Companies looking to meet the security requirements of the Marine Corp and sell their solution within the Department of Defense (DoD) will need to evaluate their product for high levels of security. In 2011, the DoD created their Department of Defense’s Information Network Approved Products List (DoDIN APL) to identify solutions that were trusted to address government security concerns. The DoDIN APL represents the agency’s master list of products available for purchase that are secure, trusted and approved for deployment within the technology infrastructure. Only those companies and products listed are available to the Marine Corp for purchase.

Come join Corsec and discuss how you can get listed on the DoDIN APL and sell into the U.S. military. Schedule your time slot today.

More About the Conference:

“Modern Day Marine is co-sponsored by Marine Corps Base, Quantico, the Exposition’s home base. MCB Quantico, home to the Combat Development Command and the Marine Corps Systems Command, is responsible for setting requirements, developing equipment and systems and purchasing the equipment and systems that the Marine Corps will rely on in the years to come. These vital and unique functions play a large part in positioning Modern Day Marine as the premier military equipment, systems, services and technology exposition.”

Evaluate Your Crypto and Protect Your Investments:

Security certifications like FIPS 140-2, Common Criteria and listing on the DoD’s UC APL utilize new mathematical theories and industry-driven computer science practices that safeguard our products and meet the stringent government requirements mandated for product hardening and security by our customers.

In the last year we have seen three new major vulnerabilities, all exploiting weak cryptography. Enhancing the security of your product helps ensure market credibility, future business, and customer confidence.

Learn More About Recent Attacks

Eliminate Competition, Increase Revenue, Improve Customer Confidence, and Secure Your Bottom Line:

Corsec has been helping organizations of all sizes achieve security certification and validation for nearly two decades. With the largest team of engineering experts, and over 425 certifications, Corsec leads the market in security certification validations.

A successful FED strategy starts with understanding the landscape, requirements, and development of a comprehensive security solution that adheres to third party guidelines.

Contact us to better understand security hardening

Corsec now brings you a snapshot of the most important takeaways from each event:

Common Criteria Users Forum (CCUF) – Seoul, Korea

• The National Information Assurance Partnership (NIAP), which governs Common Criteria in the United States, is trying to find ways to increase testing automation in order to reduce time and costs.
• Both the Common Criteria Users Forum and the Common Criteria Development Board (CCDB) have developed working groups focused on international cryptography. There is a new Deterministic Random Bit Generator (DRBG) subgroup in the CCUF Working Group.
• The CCUF Working Group has been discussing what they feel the DRBG information requirements should include. Thus far, the focus has been on DRBG architecture, strength of entropy generated (using published analysis tools), whiting techniques used, how and where entropy is stored, how is entropy pushed to Random Number Generators (RNG), how does reseeding work, and is the entropy source immediately ready or does it need operating time to ensure the pool is random?
• The CCUF Working Group felt that a good entropy solution should have multiple entropy sources that blend together, while making sure that one source does not provide the majority of the entropy. This could affect future entropy claims and documentation in the future.
• The CCDB is working on a Common Criteria Recognition Arrangement (CCRA) wide policy of sunsetting certifications after 5 years.
• A group has been formed to focus on better understanding how the Common Criteria evaluation framework could apply to other bodies and industries such as Automotive, IoT, Financial, Medical, and new nation states.
• The Management Group presented a summary of the CCUF Strategic Plan as well as the Proposal for Incorporation.

