FIPS validated encryption is about to get even more complicated…
2020 is going to be… challenging. If you’re a vendor in the Public Sector, trying to comply with U.S. Federal requirements for cryptographic libraries, it will be a turbulent ride over the next few years.
Among the pitfalls: The OpenSSL 1.0.2 architecture will no longer be supported after 12/31/2019, and there is no existing upgrade path that includes FIPS mode. Not only that, OpenSSL’s existing FIPS validations are expected to be moved to Historical status in mid-2020 because they don’t follow current FIPS 186-4 guidance for the Digital Signature Standard.
Somehow dodge all of those bullets? You still won’t have TLS 1.3, and you won’t meet FIPS 140-3, which will begin testing in September 2020.
You have probably completed long, tedious, and expensive compliance initiatives that depend on OpenSSL 1.0.2, like FedRAMP, Common Criteria, or maybe the UC/DoDIN Approved Product Listing, and all of those are in danger as a result. You can’t change the architecture of your solution and rip out OpenSSL, because you’ll lose your compliance checkmark, but you can’t leave it in either, since it’s unsupported at EOL.
Don’t worry – we can help.
SafeLogic is now offering Extended Support for OpenSSL 1.0.2.
With a support contract, you will be guaranteed any security patches necessary to maintain compliance, starting on New Year’s Day 2020. There will be no lapse in coverage and no loss of potential revenue. Your existing certifications will be unaffected by the official End of Life, because any vulnerabilities will be addressed by SafeLogic’s Extended Support. Otherwise, vulnerability scanners may immediately flag your solutions for running unsupported software. Government CIOs have already cautioned federal agencies about deploying unsupported and unpatched software that has become obsolete, and you can bet that malicious actors are excited for the opportunity to exploit this. Instead, an OpenSSL 1.0.2 Extended Support contract with SafeLogic will ensure that new builds are implemented as needed, incorporating necessary patches and remaining in full compliance with all existing certificates. Because there is no currently supported, FIPS-capable, open-source OpenSSL stack, this is crucial to bridging the gap.
Now that you’re breathing again, here’s the best part.
SafeLogic also has OpenSSL 1.0.2 compatible modules that will remain validated.
Our CryptoComply module is available as a drop-in replacement for the OpenSSL FIPS Object Module 2.0, with one key differentiator – it will not be subject to the 186-4 sunset, so your validation will not disappear!
Our RapidCert program will deliver a FIPS 140-2 validation in your name in just a few weeks, based upon the CryptoComply module that you select, and SafeLogic can put you on an upgrade path for a new module when the long-rumored, often-delayed OpenSSL 3.0 stack is available, which will add TLS 1.3 to your capabilities. And that upcoming FIPS 140-3 version? We will test and validate for that as well!
With all of the complications in the crypto sector converging, there has never been a better time to work with a specialist. This is what we do best, and we want to be your one-stop shop for encryption.
Request more info on SafeLogic’s solutions using the form below, or just send this link to your team and get back to work. SafeLogic has you covered!