Certification ROI Archives - Corsec Security, Inc.®

Teradici Achieves IUT Listing

Jake Nelson — Fri, 21 Feb 2020 20:35:45 +0000

Corsec would like to congratulate our partner, Teradici Corporation, for achieving the Implementation Under Test (IUT) phase of the Federal Information Processing Standard 140-2 (FIPS 140-2) validation process for their PCoIP Zero Client product.

To see Teradici’s full announcement, please visit this link.

About FIPS 140-2

FIPS 140-2 is a joint effort by the National Institute of Standards and Technology (NIST) in the United States, and the Communications Security Establishment Canada (CSEC), under the Canadian government. The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing for FIPS 140-2, which applies to Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems. FIPS 140-2 provides stringent third-party assurance of security claims on any product containing cryptography that may be purchased by a government agency.

FIPS, which is mandated by law in the U.S. and very strictly enforced in Canada, is also currently being reviewed by ISO to become an international standard. FIPS 140-2 is gaining worldwide recognition as an important benchmark for third party validations of encryption products of all kinds. A FIPS 140-2 validation of a product provides end users with a high degree of product security, assurance, and dependability.

About Teradici Corporation

Teradici is the creator of the PCoIP® remoting protocol technology and Cloud Access Software. The company’s core mission is seamless and secure delivery of workstations and applications for end users. Teradici PCoIP technology and Cloud Access Software offer the most secure remoting solutions for public, private, and multicloud environments, enabling visualization of even the most graphics-intensive applications. The company’s solutions are deployed by Fortune 500 enterprises, government agencies, and service providers around the world.

For further information, please visit www.teradici.com

About Corsec Security, Inc.

For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2, Common Criteria (CC) and the DoD’s APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.

Connect With Us

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

Certes CFNC Achieves Common Criteria

Jake Nelson — Mon, 15 Apr 2019 16:06:59 +0000

Corsec would like to congratulate our partner, Certes Networks, Inc. (Certes), for completing the Common Criteria (CC) certification process on their CryptoFlow Net Creator (CFNC) with CEP.

To achieve this milestone, Certes partnered with Corsec, completing the certification under the Italian scheme at an EAL4+. For more information on the validation and to find additional details on the CFNC certification, visit the CC Certified Products List.

Their completion of the Common Criteria certification process demonstrates their commitment to strong levels of security, including a government backed product offering and a dedication to providing customers and end users with the most scrutinized and highly tested security solutions.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About Common Criteria

Common Criteria (CC) is an internationally recognized set of guidelines (ISO 15408), which define a common framework for evaluating security features and capabilities of Information Technology security products. The standard consists of several predetermined evaluation assurance levels, each one more stringent than the last. Common Criteria allows vendors to have their products tested against a chosen level by an independent third-party testing laboratory. The Common Criteria Mutual Recognition Agreement (CCRA) is a pact, which was designed to allow all evaluations up to an evaluation assurance level (EAL) 2, to be recognized by all participating countries, regardless of where the evaluation was completed. There are currently 30 countries involved in the CCRA, including the United States and Canada, with others that follow unofficially such as the EU.

The U.S. government mandates Common Criteria certification of security products for federal purchases. The National Information Assurance Acquisition Policy, NSTISSP No. 11, requires agencies to purchase only those commercial security products that have met specified third-party assurance requirements and have been tested by an accredited national laboratory.

About the Certes CFNC and CEP

CryptoFlow Net Solutions enable you to set automatic traffic protection policies on any standards-based network, including LAN, WAN, WiFi, Internet, SDN/NFV and others.

CryptoFlow Net Creator is the management solution providing centralized policy definition and control over all CryptoFlow Net Enforcers. CryptoFlow Net Creator enables all keys for all network protection to be generated and managed from one central point of control. It is a web-based GUI that configures and monitors the Certes Enforcement Points (CEP) encryption appliances, stores and deploys policies (or rules), and provides key management and auditing capabilities. CEPs are purpose-built encryption appliances that provide multi-layer data protection and application segmentation.

About Corsec Security, Inc.

Connect With Us

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

HPE Smart Array Gen10 P-Class RAID Controllers

Jake Nelson — Thu, 14 Mar 2019 20:49:29 +0000

Corsec would like to congratulate the entire HPE Smart Array team on completing the FIPS 140-2 validation process. The completion of the certification process not only opens the doors to new and exciting markets for HPE, but also demonstrates their fervent commitment to product security.