International Cryptographic Module Conference (ICMC) – Ontario, Canada

• This years conference saw a 25% growth in attendance despite holding one almost six months rather than one year after the last.
• This larger attendee list included 23 labs and their staff, government officials, industry experts, and vendors. 
• NIST and NIAP presented an update on their collaboration efforts. NIST and NIAP have a reinvigorated relationship and are working to eliminate duplicative testing requirements, thus Common Criteria will accept FIPS testing from the Cryptographic Module Validation Program (CMVP) and are working towards allowing the reverse. They are also working on remapping Common Criteria and FIPS 140-2 profiles against NIAP-accepted protection profiles.
• NIST, who governs FIPS in the United States, says they are working on FIPS 140-3 wrappers to point to ISO/IEC 19790 and ISO/IEC 24759.
• NIST is working on a license with ANSI to post the standards without fee during the open comment period. They intend to pursue the use and adoption of these international standards wherever possible. They hope to announce the schedule for this by December of this year.
• The Communications Security Establishment (CSE), who oversees Common Criteria in Canada announced a new Medium Assurance program to protect SECRET data in Canada. Similar in goals to the CSfC program in the United States, it will leverage commercial solutions and require FIPS 140-2 and Common Criteria. They will publish Medium Assurance solutions that can meet government needs without needing a Type 1 product.
• The CMVP will move forward with a policy to sunset all certificates that are older than 5 years starting February 2017. The date of the last validation activity will be used to measure the 5 years. Vendors should be motivated to seek a simple FIPS re-certification (1SUB) if they can and their certificate will be valid for another 5 years.

• The CMVP is officially tracking demerit points for each CMVP lab. Labs are given demerit points when they submit a final test report that is not up to the CMVP expectations. The program has been officially under way since October 2015 and several labs have demerit points at this point. When a lab reaches a threshold of points the lab must cease ALL evaluation work until a lab reaccreditation can be performed.

For additional information on either conference or to set up some time to talk to our experts, Contact Us.

To stay up to date on all conference events, industry news, and general security certification information, follow us on Twitter, LinkedIn, Facebook, and Google+.

Corsec’s CEO, Mathew Appler, attended the summit and has commented on the importance of the school systems and the local community as a whole investing in young adults as they further their studies in cybersecurity.

Corsec continues to work with local schools and universities, promoting education for the security field. To learn more about Corsec’s programs and positions open to current students, visit our team openings page.

To learn more about the summit or about other security related events visit here.

Corsec’s President John Morris will be joining the list of Corsec employees speaking this year. John will be taking an in-depth look at the economic costs and rewards of pursuing federal certifications. Additionally, John will be on the panel discussing the value of certifications in industries around the globe. He is joined by his industry colleagues; Steve Weingart, Manager of Public Sector Certifications, Aruba, an HP Enterprise Company; Jon Green, CTO, Aruba Government Solutions, Aruba, a Hewlett Packard Enterprise company; and Shawn Wells, Chief Security Strategist, Public Sector, Red Hat. This group will focus on what it will take for FIPS 140-2, ISO/IEC 19790, and Common Criteria to be a best practices or requirements in health care, automotive, financial, IoT and other industries.

In addition to John, Corsec’s Vice President Matt Keller will be giving an update on the CMUF, and leading a discussion on the future of security.

ICMC is always a great event for coordination of the international standardization of FIPS 140-2 and Common Criteria. There are six leading tracks to be developed:

• Advanced Technology Track
• Certification Programs
• General Technology
• User Experience Track
• Industry Vertical/Embedded Crypto Track
• Common Criteria and Crypto Track

Stay up to date with Corsec as we help to shape the future of validations. You can also follow us on twitter @CorsecSecurity to get live updates from the conference.

“ICMC, presented by the Cryptographic Module User Forum, was established as a forum on encryption standards set by the National Institute of Standards and Technology (NIST), the Communications Security Establishment (CSE) of Canada, the National Information Assurance Partnership (NIAP) managed by the NSA, and other international bodies. These organizations, amongst others, will make presentations at the conference regarding new standards, validation efforts, and perceived threats.

Moving beyond encryption standards, this year’s conference has added sessions on cryptography for mobile applications, connected vehicles, and the expanding internet of things. “Encryption is the foundation of most data security,” said CMUF management representative Matt Keller, “so the conference brings together technology leaders in sectors like semiconductors, telecom, automotive, and electronics OEM. This new content is a natural evolution for the conference.”

Development of the conference agenda is ongoing. “The industry is constantly changing, and we want to make sure content is up-to-the-minute,” said ICMC project director Bill Rutledge. Recently added sessions will cover Enhanced Data Protection on Apple iOS 9 devices leveraging the Secure Enclave Processor, and new hardware security features on Android devices using ARM TrustZone technology. Other announcements are forthcoming. Complete information about ICMC can be found at sitdev.icmconference.org”

Stay connected to Corsec as Matt attends the conference, and stayed tuned to updates on our twitter page.

