The benefits of getting FIPS 140-2 validation for your product shouldn’t be underestimated. Your FIPS 140-2 validation demonstrates your integrity and commitment to providing your customers with compliant security products and systems. But the validation process can be time consuming, complex and is an investment not to be taken lightly. So, while planning and staffing are important parts of the process to consider, budgeting for FIPS 140-2 validation is every bit as critical. It may seem like a daunting task, but the planning and due diligence now will help you identify what costs to expect (and when), so you can avoid surprises and budget overruns.
Hard and soft costs of a FIPS 140-2 validation
You’ll have to anticipate both types of costs during your FIPS 140-2 validation process—hard and soft. The line items with a price tag attached are a little easier to list out and get your arms around. It’s important to know that although some labs charge more than others, price should not be your only consideration in choosing a lab. Although one lab may cost less, if you don’t have someone on your team with experience working with that particular lab on FIPS 140-2 requirements, you may end up spending more time communicating with them than anticipated. This means you will ultimately end up spending more in both time and money while your internal resources are tied up for long periods of time. Keep this in mind during the lab selection process.
The National Institute of Standards and Technology (NIST) also charges a fee to issue the FIPS 140-2 certificate due to the backlog caused by the deadline for FIPS 140-1 submissions.
Although you may only be thinking about your FIPS 140-2 validation budget in terms of invoices piling up on your accounts payable desk, the soft costs associated with FIPS 140-2 validation can also be considerable. As mentioned above, there’s time spent on communicating with the lab, and extensive time that must be spent carefully preparing documentation to that lab’s specifications. Again, if someone on your team has experience writing FIPS documentation for a particular lab, you should strongly consider using that lab. But this is an area where a consultant will be an asset to the process. A quality consultant will have extensive FIPS 140-2 validation experience with many testing labs both in the U.S. and in other countries and will know how each wants their documentation prepared. This will save strain on your internal resources, but also potential delay and cost if documentation is rejected, which leads me to…
The truth about documentation preparation
As I mentioned, there’s a great deal of documentation required in conjunction with your FIPS evaluation, some straightforward, some highly complex and downright burdensome. Many organizations make the mistake of thinking they can model their documentation upon the existing documentation of others. Be forewarned: because of its confidential nature, it is difficult to obtain such examples. Be prepared to start from scratch.
Another misconception is that your lab can write your documentation for you. Know that labs are strictly prohibited from doing this as it represents a conflict of interest in their ability to provide unbiased product testing.
If you haven’t yet begun the development phase of your product; it’s important to note that you can produce most of the needed documentation in conjunction with product design and development. (It’s a good idea to talk to your engineers now; it’s never too early to start thinking about FIPS 140-2 validation!). For a legacy product, you can facilitate the documentation process by having your original developers collaborate with someone who understands FIPS 140-2 requirements to produce a minimum set of documentation that meets the FIPS 140-2 standard. Here again, a consultant will be helpful. For a list of documentation required for FIPS 140-2 validation, visit Corsec’s FAQ.
One significant way you can control costs is to avoid incorrect or incomplete document preparation. Even products that contain no security flaws can fail testing if documents are not submitted in a lab-approved format. Avoid this trap by having someone knowledgeable review all documentation prior to submission to the lab.
Be timely for the bottom line
Every minute your team is focused on FIPS-related issues and tasks is time not spent on development of new and other revenue-bearing projects. Staff must stop to attend to questions, redesigns, and deadlines imposed by the lab, which takes their focus away from other initiatives.
Your sales team will also emphatically remind you that there are costs associated with unrealized revenue for every day they are unable to sell your not-yet-validated product. Not only are they not bringing in revenue; they’re losing deals to your competitors. This makes timely FIPS 140-2 validation even more important to your bottom line and is another reason to streamline your FIPS 140-2 validation timeline.
Corsec has completed hundreds of validations for clients over the past 18 years. We can help facilitate yours so that you can focus on your business. The process can move efficiently and stay within budget if planned well. Contact us to get started.