To achieve this milestone, HPE partnered with Corsec, completing the validation at a Level 1 as seen in certificate #3397. For more information on the validation and to find additional details on the security policy, visit NIST’s validated modules site.

Their completion of the FIPS 140-2 validation process demonstrates their commitment to strong levels of security, including a government backed product offering and a dedication to providing customers and end users with the most scrutinized and highly tested security solutions.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About FIPS 140-2

About Corsec Security, Inc.

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

FED ROUNDUP: FEBRUARY 2019

Jake Nelson — Tue, 26 Feb 2019 16:09:41 +0000

DISA’s February News

NIST’s February News

Announcements:

None

Releases & Special Publications:

NIAP’s February News

Updates:

None

Protection Profile Posting:

The Full Drive Encryption (FDE) international Technical Community (iTC) has published the following:

FDE Encryption Engine (EE) Collaborative Protection Profile (cPP) v2.0
FDE EE Supporting Document (SD) v2.0
FDE Authorization Acquisition (AA) cPP v2.0
FDE AA SD v2.0

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

Virtual Instruments Completes Common Criteria Certification for FED & Regulated Industries

Jake Nelson — Fri, 08 Feb 2019 16:35:07 +0000

Corsec would like to congratulate our partner Virtual Instruments, a leader in hybrid infrastructure management that delivers solutions that help customers ensure their applications and infrastructure perform better together, on announcing that its VirtualWisdom Platform Appliance v5.7 has completed the Common Criteria certification process.

The VirtualWisdom Platform Appliance is a is an IPM appliance that holistically monitors, analyzes and optimizes the health, utilization, capacity and performance of IT infrastructure within the context of the application; the completion of the Common Criteria certification under the NIAP approved collaborative Protection Profile for Network Devices (NDcPP) gives governments and end users confidence that the VirtualWisdom Platform Appliance has passed strenuous documentation and testing requirements.

About Common Criteria

Common Criteria is an internationally recognized set of guidelines (ISO 15408), which define a common framework for evaluating security features and capabilities of Information Technology security products. The standard consists of several predetermined evaluation assurance levels, each one more stringent than the last. Common Criteria allows vendors to have their products tested against a chosen level by an independent third-party testing laboratory. The Common Criteria Mutual Recognition Agreement (CCRA) is a pact, which was designed to allow all evaluations up to an evaluation assurance level (EAL) 2, to be recognized by all participating countries, regardless of where the evaluation was completed. There are currently 28 countries involved in the CCRA, including the United States and Canada, with others that follow unofficially such as the EU.

About Virtual Instruments

Virtual Instruments is an exciting, high-growth Silicon Valley technology company. Since their founding in 2008, they have been focused on delivering unparalleled value to our customers through a combination of innovative technology and high-value services. The VirtualWisdom platform provides comprehensive visibility into the performance, health and utilization of the IT infrastructure, empowering customers to guarantee the performance of their mission-critical applications across physical, virtual and cloud computing environments.

For further information, please visit virtualinstruments.com

About Corsec Security, Inc.

Connect With Us

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

FED IT Spending: Reviewing 2018 & Gauging 2019

Jake Nelson — Fri, 12 Oct 2018 17:48:11 +0000

2018 FEDERAL YEAR IN REVIEW

2018 was a stellar year for companies doing business with U.S. Federal Agencies. Over $95.6 billion dollars were allocated towards the procurement of secured IT products and solutions across Civilian, DoD, and the IC agencies.

2018 DoD IT Spend | $35.7 billion

$42.5 billion originally allocated – not all spending has been recorded*

2018 Civilian IT Spend | $45.5 billion

$53.1 billion originally allocated – not all spending has been recorded*

Top 5 Agencies: Predicted % of Total Spend*

DoD: ~44.4%
HHS: ~14.5%
DHS: ~7.1%
Treasury: ~4.5%
VA: ~4.3%

*Data based on 2018 White House and OMB projected and released findings.

Modernization: Improving the U.S. Critical Infrastructure

According to the President and OMB’s release on Information Technology, “The Administration will work to modernize and improve government operations and service delivery by building modern citizen-facing digital services, buying more like a business, improving cybersecurity, investing in improved data analytics, and generating greater cost efficiencies.”

This further emphasizes the President’s focus on improving the homeland’s IT support system. In May of 2017, he signed an Executive Order to modernize and strengthen our technology infrastructure.

Additional information on the current status of the modernization effort can be found here.

