What is the Department of Defense Information Network Approved Products List (DoDIN APL)?

FIPS 140 Validated Cryptography for DoDIN APL

What is the DoDIN APL and What are its Goals?

  • The Department of Defense Information Network Approved Products List (DoDIN APL) is a pivotal component in ensuring the security and reliability of the technology used by the United States military

  • This list encompasses the specific models of network infrastructure devices that have been tested and verified for utilization within the DoD's network infrastructure

  • The purpose of the DoD APL is twofold. Firstly, it provides a measurable level of assurance to the Department of Defense that the products listed have been through meticulous security testing and meet their stringent requirements

  • The second purpose is to streamline the acquisition process by providing a pre-approved list of products that can be used in various network configurations within the DoD

Who is Subject to DoDIN APL?

  • All Department of Defense (DoD) components, including the Army, Navy, Air Force, and Marine Corps, are required to purchase only those technology products that are included in the DoD Approved Products List (APL). This requirement extends to any contractors, subcontractors, and other entities directly or indirectly engaged with the DoD

  • Technology products on the DoD APL primarily consist of network infrastructure devices such as routers, switches, firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS). Furthermore, communication systems like Voice over IP (VoIP) and video conferencing tools, cybersecurity products, and software applications that are designed to operate within the DoD's network environment can also be considered for inclusion

  • Inclusion in the DoD APL is a significant achievement for any product. It shows potential customers, particularly those within the Department of Defense, that the product is reliable, secure, and trusted at the highest levels of government. Consequently, it opens up significant business opportunities within the defense sector, where the stakes are high and the need for trusted, reliable products is vital

What is the Relationship Between DoDIN APL and FIPS 140?

  • DoDIN APL and FIPS 140 have a close relationship, particularly in the realm of cybersecurity

  • FIPS 140 is a U.S. government standard that details the security requirements for cryptographic modules — hardware or software components that handle encryption and decryption. It is issued by the National Institute of Standards and Technology (NIST), a unit of the U.S. Department of Commerce

  • Any product that employs cryptographic modules, such as those used for secure data transmission, secure storage, or user authentication, must comply with FIPS 140 to be considered for inclusion on the DoDIN APL

  • Thus, FIPS 140 compliance forms a crucial part of the security assessment carried out during the evaluation process for the DoDIN APL

  • Achieving FIPS 140 certification affirms that a product's cryptographic modules meet the stringent security requirements laid out by the U.S. government, further bolstering its chances of inclusion on the DoDIN APL and demonstrating its commitment to providing the highest level of security

How Are Companies Seeking DoDIN APL Certification Getting Tripped Up by FIPS 140 Validation?

  • Being included on the DoD APL is not a simple task. It requires a product to undergo a comprehensive evaluation process that includes both testing for security vulnerabilities and functionality testing to ensure that the product can perform its intended task without causing disruptions within the DoD's complex network environment

  • Traditionally, companies seeking compliance with the FIPS 140 component of DoDIN APL have had one choice: hire a FIPS 140 consultant who would then orchestrate a long, complex, difficult and expensive process involving the applicant, the consultant, a FIPS 140 testing lab certified by NIST, NIST itself, and possibly the encryption module supplier to document, test and certify the exact cryptographic modules being used in the product being assessed for DoDIN APL certification

  • Often this work would be based on an open-source cryptography module, or one embedded in the product operating system. Given the long queues and limited resources at both the certification labs and NIST itself, this process can literally take years

How Does SafeLogic Overcome the FIPS 140 Problem for the DoDIN APL Ecosystem?

  • Through its breakthrough FIPS 140 Validation-as-a-Service offering, SafeLogic can get your company a FIPS 140 certificate in your own name in just two months, not the 2+ years required for traditional FIPS 140 validations

  • SafeLogic also ensures your FIPS 140 certificate remains ‘active’ despite changing requirements or the discovery of security vulnerabilities, so you can continue using it to support procurements

  • Once a technology vendor obtains FIPS 140 validation for its product, it can sell that product to federal agencies. In addition, the product now meets the stringent cryptography requirements in DoDIN APL, Common Criteria, FedRAMP, StateRAMP and CMMC 2.0

Four Ways Companies Pursuing DoDIN APL Certification Benefit from Working with SafeLogic

1.  SafeLogic provides you one-stop shopping. As opposed to working with a FIPS 140 consultant AND a FIPS certification lab AND NIST AND possibly open source or operating system vendors, you only need to work with SafeLogic. Our FIPS 140 experts handle any necessary interaction with any third party. Your resources can then focus on other aspects of your DoDIN APL initiative.

2.  SafeLogic helps you continue meeting your DoDIN APL cryptography requirements as your FIPS 140 requirements and your needs change. For instance, SafeLogic experts can test new algorithms, test new operational environments (OEs), etc.

3.  Should you need one, RapidCert can get you a FIPS 140 certificate in your own name in two months. In the FIPS 140 world, vendors with their own CMVP certificates can have a distinct competitive advantage over those relying on an open source or operating system CMVP cert from another vendor.

4.  MaintainCert makes sure your underlying FIPS Validated module remains ‘Active’ using a white glove service model for a fixed cost. If a company relies on an open-source module or something that comes with the OS, and that module goes historical, that will put its DoDIN APL status at risk.

Want to know more about how SafeLogic can help with your DoDIN APL strategy? Speak with one of our FIPS 140 experts!