“The Department of Defense Information Network Approved Products List (DODIN APL) is established in accordance with the UC Requirements (UCR 2013) document and mandated by the DOD Instruction (DODI) 8100.04. Its purpose is to maintain a single consolidated list of products that have completed Interoperability (IO) and Cybersecurity certification.”

Notable other changes to the program include:

• The Unified Capabilities Certification Office (UCCO), which managed the UC APL process is now the Approved Products Certification Office (APCO) and will continue to operate as a staff element to oversee the DoDIN APL. “The APCO provides process guidance, coordination, information and support to vendors and government sponsors throughout the entire process, from the registration phase to the attainment of DODIN APL status. Additionally, the APCO manages the DODIN APL Removal List, which consists of products that have been removed from the DODIN APL.”
• Information Assurance (IA) Testing is now Cybersecurity (CS) Testing. There is no change to the process, the same STIG requirements are being tested.
• The findings report that the test center puts out at the completion of testing which was previously called the IA Report is now to be called a Cybersecurity Assessment Report (CAR). Again, the same information will be presented, the change is in name only.
• In suite, the meeting that takes place after the Testing AO receives the vendor’s cybersecurity mitigations is no longer an IA Out-brief, it is now a CS Out-brief. Attendees will remain the same.

DISA’s June News

• Assured Compliance Assessment Solution (ACAS) training courses offered globally from July through December

• DISA moves forward with milCloud 2.0 through IDIQ award to connect DoD networks for use by the community and partners

• DISA and DMA partner to host Federal Knowledge Management Working Group

• DISA Executive Deputy Director Tony Montemarano gives annual talk on 4 things mission and industry partners need to know about DISA

• DOD Information Networks commander Army Lt. Gen. Alan R. Lynn discusses how DISA is reimagining the workplace

NIST’s June News

New PUBs:

Depending on your industry and markets, protecting your brand identity can be as simple as a solid and responsive social media presence or as complex as a series of security measures that will keep your product’s integrity intact. In many industries, specifically those that deal directly with government or regulated industries, brand integrity is a big deal. The same is true for other consumer driven areas, like the automotive and health care industries, in which advances in technology leave organizations open to new threats that can leave consumers questioning their credibility.

Third Party Solutions and the Risk to Your Brand

Since 2013, there have been significant security breaches that impacted companies of various backgrounds, exposing sensitive consumer information and breaking valuable bonds of trust. Healthcare (Anthem, Premera Blue Cross), finance (JP Morgan), retailers (Target), and online entities (Google, Linkedin), as well as their users/customers, have all been the victims of vicious cyber-attacks, and there is no sign that these attacks will stop in the near future.

Perhaps, most notably is the 2014 Heartbleed Bug, which was a catastrophic vulnerability found in the OpenSSL implementation of SSL and TLS. This vulnerability made it possible for anyone on the internet to steal information that was typically protected by encryption.

Since OpenSSL is an open source library, nearly 17% of all secure websites that implemented it became vulnerable. In a “heartbeat”, all companies that utilized OpenSSL became victims, in their own right, and though the Heartbleed Bug became widely known in 2014, it was actually committed to two OpenSSL versions 2 years earlier. For brands that relied on OpenSSL, this represented 2 years where consumer information was in jeopardy.

These brands were left vulnerable at a single fail point that existed for two whole years — one that no one anticipated.

Certification & Validation: The Path to Brand Security

When a client comes to Corsec to begin their journey towards obtaining a Common Criteria certification, a FIPS 140-2 validation, or listing on the DoDIN APL, their reasons may vary, but typically clients want to achieve certification so that they can expand within or access markets that were previously out of reach. And while getting that box checked is a driving reason for many certifications, there is a hidden yet powerful benefit to security certifications – they make your product, and therefore your brand, more secure. When it comes to the relationship between security certifications and brand reputation, it’s important to keep the following points in mind:

• Certifications assure that your product meets rigid security requirements that mitigate the threat of breaches and other security based risks that could cost your brand long term, irreparable damage.

As we guide clients through the certification process, we make sure that their products, and the company as a whole, are meeting or exceeding these requirements. Corsec works with clients to implement changes and updates to secure a product at various entry points, including everything from supply chain management to source code and encryption.

• A fully validated product means your organization is in full control of your brand. As was pointed out above, in the case of Heartbleed, organizations tethered to a single threat outside their means to fix or control could face disastrous circumstances.

When an organization chooses to rely on their own fully validated product, they are securing every single point of entry within their product. This measure mitigates risk more effectively and keeps a product above the curve.

• Security validations require compliance maintenance (learn more here). However, failure to do so can mean your product is no longer up to date and even worse, could be removed from government approved product purchasing lists. This was the case for many products that had gone through FIPS validation but used outdated Random Number Generators (RNG).

At Corsec, we recognize the importance of certification maintenance and make it our goal to care of our clients long after certifications and validations are achieved. We can work with your organization to make sure your product continues to stay market ready and assist you as you determine which path will keep your product, your consumers, confidence, and your brand secure.