2019 FEDERAL OUTLOOK

The President of the U.S. recently signed the Department of Defense Appropriations Bill that provides over $674 billion dollars to fund military operations in 2019.

This is a $19.8-billion increase from the FY 2018.

Estimated 2019 DoD IT Spend | $46.4 billion

According to the Physical 2019 request, $36.4 billion will be allocated towards unclassified IT, $10 billion to classified, and $8.6 billion to cyberspace activities

Estimated 2019 Civilian IT Spend | $45.8 billion**

This is a decrease from previous years, although the previous IT budget included grants made by Federal agencies to state and local governments for IT systems used to administer Federal benefits.

The FY 2019 budget includes funding and investments to support 3 main functions: 1.) mission delivery; 2.) IT infrastructure, IT security, and IT management; and 3.) administrative services and support systems.

**Data based on 2019 White House and OMB projected release.

Connect With Us

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

Just When You Thought It Was Safe To Shut Down Your Computer

Jake Nelson — Tue, 25 Sep 2018 17:27:58 +0000

Although Cold Boot Attacks are considered to be somewhat of an antiquated method, largely due to the need for an attacker to have physical access to the machine, they still represent a threat to unprotected systems.

By definition, a Cold Boot Attack is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine. Known since 2008, these attacks target data memory remanences, sometimes containing sensitive and personal information, on a CPU’s RAM which can linger anywhere from a few seconds to a few minutes after power has been removed. By utilizing a removable disk, attackers are able to upload sensitive data and viola, you have a security breach.

Many modern systems have security countermeasures to prevent these types of attacks; by memory scrambling or encrypting RAM the ability to steal encryption keys is essentially eliminated, but a new threat could threaten most modern computers according to experts.

Researchers from F-Secure, a Finnish company, have found new methods to disable current cold boot attack firmware security measures. This attack still requires the physical access that previous cold boot attacks utilized, but the threat is still present. The company is positioned to release additional information on their findings at upcoming events and conferences.

In the meantime, companies looking to protect their data can look to modernize security functionality of their systems by following guidelines and requirements laid out within FIPS 140-2. The FIPS requirements for level 3 require, in addition to all security measures from level 1 and 2, identity-based authentication, physical security mechanisms for tamper detection and tamper response, and zeroization of keys to destroy this type of data. Implementing these changes helps to prevent cold boot attacks from ever occurring.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About Corsec Security, Inc.

Connect With Us

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

HPE Smart Array & Smart HBA Solutions Complete FIPS 140-2

Jake Nelson — Fri, 29 Jun 2018 18:34:27 +0000

Corsec would like to congratulate the entire HPE Smart Array team on completing the FIPS 140-2 validation process on the HPE Smart Array Gen9 P-Class RAID Controllers and HPE Gen9 Smart HBA H-Class Adapter.

To achieve this milestone, HPE partnered with Corsec, completing the validation at a Level 1 as seen in certificate #3206. For more information on the validation and to find additional details on the security policy, visit NIST’s validated modules site.

For more information on engineering your product to meet Federal and regulated industry security requirements, schedule time to speak to a Corsec engineer.

About FIPS 140-2

About Corsec Security, Inc.

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

###

Press Contact:

Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com

IoT Expansion Opens The Door to Vulnerabilities

Jake Nelson — Wed, 11 Apr 2018 20:30:25 +0000

The IoT expansion has been innovative, immersive, and impressive; revolutionizing modern day interactions and connectivity.

To meet this demand, companies are deploying products at rapid speed, while lowering prices to promote user adoption; leaving many in the security sector concerned about user data protection and proper product security hardening.

To address these concerns, The UK is taking a proactive approach, outlining a 13-point Code of Practice for manufactures, service providers, mobile application developers, and retailers to follow related to the IoT space – “Secure by Design: Improving the Cyber Security of Consumer Internet of Things Report”.

This concept may be new to the growing IoT space, but it is already the status quo for many products in Regulated Industries, as well as heavily mandated by Federal Governments around the globe. Their requirements for certifications like FIPS 140-2, Common Criteria, and the DoD’s APL address these concerns; ensuring products protect sensitive data and implement proper security architecture frameworks prior to deployment and network integration.

For companies looking to analyze their current security strategy and implement sound product security certification practices, there is help. Corsec Security is the global leader in providing assistance in security certifications and product security hardening. With the largest staff of experts in the industry and a comprehensive end-to-end solution that includes assessment audits, documentation, testing, enterprise lab services, and strategic product roadmap planning, Corsec has helped secure more than 400 unique products for hundreds of organizations on five continents over the last 20 years.

