IO testing has strict requirements in its own right, IA is typically the more challenging of the two.  IA testing adheres to the 2,000+ page Unified Capabilities Requirements document, and the product must meet a series of Security Technical Implementation Guides (STIGs) which outline best practices.  On top of that, Information Assurance demands that if the product includes encryption (and it nearly always does), that a FIPS 140-2 validation exists.  Common Criteria sometimes comes into play as well.  Don’t worry, we can help there, too.

UC APL testing is truly a marathon, not a sprint, and it has many obstacles.  Ok, maybe it’s more like a mud run.  It can definitely get messy.  There is good news, though.  We have identified one way to accelerate the process.  As it turns out, the JITC parameters allow for products to initiate testing upon their addition to the NIST (National Institute of Standards and Technology) CMVP (Cryptographic Module Validation Program) In Process list for FIPS 140-2.  In layman’s terms, this means that products that still need to earn their FIPS 140-2 certificate can go through both the JITC and the NIST CMVP validations simultaneously.  This is huge.  It’s like getting your bachelor’s degree while you’re still in high school.  Completing both certificates in parallel saves significant time and means that you can begin realizing revenue months faster.

CryptoComply and RapidCert, exclusively from SafeLogic, take full advantage of this opportunity.  Even for the folks who are aware of this rule, initiating a FIPS 140-2 validation is difficult.  The inertia is high during the first phase, documentation, which can take a great deal of time if you’re not leveraging RapidCert.  [For more detailed discussion of the accelerated timelines offered by CryptoComply and RapidCert, refer to my blog posts 'Leapfrogging the Competition' and 'If Time Equals Money...'.]  When a JITC certificate is part of the strategy, the opportunity is even bigger.

We will be posting a case study in the near future that illustrates this very strategy.  By implementing CryptoComply and adding the RapidCert option, a customer was able to take a product that had no FIPS 140-2 validation and within a month be in progress with their JITC certificate.  In the past, they would have been looking at approximately a year to get to the same stage.

So don’t hesitate to talk to SafeLogic.  There’s a lot at stake here, so let’s strategize and make things happen.