FIPS 140 Consulting
Architecture Review and Gap Analysis
The requirement of FIPS 140 are both restrictive, and at time, non-intuitive. If you have a product you would like to take through the FIPS 140 validation process, SSR can help you with the architecture of the product to ensure that the FIPS 140 requirements are properly implemented from the start. It is vastly more difficult to try to modify an existing product to "bolt on" FIPS 140 compliance.
As early in your development cycle as possible, SSR can come on-site to perform a FIPS 140 training seminar and compliance workshop. The entire process takes approximately two days, and should be attended partially or fully by Product leads, Managers, and Engineers.
Topics covered include:
• FIPS history and necessity, government regulations that mandate FIPS 140 and the sales opportunities that are created with a FIPS-validated product.
• Competitive analysis of products in your market space with respect to FIPS 140
•FIPS 140 scope and specific requirements
• Validation process and timelines
During the workshop, your team will be asked to make a presentation on the security architecture of your product so that SSR can become familiar with the inner workings. Then, we'll discuss your architecture with the FIPS 140 requirements in mind, and discover all of the potential compliance gaps in the current design.
A few weeks after the workshop, SSR will provide a Gap Analysis document that outlines all of our findings about your product. Your engineering teams can use this document to create a roadmap for your engineering teams.
Security Architecture and Engineering Consulting
Implementing an architecture that satisfies the FIPS 140 requirements can be challenging. SSR's engineers are experts at finding creative solutions to these types of tough engineering challenges. Many times, we can address issues with documentation or with minimal changes. In some cases, the requirements mean real
change to core functions. We've helped many clients create solutions designed to minimize the disruption to your existing architecture, maintain consistency of your customer's experience, and enhance the product functionality in complementary ways.
SSR can be engaged on a per-project or hourly basis. We can provide consulting at whatever scope is desirable, from overall security architecture consulting to focused cryptographic library integration.
A FIPS 140 validation requires detailed documentation about the security architecture of your product. These documents must address the specific requirements of FIPS 140, and must do so in a way that correctly describes the way your module satisfies the requirements. These documents can be challenging to create, and incorrectly documenting your product can introduce delays in the validation process. In a worst-case scenario, incorrect documentation could lead to a negative review by the lab and a need to re-engineer some portion of your product.
SSR can prepare all of the documentation necessary to satisfy the FIPS documentation requirements, and do so in a way that minimizes the risk during the review stages. We have extensive experience creating these documents, and know how to describe your product in ways that will lead to positive reviews by the validation labs.
Validation Process Management
SSR can assist you in managing the entire FIPS validation process. We have a close working relationships with all the major labs and can work with them to ensure a timely and risk-minimized path through the process.
We begin by assisting you in securing competitive bids for the validation of your module. We'll help you understand the bids so you can make a proper apples-to-apples comparison. Once you've selected your preferred lab, we can assist you in getting them under contract. You can contract the lab directly, or SSR can
engage the lab as a subcontract.
Once engaged, SSR will serve as the Project Manager (PM) for the entire project lifecycle. We'll schedule and hold weekly meetings with you, and the lab when appropriate, to keep you informed on the progress of the project and to keep everyone on task. We'll prepare and maintain a schedule with defined milestones to ensure the project is run smoothly.
Our most important function as PM is to be the main Point of Contact for the lab. We'll field all inquiries from the lab, whether they are general questions about the product or detailed questions about FIPS-related matters. The criteria for FIPS can be esoteric at times, and the language used to describe functionality is not always the same as that which is used in the technology community. We'll ensure that all of the lab's inquiries are answered in a manner that is consistent with both the product capabilities and the specific FIPS requirements and jargon.
Upon completion of the lab review, a test report will be submitted to the Cryptographic Module Validation Program (CMVP) office within NIST, the body that oversees the FIPS 140 program. The CMVP review process is long and opaque, typically taking 6-9 months, and is a often a source of frustration within the vendor community. SSR will monitor the progress of your module through the government review process and keep you informed, as best we can, about the current timeliness of the process. We'll work directly with the lab to address any additional inquiries made by the CMVP during their review.
Once your validation certificate is issued, we can help you work out appropriate press releases and marketing material to immediately begin to maximize your ROI from the process.
CAVP Algorithm Testing
As part of the FIPS 140 process, your module must undergo algorithm testing as administered by the Cryptographic Algorithm Validation Program (CAVP), a companion organization to the CMVP. The completion of testing and issuance of algorithm certificates are necessary for a FIPS 140 validation, and may be necessary for other security programs, such as Common Criteria (CC).
Some cryptographic modules, such as OpenSSL and RSA BSAFE have considered this requirement in their development and include the capability of performing this testing out-of-the-box. Most, however, have never contemplated this type of testing, and likely are missing some key elements from their API that are
necessary for testing. The testing regiment executes the cryptography in ways a typical user would not be allowed to, and requires very precise control over some operations, such as DRBG and RSA Key Generation.
SSR has developed a test harness that is capable of interfacing with an extremely wide variety of cryptographic modules for the purposes of exercising them in accordance with the CAVP testing regiment. We will work with your engineers to develop a custom interface layer to your module, and can assist your engineers in creating a custom "test version" of your module that opens access to the private functions and precise control that testing requires.
We will work directly with the lab to obtain, execute, and validate the tests for any number of platforms you require. Upon completion, we will ensure proper submission to CAVP and issuance of your algorithm certificates.
SSR has extensive experience in performing custom software engineering to meet the specific needs of our clients. We have worked with clients in a number of industry areas, such as Aerospace, Legal, Broadcast Media, and Information Technology. We offer terms both on a licensing model and as a work-for-hire.
We have special experience in developing cryptographic libraries that are conformant with FIPS 140-2, and in modifying existing open source software (OSS) projects to be conformant with FIPS 140-2 requirements. Please see our product page
for details on our "Conformant OpenSSL" product as an example of some of our work.
If you have a specific need for custom software development, please contact us directly to discuss your project and our capabilities to address your needs.