This guidance helps companies address security requirements for healthcare, financial services, critical infrastructure, national and international markets, and now IoT. Not only do they secure products, but also foster public trust and reap rewards for security investments, enabling you to overcome competitors in a market valued at over $3.5 trillion.

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

FIPS 140-2: Covering the Basics

Jake Nelson — Fri, 15 Dec 2017 16:36:17 +0000

What is FIPS 140-2?

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. and Canadian co-sponsored security standard for hardware, software, and firmware solutions.

All products sold into the U.S. federal government are required by law to complete FIPS 140-2 validation if they use cryptography in security systems that process Sensitive But Unclassified (SBU) information.

What are the different Levels of FIPS 140-2?

There are four increasing, qualitative security levels for FIPS 140-2. Each one focuses on eleven functional areas of product security related to secure design and implementation. At each level, greater amounts of evidence and engineering are required of the vendor in order to show compliance with the standard. The eleven functional areas that must be addressed are:

Cryptographic Module Specification
Module Ports and Interfaces
Roles, Services, and Authentication
Finite State Model
Physical Security
Operational Environment
Cryptographic Key Management
Electromagnetic Interference / Electromagnetic Compatibility (EMI/EMC)
Self-Tests
Design Assurance
Mitigation of Other Attacks

In order to complete the validation process, all eleven sections must be addressed. The level at which you decide to validate your product will depend upon your objectives, customer requirements, and competitive landscape.

What sort of end users and customers are interested in FIPS 140-2?

All end users looking for a high degree of security, assurance, and dependability within their security systems will seek products possessing a FIPS 140-2 validation. This is not only a product benefit, but mandated by industries and governments around the globe. Section 5131 of the Information Technology Management Reform Act of 1996 mandated the use of FIPS-validated products by all U.S. federal agencies.

Although FIPS is a U.S. and Canadian sponsored standard, it has been heavily adopted by foreign governments (including the European Union, South America, and Asia) and regulated industries (including the intelligence community, financial services, health care, critical infrastructure, the automotive industry, and the Internet of Things (IoT)) around the globe.

What is the relationship between NIST, FIPS 140-2, and Corsec?

There are three key players in the FIPS 140-2 validation process:

The National Institute of Standards and Technology’s (NIST) Cryptographic Module Validation Program (CMVP), which sets information security mandates for products containing cryptography, and is ultimately responsible for issuing certificates;
Third-party laboratories, which are accredited by NVLAP, test products to ensure they adhere to FIPS 140-2 standards; and,
IT product vendors, who must ensure their products conform to the standard, and submit documentation to a third-party lab for testing.

Corsec is a comprehensive product security company that helps vendors go through the hurdles of achieving their FIPS validation. We advocate on behalf of our partners to communicate directly with NIST and the labs to get their product through each stage of the FIPS process.

What other certifications should vendors be aware of?

Depending on your organization’s market goals and objectives, there are a number of certifications and validations that a vendor should investigate:

Common Criteria is an internationally recognized set of guidelines (ISO 15408), which define a common framework for evaluating security features and capabilities of Information Technology (IT) security products. Once completed, it provides assurance to buyers that the process of specification, implementation and evaluation for any certified computer security solution was conducted in a thorough and standard manner. Completing your Common Criteria evaluation allows you to sell your solutions to the U.S. Federal Government, International Governments, and other highly regulated industries around the globe. It is not only required for access to government markets, but also serves as a competitive differentiator.

The DoDIN APL (Department of Defense Information Network Approved Products List) was created in 2011 by the Department of Defense to identify solutions that were trusted to address government security concerns. The DoDIN APL represents the agency’s master list of products available for purchase that are secure, trusted, and approved for deployment within the DoD’s technology infrastructure. Only those products listed will be considered for procurement by DoD contracting departments. It has been referred to by many names including: the UC APL (Unified Capabilities Approved Products List), JITC Testing, STIG testing, and others.

What is the process to complete FIPS 140-2 validation? How long does it take? Do you look at source code?

There are five major stages that need to be addressed in order to complete a FIPS 140-2 validation: Certification Strategy, Product Security Hardening, Documentation, Laboratory and Algorithm Testing, and Government Review. At each stage, there are a number of deliverables that need to be accomplished, all helping to streamline your project and ensure a smooth transition from one stage to the next. View a complete list of all the stages, deliverables, and key takeaways for your FIPS validation.

