FIPS: Time is Money
16 Jan 2020
Difficulties of Managing Specialized Documentation for Different Certifications
Every vendor required to get some form of certification for a given product must feel under immense pressure. Most certification programs require a vendor to produce copious amounts of evidence documentation to verify any product claims being made. In this fast-paced world, how does a vendor go about obtaining a FIPS certificate quickly?
Each certification program has its own requirements, which typically means that not all the evidence documentation for program X will fit neatly into another validation/evaluation under program Y. Evolutionary changes can also cause this "square peg into a round hole" situation. The transformation from FIPS 140-2 to FIPS 140-3 is such a case. In September 2020, FIPS 140-3 will be available, with updated standards and different documentation requirements. Reusing old FIPS documentation will not suffice; it will need to be re-developed for a successful validation.
Vendors must consider the time it will take for their staff to figure out the differences between the two standards and then rework existing documentation or write new documentation to meet the FIPS 140-3 requirements. Furthermore, other programs, such as Common Criteria (CC), Internet of Things (IoT) testing, and payment assurance programs such as those of the Payment Card Industry (PCI), all have differing requirements. All these programs are in a state of change in one form or another.
The quality of the documentation submitted for evidence drives the time it takes to complete the specific certification. Vendors new to FIPS tend to underestimate the amount of effort required for quality documentation preparation. Hence, the longest delay in any validation/evaluation comes from a vendor's inability to produce the documentation at the time it is required.
This is not because they cannot produce the documentation, but rather because they may have other resource constraints to consider. Most vendors tend to be on a tight timeline for product release, and many do not have the expertise or resources available in-house to develop FIPS evidence. Their personnel are already committed to high-priority projects, and projects may be juggled as priorities change.
The best way forward for a vendor is to have an external FIPS expert write the evidence documentation required, making minimal use of the vendor's staff. This will save the vendor time and resources needed elsewhere, and it will speed up FIPS testing of the product. If the FIPS documentation is written correctly the first time, there is little need for iteration and churn (changes to one or more documents to address issues raised by the lab reviewing the documentation). Product testing is expedited by having the appropriate documentation available in a timely manner. This reduces the amount of time a product needs to spend in a FIPS lab. The lab's report can be written using the detailed information in the documentation and the lab does not have to rely on getting an answer from one or more of the vendor's otherwise busy engineering staff.
Well-written FIPS documentation shortens the time spent in the validation authority's queue. Some documents (especially the FIPS Security Policy) must be available to the public upon certification, and are therefore heavily scrutinized. These documents must be correctly formatted, contain the correct information, and at the same time be non-proprietary. This is a difficult balance to achieve at times. With a reduction in the back and forth between the certifying authority and the lab, the validation can be expedited. The product can then be available for immediate sale to customers who require that it has the required validation/evaluation completed and certified. In other words, the time saved is money realized by the vendor in the form of immediate customer revenue. Often, large contracts using a vendor's product can depend on the finalization of the product's validation.
FIPS experts can also provide a gap analysis between current documentation and what is required by the FIPS program. If a vendor has already developed documentation, the FIPS expert can tell them if it is sufficiently detailed or if more detail (and what kind) is needed. This saves time and money. Acting on the recommendations in a gap analysis can leave a vendor well-positioned for product validation.
FIPS experts also help a vendor determine what type of validation/evaluation is best for their product, and what level of validation the product requires. The answer is typically based on the product's target market but can depend on other factors, such as competitors' compliance, customer requirements, etc.
Richard Adams,
Cryptographic and Security Testing Lab Manager
Richard Adams began work for Intertek EWA-Canada in 2009 as a Security Content Automation Protocol (SCAP) Tester and quickly moved into the role of Lead Tester. He trained and assisted in various other areas within the company, such as Cryptographic Module Validation (FIPS 140-2) testing; Common Criteria (CC) testing; Personal Identification Verification (PIV) testing; Visa Ready Program for Mobile Point of Sale (Visa mPOS) testing; and Certificate Authority (CA) Activities during this time. He was later promoted to the role of CST Lab Manager.
Dawn Adams,
Senior IT Security Specialist
Dawn Adams has been with Intertek EWA-Canada for more than 13 years. She has been involved with the FIPS program for 21 years; she was a Lab Manager for 9 years. She has worked in and was a Manager in the Common Criteria, PCI, PIV and SCAP workspaces as well. She is currently an IT Security Specialist working mainly in Common Criteria and auditing.