Why Should We Get Our Own FIPS Certificate?

After our big announcement with OpenSSL last week, we've had some interesting conversations with possible future SafeLogic clients. Several have asked pointed questions, like "Why should we get our own FIPS certificate, if OpenSSL will get one after all?" and "Why buy the cow when we can get the milk for free with open source?"

I love these questions. It tells me that our potential partners have a healthy dose of skepticism and really understand the need to extract value from their capital expenditures.

In a nutshell, the answer is: because your customers also have a healthy dose of skepticism and need to extract maximum value from their expenditures!

Let's start at the beginning. Building early versions of your product with open source encryption, whether it's OpenSSL or Bouncy Castle, is a smart move. Open source crypto provides functional, widely compatible, peer-reviewed cryptography and leaves your options open for future replacements. Locking into a proprietary module early in the development phase has proven to be problematic when it requires unique architecture. (RSA BSAFE is now defunct, of course.)

The problems begin when you leverage open source for FIPS 140-2. In order to properly deploy an open source FIPS module within conformance standards, you need to follow the exact recipe. That means having to follow the 221 page User Guide for the OpenSSL FIPS Object Module v2.0, for example. That's a lot of work, only to be questioned by your own prospective customers. "Where is your FIPS certificate? Don't you have one with your name on it?"

Luckily, that's exactly what SafeLogic provides. You're not dealing with a DIY effort with directions from the worst Ikea bookshelf you've ever built. You get strong technical support from the SafeLogic team, standing behind our CryptoComply modules. (No, we don't just send you a massive PDF of directions.) And that elusive FIPS 140-2 certificate? RapidCert delivers it in just 8 weeks, explicitly displaying your company name and operating environments. "Just trust me" doesn't belong in your salespeople's vocabulary.

So when you're selling to the federal government, financial institutions, healthcare providers, or other regulated industries, expect your customers to be skeptical of your open source usage. You also need to be cognizant of the competitive landscape. You do not want to be cutting off your nose to spite your face, saving a few bucks by skating on FIPS validation, only to lose deals to rivals carrying certificates. Invest in your product and win those head-to-head opportunities! 

The comic below is a humorous dramatization of a sales call going wrong, but your target customers (in the green cube) really just want confirmation that your company carries a FIPS 140-2 validation. No tricks, no technicalities, just a certificate on the NIST website. Real, valid, honest-to-goodness, easy to cross-reference and confirm.

Open source FIPS validations are important for the community to have. It's a good starting point, and for some small companies it's the best that they can access. Maybe it's enough for you right now. But customers can't nitpick if you have your own certificate, and that's where SafeLogic knocks it out of the park. You won't find an easier or faster way to add that FIPS 140-2 validation to your salespeople's arsenal. We'll be ready when you are.