With a sound strategy, expert guidance, and FIPS experience, you can expect to complete your FIPS validation in around 12 to 14 months. This validation will remain valid for up to five years. Of course, every product is different and every company has varying levels of experience with the process, therefore the process could take much longer if not done correctly.

Source code is just one of the many things that is reviewed during your FIPS validation. That is why it is so important to work with a partner that protects your Intellectual Property (IP) and takes security seriously. Make sure to visit your partner’s site and evaluate the security measures they implement to ensure that your project and IP are safe. This guide covers key questions you should ask of your partners to ensure your assets are protected.

How do software updates interplay with FIPS 140-2?

The FIPS evaluation process is intended to review a product as it exists at a single point in time. Thus, the validation (and associated certificate) is specific to the software version or hardware model that underwent the testing. Any updates to that version or changes to that model will represent a different entity than what was tested; thus, it is not covered by the validation.

One of the primary goals of the Certification Strategy stage of the process is to determine a validation approach that will minimize these sorts of issues. With proper planning, selection of the correct boundaries and levels, and knowledge of the available validation maintenance options, strategies can be created that will maximize the life of a validation.

What sort of challenges or roadblocks are typically presented in a FIPS 140-2 validation?

With any large endeavor, there are certain areas that present risk and could potentially derail your validation. Developing a strategy upfront will help to mitigate those risks down the road. With nearly twenty years of experience, Corsec has identified the common roadblocks at each of the five stages in the process:

Certification Strategy: Lack of organizational alignment will hinder your ability to get your validation moving quickly and keep it on track throughout the lifecycle of the project. Additionally, you must have market intelligence on your competition and customer requirements prior to developing your strategy; otherwise you could take a path that limits ROI.

Product Security Hardening: Limited experience and expertise with the FIPS requirements will hinder you from a design engineering perspective. The product must comply with requirements in all eleven sections in order to complete the process. Without this expertise, it will be difficult to design, develop, and test a product that will pass muster.

Documentation: Both the government and labs, have very specific methods of preferred formatting for the submission documentation. If not done correctly, you could produce thousands of pages that actually makes the lab’s job more difficult, and ill-timed re-work could significantly delay your project, as well as your ability to begin seeing any ROI.

Laboratory and Algorithm Testing: The lab will request certificates which you must produce from testing your algorithms. These test results are often fraught with challenges and misunderstanding. Having a system to run lab test vector files will expedite the process significantly.

Government Review: Knowledge on the standard will help avoid re-work/duplicative efforts when the government comes back with questions. Defense of your documentation and testing will help to prevent unneeded work that could be avoided with proper advocacy.

If someone wants to get validated, are there things they should start doing right away?

The earlier you can prepare, the better. If you are currently developing your product, take time to bring someone in that knows the FIPS requirements to ensure the design and implementation of the solution meets all eleven requirements. If you have already developed your solution, perform a gap analysis to determine the delta between where you are and where you need to be in order to meet them. This should be the first step any organization takes, whether it is internally performed or assessed through a partner.

How is “FIPS-validated” different from “FIPS-compliant” or “FIPS-Inside”?

There is a substantial difference between having your product achieve FIPS 140-2 validation and claiming your product is FIPS 140-2 compliant.

“FIPS-compliant” or “FIPS-Inside” is a self-designated term, but has no associated requirements or minimum criteria. Further, it has absolutely no government backing. Vendors may use this term in reference to a product that uses FIPS-Approved algorithms or libraries, but has not actually gone through the necessary steps to verify and test that the product is using them in a FIPS-Approved manner. It does not hold any weight nor can you claim you have completed FIPS 140-2 Validation.

“FIPS-validated” asserts that your specific solution has gone through the rigor of the entire FIPS 140-2 process, resulting in the award of a certificate of your own issued by NIST. Further, this means that your product has been tested by an independent third-party laboratory and will meet the legal requirements passed by Congress, as well as the procurement requirements for the U.S. government and other industries, including: healthcare, financial services, and critical infrastructure. Corsec has developed a white-paper to explore this topic further.

Additional Information:

Subscribe to Corsec emails and get updates on security certifications and validations, product security guidance, InfoSec news, and additional information on how to complete FED and Regulated Industry requirements for security standards and compliance.

Check out our Resources & FAQ Page for even more information and assets to help you with product security and certifications.