Schedule time now to talk to Corsec about how Product Hardening through security certifications can eliminate competition, increase revenue, improve customer confidence and open new markets.

Protect Your Brand, Protect Your Product, Protect Your Bottom Line

Corsec has been helping organizations of all sizes achieve security certification and validation for nearly two decades.  With the largest team of independent engineering experts, Corsec has worked on over 425 certifications, leading the market in security certification validations.

Calendars are filling up, but it’s not too late to set up a time to talk.  Contact us now to better understand how we can help your company with security hardening.

WEST provides a stage to discuss the threats that face the warfighter as well as a forum to learn more about the most pressing issues surrounding IT security and security certifications.  With speakers, including leadership from the Navy, Marines and more, product vendors will have an amble opportunity to engage directly with their customers.  In order to sell into these lucrative DoD markets, listing on the DoDIN APL is mandatory.  If you are attending the show, come talk to us and learn how to quickly get listed, just like our recent partners, who were able to do so in record breaking time!

If you are not able to make the show, Contact Us to get updates and receive your monthly report on certification news and changes.

Although this day has its roots in protecting personal data, specifically with attention to social networking, the Internet of Things (IoT) and interconnectivity of our lives has created a new world of vulnerabilities. Businesses and individuals are faced with mounting threats and the implementation of sound and trusted security processes is paramount.

Soon, all of our cars, homes, and wearables will be linked (if they aren’t already); sharing and granting access to our sensitive data. Yet, most of the time, we don’t think about how these devices work and how the information is protected. By institutionalizing third party validations and security certifications, we can guarantee this information is protected from those with malicious intent.

Already certain industries have begun to use security certifications such as Common Criteria in order to provide device security hardening. Common Criteria is an internationally recognized set of guidelines for information technology security products. It provides assurance to buyers that the process of specification, implementation and evaluation for any certified computer security product was conducted in a thorough and standard manner.

After two individuals proved that hacking a connected car was not merely feasible, but entirely practicable, industry began to react. Fields like the connected car and IoT have begun to adopt certifications to prevent security breaches that could put our personal data at risk, or even worse, our personal safety.

As technology advances, we have the opportunity to create a world where life is easier and we open lines of communication that were once unfathomable. As this happens, we all need to be more aware and proactive to ensure we are working together to secure our digital world.

Cryptographic Validations, Quo Vadis? and apropos of FIPS 140-2

Cryptographic validations currently do not have an international acceptance, but the future for cryptographic validations looks promising in terms of mutual recognition. The public commenting period on the potential use of International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790 for cryptographic validation activities, currently specified by FIPS 140-2 ended on 09/28/2015. 

While the formal acceptance of ISO 19790 is still pending, NIST at recent industry events announced that it is their intention to continue to specify the cryptographic mechanisms used by the U.S. And to that extent, NIST is working towards having multiple US standards in place to support the transition to ISO 19790 for all future cryptographic validations. 

Contact Corsec to find out more about the transition, and how having ISO 19790 in place gives the vendor the choice as to which validating authorities receive test data.

Lab Competency

CMVP in the near future will be tightening lab accreditation requirements, putting in place rigorous competency exams between the established labs to prove competency around entropy analysis, algorithm testing and physical testing. These restrictions come as a result of poor performance by labs and frustration from the schemes.

Uncertain which lab to select for your validation?  Need insight on which labs will remain accredited and how requirement changes will affect your certification efforts?  Corsec’s Advisory and Enterprise Lab Services will help guide you the endeavor and help streamline your validation with a trusted and established lab.

New Inter-Agency Agreement

NIST and National Information Assurance Partnership (NIAP) are now working on reestablishing an inter-agency agreement. The prospects of this agreement will branch the testing responsibilities to both parties in an expedient way. Implications could affect Evaluation Assurance Level 2 (EAL2) validations in the FIPS 140-2 standard and adoption of the General Purpose Operating System (GPOS) Protection Profile (PP).

What does this mean for your product?  Choosing the right path to validation is essential and could not be more complex.  Discuss your approach with our engineers that sit on the technical working groups for each Protection Profile (PP).