When it comes to certification, not only are there many acronyms, but there are many things to be aware of and keep in mind when evaluating solutions. The top three things to know are:
1. There are several types of certification available, and each is focused on different use cases and on different pieces of equipment or products. Individual products or solutions may have been put through different certification processes, with varying outcomes and varying conclusions that can be drawn from them.
The two most common types of certification are the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS), which validates the use of cryptography in security systems, and the Common Criteria for Information Technology Security Evaluation (Common Criteria), which is focused on the remaining security functions of an IT product.
Both evaluations are focused on the presence of security features and the correctness of those features.
In addition, the Defense Information Systems Agency (DISA) manages the testing of products to be placed on the Department of Defense Information Network (DoDIN) Approved Products List (APL), which lists products that have completed Interoperability (IO) and cybersecurity certification, including Information Assurance (IA). The Joint Interoperability Test Command (JITC) is an approved testing center for IO and IA certification.
2. FIPS 140 is currently at revision 140-2, with 140-3 on the horizon. FIPS 140-2 defines four security levels of increasing stringency (Levels 1 through 4), and meeting a given level may require that some level of Common Criteria evaluation be met concurrently.
FIPS certification is extremely important: all products sold into the U.S. federal government are required to have completed FIPS 140-2 validation if they use cryptography in security systems that process sensitive information.
3. Common Criteria (CC) involves a wider review process covering overall product design and functionality, taking an encompassing look at the hardware, firmware and software, inclusive of use cases. CC uses Evaluation Assurance Levels (EAL) from 1 to 7. The EAL does not measure the security of a system; it simply states the level of rigor at which the system was tested.
Note: A higher EAL does not indicate a higher level of security than a lower EAL, because two products may have different functional features in their security targets; the EAL only says how thoroughly the claimed features were evaluated.
In my next blog, you will learn some important tips about encryption certification.
— Scott Barella, CTO