Do FIPS 140-2 and Common Criteria matter?


This topic contains 4 replies, has 2 voices, and was last updated by Basant Elhady 6 years, 3 months ago.

  • #139430

    Scott Swigart
    Participant

    I understand that FIPS or Common Criteria certifications are required for certain scenarios, but if you’re evaluating something like routers and switches, and these certs are not required, how important are they to a buying decision? How would you rank them against cost, features, etc?

  • #139438

    Basant Elhady
    Participant

The US Gov’t issued CC Protection Profiles for Routers and Switches in the past, and recognized early on the importance of these devices to perimeter security. Any use of Cryptography, especially that which would split Secret/Classified traffic from unclassified traffic, will require the prerequisite FIPS 140-2 or other cryptographic validations from NSA. Without these, and certification to the latest NIAP Protection Profile for Network Devices, a non-validated and uncertified Switch-Router will not be considered over tested and certified products, and cannot be considered for the DISA JITC UC-APL until such time as the vendor fully partners with Government requirements, including FIPS 140-2 and the Common Criteria to an approved Protection Profile.

  • #139436

    Basant Elhady
    Participant

    I would also like to add that Routers and Switches are considered IA-enabled IT products and directives such as NSTISSP #11 along with NIST SP 800-23 specifically call out both FIPS 140-2 and Common Criteria as prerequisites to being purchased by government agencies. These directives address government agencies and mandate them to purchase only COTS products that have been FIPS 140-2 validated or Common Criteria certified.

    Corsec Security provides consulting specifically for FIPS 140-2 and Common Criteria evaluations to help vendors achieve their security certification needs for US federal government sales. If you would like to discuss this in further detail, please feel free to contact Corsec – http://www.corsec.com.

  • #139434

    Scott Swigart
    Participant

    Thanks for the detailed reply – so if I may paraphrase – there simply are not a lot of (any?) federal scenarios for routers and switches that don’t require FIPS 140-2 and CC.

  • #139432

    Basant Elhady
    Participant

    You are correct. The two directives I referenced apply to the entire umbrella of federal agencies and US departments, not just DoD.
