Common Criteria Certification and FIPS 140-2 Validation
If you’re an Information Technology hardware or software vendor and you want to market your products to the US Department of Defense or various Federal government security agencies, you will no doubt encounter the NSTISSP-11 policies required under the Federal Information Security Management Act (FISMA) Implementation Project.
Issued in 2003, these FISMA policies recognized that COTS (Commercial Off-the-Shelf) IT products can often meet the communications security equipment needs of DoD and Federal agencies and organizations. However, they require that such products be validated under the internationally recognized Common Criteria Certification (CCC) program, which has been implemented in the US as the Common Criteria Evaluation and Validation Scheme (CCEVS) administered by the National Information Assurance Partnership (NIAP). In addition, the Ministries of Defence in the UK, Canada, Germany, France, Italy, Australia, the Netherlands, and other countries also require CCC validation for many IT products.
FIPS 140-2 Encryption Validation
If your IT product utilizes any form of encryption, it will likely also require validation of its cryptographic module by NIST under the Federal Information Processing Standards 140-2 security requirements (FIPS 140-2) before it can be sold and installed in a Federal agency or DoD facility. A NIST FIPS 140-2 cryptographic module validation project includes the preparation of a number of required documents, such as a Security Policy, Derived Test Requirements (DTR), Finite State Machine (FSM), User Guidance, and other documentation. These documents are submitted to your NVLAP test lab of choice in order to achieve a successful FIPS 140-2 Validation.
Validation Testing and Documentation
NOTE: As of 2011-01-01, NetGreen Consulting will no longer be offering consulting services to provide the documentation and test plans needed to obtain a Common Criteria Certificate. We can, however, recommend other companies who can provide test lab or document creation or editing services. We do still provide FIPS 140-2 Validation consulting services to US-based companies on an as-requested basis.
Our previous successful Common Criteria Evaluation or NIST FIPS 140-2 Validation projects include:
- an ATM Firewall device that was co-developed by the NSA
- a family of multiservice switches and switch routers (8 different models in all!)
- a line of service edge routers with B-RAS capabilities
- a high-definition video-conferencing system with AES encryption capabilities (recently validated under FIPS 140-2 by NIST)
We are currently working on a FIPS 140-2 Validation project for a Network Management System (NMS) product line – details coming soon.