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

DISA holds Systems Engineering, Technology, and Innovation Pre-Proposal Conference for insights on new Engineering Contract Vehicle

Training offered for individuals trying to re-certify, re-accredit, or establish connectivity to the Defense Security Information Security Network (DISN)

• Global Cryptographic Module Validation
• Open Source Cryptography
• Embedded Encryption and Industry-Vertical Applications
• Common Criteria
• Quantum Threats and Quantum-Safe Crypto
• End-User Experience and Crypto Policy

Corsec’s team will again be leading discussions on various topics including Corsec’s Matt Keller, who will kick off the conference with an overview on the CMUF and recent changes that affect the community. Later that day, Corsec President John Morris will present on the importance of Third-party security validations, including the role of FIPS 140-2, Common Criteria, and DoDIN APL in securing products. – “When it comes to commercially-viable security assurance, there are few options that address all concerns. Traditional third-party assurance programs are slow to be defined, enforced, and are often costly for vendors to navigate. However, vendors are participating more and more frequently in several government-mandated efforts Mr. Morris will examine three of the most successful third-party assurance programs (FIPS 140-2, Common Criteria, and DoDIN APL) and the benefits and drawbacks of the programs. Mr. Morris will break down the vendor, government, and consumer experience with security accreditations and provide insight into the current and future directions of these programs.”

In addition to Mr. Morris and Mr. Keller, Corsec’s Shashi Karanam will speak on how to keep FIPS 140-2 validations valid, including change within the module and operational environments. – “The goal of this presentation is to help vendors to have a better understanding of the CMVP requirements of maintaining the FIPS certificates and the revalidation requirements in FIPS 140-2.”

Corsec’s continued participation at ICMC demonstrates the importance of global involvement in the cryptographic community. If you can not attend the conference and want to stay up to date with Corsec as we help to shape the future of validations, you can request your annual report after the show.

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

Corsec Social Media

DISA CTO set to retire

Systems Engineering, Technology and Innovation Request for Proposal released by DISA

NIST’s February News

NIST Draft Releases:

• Draft Special Publication 1800-7, Situational Awareness for Electric Utilities released for comments

SHA-1 Collision

NIAP’s February News

NIAP has announced an invite to join a technical working group in the development of a Protection Profile for TLS Inspection products

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

Here are a few of the most common myths and misconception we have encountered over the years as we helped companies navigate the DoD mandated listing process for the DoDIN APL (Department of Defense Information Network Approved Products List):

Myth 1: “I’m already selling into the DoD, I don’t need additional product security hardening.” 

Per DoD guidelines, procurements are restricted to those solutions specifically listed on the DoDIN APL. If your product is not currently on the list, or you are not actively pursuing a listing, the new restrictions will shut you out of any future procurements.

Although your current customers may have purchased your solution in the past, they are in fact not authorized to do so in the future, and could require you to get listed at any time moving forward without prior notice.

Myth 2: “I already completed JITC/STIG Testing and or have a CON, I don’t need to do anything further.”

Previously, each military branch would issue a Certificate of Net-worthiness (CON) on their own to individual contractors. A CON gave you the ability to sell into that specific agency, but that agency alone. Year after year, each branch issued their own CON until finally the DoD collectively agreed to develop one singular list to buy from – and hence the Unified Capabilities Approved Product List was created.

To be listed on the DoDIN APL, your product must go through Interoperability (IO) testing as well as Information Assurance (IA) testing. The Joint Interoperability Test Command (JITC) is the IO certifying authority within The DoD. Any previously certified products tested solely by JITC would need to re-list on the DoDIN APL.

Security Technical Implementation Guide (STIG) testing is part of the initial submission for the DoDIN APL listing process. It includes the completion of a questionnaire on product internals, secure protocols, and access. The results determine which STIGs will be applied to your product. Testing is only one portion of DoDIN APL listing requirements, and while it can help in a quick RFP/RFQ response, it is only a first step. Completing the process ensures access to the total DoD procurement engine.

Myth 3: “The DoD only purchases from U.S. based companies.”

Companies outside the United States that are attempting to develop solutions for the DoD may do so as long as they are listed on the DoDIN APL. In fact, companies from ten different countries outside of the United States have products currently listed on the DoDIN APL.

LEARN MORE about inclusion on the DoDIN APL and how to get started.

Corsec brings you all the most recent updates to the standards, certifications, and requirements – Subscribe

DISA focuses on Innovation during the Armed Forces Communications and Electronics Association panel

NIST’s January News

NIST Draft Releases:

• Draft Special Publication 800-12, Revision 1, An Introduction to Information Security

NIST Interagency Reports:

• An Introduction to Privacy Engineering and Risk Management in Federal Systems

NIAP’s January News

The 2016 NIAP Progress Report Has Been Released, Outlining Changes To:

• Protection Profiles
• Evaluated Products
• The CCRA
• CSfC
• Interagency Collaboration – NIST
• Process Improvements and Outreach

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

No December Updates

NIST’s December News

NIST Draft Releases:

• Draft Special Publication 800-188, De-Identification of Government Datasets

Special Publications:

• SP 800-179 Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist
• Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
• Special Publication 800-184, Guide for Cybersecurity Event Recovery
• Special Publication (SP) 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash

NIAP’s December News:

Protection Profile Updates:

• Mobile Device Management Protection Profile v3.0
• Mobile Device Management Agents Extended Package v3.0

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

This year Owler selected Corsec Security, Inc. in Herndon, VA as one of their “Hot In 2016” winners. “We’ve sorted through database of millions of contributions from our community and landed on the top trending companies from around the world,” said Jim Fowler, CEO at Owler.

For 18 years Corsec has assisted companies through the security certification and validation process. We are a privately-owned company that partners with organizations worldwide to strengthen product security, improve brand reputation, and increase financial returns. Our turnkey solution helps our partners complete security certifications the first time through. This approach has helped secure products in all industries, from storage devices to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast and flexible information on security and industry knowledge.