Corsec Security, Inc.® https://sitdev.corsec.com/?lang=zh-hans
Corsec helps companies complete security certifications and validations like FIPS 140-2, Common Criteria, and listing on the DoDIN APL / UC APL.
Mon, 07 Feb 2022 19:42:22 +0000

Dynatrace’s Java Crypto Module Now FIPS Validated https://sitdev.corsec.com/dynatrace-fips/?lang=zh-hans Tue, 03 Aug 2021 20:17:21 +0000 https://sitdev.corsec.com/?p=18970

Corsec would like to congratulate our partner, Dynatrace, Inc. on completing the Federal Information Processing Standard Publication 140-2 (FIPS 140-2) validation on their Dynatrace Java Crypto Module.

To achieve this milestone, Dynatrace partnered with Corsec, completing a Level 1 validation as seen in certificate #4004. For more information on the validation and to find additional details on the Crypto Module security policy, visit NIST’s validated modules site.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About FIPS 140

FIPS 140-2 and FIPS 140-3 are a joint effort by the National Institute of Standards and Technology (NIST) in the United States and the Communications Security Establishment Canada (CSEC), under the Canadian government. The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing for FIPS 140, which applies to Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems. FIPS 140 provides stringent third-party assurance of security claims on any product containing cryptography that may be purchased by a government agency.

FIPS, which is mandated by law in the U.S. and very strictly enforced in Canada, is also currently being reviewed by ISO to become an international standard. FIPS 140 has gained worldwide recognition as an important benchmark for third party validations of encryption products of all kinds. A FIPS 140 validation of a product provides end users with a high degree of product security, assurance, and dependability.

About Dynatrace, Inc.

Dynatrace provides software intelligence to simplify cloud complexity and accelerate digital transformation. With automatic and intelligent observability at scale, their all-in-one platform delivers precise answers about the performance of applications, the underlying infrastructure and the experience of all users to enable organizations to innovate faster, collaborate more efficiently, and deliver more value with dramatically less effort. For more, visit the Dynatrace website.

About Corsec Security, Inc.

For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2 / FIPS 140-3, Common Criteria (CC) and the DoD’s APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.

###

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

Tanium Added to FIPS Validated Website https://sitdev.corsec.com/tanium-fips/?lang=zh-hans Tue, 03 Aug 2021 19:44:49 +0000 https://sitdev.corsec.com/?p=18958

Corsec would like to congratulate our partner, Tanium, Inc., on completing the Federal Information Processing Standard Publication 140-2 (FIPS 140-2) validation on their Tanium FIPS OpenSSL Module.

To achieve this milestone, Tanium partnered with Corsec, completing a Level 1 validation as seen in certificate #4002. For more information on the validation and to find additional details on the Crypto Module security policy, visit NIST’s validated modules site.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About Tanium, Inc.

Tanium gives the world’s largest enterprises and government organizations the unique power to secure, control, and manage millions of endpoints across the enterprise within seconds. Serving as the “central nervous system” for enterprises, Tanium empowers security and IT operations teams to ask questions about the state of every endpoint across the enterprise in plain English, retrieve data on their current and historical state, and execute change as necessary, all within seconds. For more, visit the Tanium website.

CareView Completes FIPS 140 Validation https://sitdev.corsec.com/careview-fips/?lang=zh-hans Tue, 03 Aug 2021 19:30:06 +0000 https://sitdev.corsec.com/?p=18965

Corsec would like to congratulate our partner, CareView Communications, Inc. on completing the Federal Information Processing Standard Publication 140-2 (FIPS 140-2) validation on their CareView Cryptographic Module.

To achieve this milestone, CareView partnered with Corsec, completing a Level 1 validation as seen in certificate #3998. For more information on the validation and to find additional details on the Crypto Module security policy, visit NIST’s validated modules site.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About CareView Communications, Inc.

CareView Communications offers the next generation of patient care monitoring, safety and security products. CareView has developed a variety of clinical products to best serve hospitals, nursing homes, caregivers, patients, families and visitors alike. For more, visit the CareView website.

FED Roundup: July 2021 https://sitdev.corsec.com/fed-july21/?lang=zh-hans Sun, 01 Aug 2021 22:01:15 +0000 https://sitdev.corsec.com/?p=18977
FED Roundup: June 2021 https://sitdev.corsec.com/fed-june21/?lang=zh-hans Fri, 02 Jul 2021 17:52:45 +0000 https://sitdev.corsec.com/?p=18931
Cybersecurity Executive Order https://sitdev.corsec.com/cybersecurity-eo/?lang=zh-hans Wed, 02 Jun 2021 13:26:56 +0000 https://sitdev.corsec.com/?p=18901

In an effort to improve the United States’ ability to identify, deter, protect against, detect, and respond to malicious actors and attacks, the President of the U.S. has issued a new Executive Order (EO) to ensure all Federal Information Systems react to meet or exceed the standards and requirements outlined for cybersecurity. To accomplish this, the EO identifies the private sector as a major contributor to helping secure the Nation’s cyberspace.

As outlined in the EO, the scope of protection and security will include (1) systems that process data (information technology (IT)) and (2) those that run the vital machinery that ensures our safety (operational technology (OT)).

The President has stated “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

Corsec has outlined high level details associated with the order that could impact future policy, requirements, and operations within the U.S. federal government:

Section 2: Removing Barriers to Sharing Threat Information

  • Develop a plan to allow further sharing of insights into cyber threat and incident information from Federal Information Systems by removing service provider contractual barriers – A review of the FAR and DFAR contractual language shall be completed within 60 Days
  • Require information and communication technology (ICT) service providers to promptly report cyber incidents to the government – The government shall recommend such language for contracts with ICT service providers within 45 Days. Within 90 Days, procedures for sharing such reports will be agreed upon.

Section 3: Modernizing Federal Government Cybersecurity

  • An overview of the steps and solutions needed to help prevent modern and sophisticated attacks on the U.S. federal government; including, Zero Trust Architecture, Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) solutions – The Government shall create a plan to utilize these technologies within 60 Days while creating a cloud-services governance Framework. Within 90 days the Government shall create a report on the sensitivity of their data with respect to unclassified information. Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit.

Section 4: Enhancing Software Supply Chain Security

  • The Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software – Within 90 Days the Government will implement best practices and other policy standards to improve the software supply chain.  Such guidance will include, among other criteria, “employing encryption for data”, and “establishing multi-factor, risk-based authentication and conditional access across the enterprise”.  Within 1 year the Government will produce language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to this section (this will apply to renewals of contracts as well).

Section 5: Establishing a Cyber Safety Review Board

  • The Board shall review and assess, with respect to significant cyber incidents affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.

Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

  • Align agency cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting systems – the Government shall develop a set of operational procedures (a playbook) for government wide use within 120 Days. Part of this will be to “incorporate all appropriate NIST standards”

Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

  • Increase efforts to detect cybersecurity vulnerabilities and threats to agency networks and gain visibility into incidents through deployment of an Endpoint Detection and Response (EDR) initiative – Within 90 Days the Government will issue requirements for such a system. Among other requirements, “ensure alignment between Department of Defense Information Network (DODIN) directives and FCEB Information Systems directives”.

Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities

  • Agencies and their IT service providers shall improve collection of information from network and system logs on Federal Information Systems (for both on-premises systems and connections hosted by third parties, such as CSPs) and, when necessary to address a cyber incident on FCEB Information Systems. “Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention” – Within 90 Days, agencies must establish requirements for logging, log retention, and log management.

Section 9: National Security Systems

  • Within 60 Days, the Government “shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. Such requirements shall be codified in a National Security Memorandum (NSM).”
Further Automation Within The CMVP https://sitdev.corsec.com/cmvp-automation/?lang=zh-hans Thu, 29 Apr 2021 15:03:39 +0000 https://sitdev.corsec.com/?p=18854

The Cryptographic Module Validation Program (CMVP) is a part of the National Institute of Standards and Technology (NIST), which operates under the Department of Commerce. The CMVP’s role is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. This primarily occurs through management and oversight of the testing required as part of the FIPS 140-2 / FIPS 140-3 validation standards.

The CMVP is currently experiencing longer than usual evaluation periods within the FIPS 140 programs. To rectify and hopefully assist in shortening those wait times, the CMVP is looking to automate processes and procedures related to the evaluation and testing of these cryptographic modules.

To support this newly identified objective, the CMVP has developed a draft document which outlines assumptions, challenges, current architectures, requirements, and guidance. The ultimate goal is to identify ideas and recommendations on how to automate some of the more tedious and manual elements of the FIPS 140 evaluation process. Specifically, the CMVP states that it hopes to improve efficiencies and timelines within CMVP operations.

Some of the current challenges outlined include:

  • An increase in complex modules being evaluated
  • A lack of human resources to address the influx in evaluations
  • Insufficient information/documentation submissions
  • Operating Environment Updates

This is not the first time the CMVP has turned to automation, as they recently implemented a change to the methods for testing algorithms within the Cryptographic Algorithm Validation Program (CAVP). Read more about that transition here.

Although the effects of such an effort are not expected to make an impact in the near term, it is a positive sign that the CMVP is actively trying to improve things in the long run.

FED Roundup: January 2021 https://sitdev.corsec.com/fed-jan21/?lang=zh-hans Mon, 01 Feb 2021 17:57:11 +0000 https://sitdev.corsec.com/?p=18801
NIAP News
Updates:
  • (None)
Protection Profile Posting:
Dell Completes FIPS 140 Validation https://sitdev.corsec.com/dell-fips-vnx/?lang=zh-hans Thu, 28 Jan 2021 19:06:48 +0000 https://sitdev.corsec.com/?p=18796

Corsec would like to congratulate our partner, Dell Technologies Inc., on completing the Federal Information Processing Standard Publication 140-2 (FIPS 140-2) validation on their VNX 6 Gb/s SAS I/O Module with Encryption.

To achieve this milestone, Dell partnered with Corsec, completing a Level 1 validation as seen in certificate #3800. For more information on the validation and to find additional details on the Crypto Module security policy, visit NIST’s validated modules site.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About the Dell EMC VNX 6

The Dell EMC VNX 6 Gb/s SAS I/O Module with Encryption is a high-density SAS controller executing specialized firmware that provides Data At Rest Encryption (D@RE) for Dell EMC VNX Storage Arrays. D@RE provides data security and offers a convenient means to decommission all drives in the system at once. Information is protected from unauthorized access even when drives are physically removed from the system. The VNX 6 Gb/s SAS I/O Module with Encryption is an optimized solution for native SAS/SATA HBA applications.

FED Roundup: November 2020 https://sitdev.corsec.com/fed-nov20/?lang=zh-hans Wed, 02 Dec 2020 20:08:28 +0000 https://sitdev.corsec.com/?p=18765