24 August, 2004
By John Morris, president and co-founder of Corsec Security
So you’ve heard about people talking about FIPS 140-2 and Common Criteria, but you can’t seem to get a comprehensive explanation of what these things are? Well, this short article attempts to do just that: explain what these programs really are, and what they mean in practical terms. We’ll try to cut through the jargon, and explore what it actually means in real life.
What are they?
FIPS 140-2 and Common Criteria are two security-product certification programs run by governments. FIPS 140-2 says the cryptographic parts of a product must be implemented and documented to the government’s satisfaction. Common Criteria (all the cool kids are saying “CC”) covers a range of security-related topics (like auditing, or software development practices) and spells out what the government requires for different types of products.
Where are they followed?
FIPS 140-2 is mandated in the US and is also strictly enforced in Canada. Other countries (such as Japan), and other industries (such as financial services), have begun adopting it as well. Common Criteria, on the other hand, is more of an international standard: it is recognized by 19 countries worldwide, with many more following it unofficially, and it has been adopted by the ISO community as standard 15408.
Both programs require that the product (with lots of supporting documentation) be examined by an accredited testing laboratory and by the government agency that oversees the labs. If the product achieves certification, then government agencies are free to purchase and use that product. If the product does not have these certifications, the government is not supposed to buy it.
How are they purchased?
Of course, purchasing requirements vary by agency (DoD enforcement being among the strictest), as well as by country (word has it that Italy won’t even speak to you if you do not have CC). In the U.S., purchasing requirements for these certifications are self-policed (meaning purchasing agents are not always forced to follow the mandates). But as soon as someone catches wind of purchasing practices that violate any of the published directives, bid awards can be protested, and validated vendors can take business away from ones with no certification, even if the latter have long enjoyed that agency as a source of steady business.
Who requires FIPS and CC?
Recently, directives (such as FISMA, NSTISSP#11, DoD8500, SP800-23, and the new wireless directive 8100) have given the need for product validations renewed attention, and more and more governments and agencies are cracking down on these requirements. The list of vendors who participate in the FIPS and CC programs reads like a who’s who of security vendors, which confirms the real and perceived value of pursuing these third-party government validations.
Who are the players?
There are four basic groups involved in the standards’ game:
- Participating vendors: As we have said, even though participation is certainly optional for both of these programs, this list continues to grow, especially among companies looking to pursue government customers worldwide.
- Government Customers: These are the folks who would like to buy the security products from their favorite vendors, but who are required to make sure that those products have FIPS or CC first. They can help determine how much these certifications will increase a vendor’s sales, and which ones are most valuable within their agency.
- Accredited Testing Laboratories: These are the folks who test the actual security products and the supporting documentation. When they decide that all of the features and documents meet the requirements specified in the standard, they send a report to the overseeing government body attesting to this, and the certificate is issued from there.
- Government Standards Bodies or Schemes: These are the people from NSA and NIST who run the FIPS 140-2 and CC programs. They make the standards, oversee the testing labs, and sign the certificates. Interaction with them is usually mediated by the testing laboratories, and the smoother the validation goes, the less the government is directly involved here.
What does the validation process actually entail?
The process is fairly simple and has four steps:
1. Design (or redesign if needed) the product to meet the standards’ requirements
2. Produce a lot of very specific documentation on how the product meets the standards’ requirements
3. Have a testing laboratory compare the documentation and product to the requirements it claims to meet
4. Have the government review the lab’s findings and ultimately issue a certificate
These steps are the same for both FIPS 140-2 and CC. The most common problems come when vendors try to jump to step three in order to speed up efforts. It turns out that cutting corners in the first two steps messes up the rest of the process so badly that those kinds of shortcuts wind up taking much longer in the end.
What are the key terms to remember?
Fortunately, out of dozens (hundreds?) of acronyms, there are only five terms we truly need to understand right now:
- FIPS 140-2. This stands for Federal Information Processing Standard Publication number 140, version 3. It’s published by the US and Canadian governments, and although there are many FIPS standards, this is the only one we are referring to in this article.
- Levels (in regard to FIPS). There are four levels to FIPS 140-2: 1, 2, 3 and 4. Thus, you could get rated as FIPS 140-2 Level 1 or FIPS 140-2 Level 3. The lowest and easiest is Level 1 and the highest and most stringent is FIPS 140-2 Level 4. (Well, that’s confusing enough for this article. In actuality it’s murkier than this, because your product actually gets rated 1–4 in each of eleven different cryptographic security areas, and the overall rating is the lowest rating achieved in any of the eleven sections.)
- CC: Common Criteria. That’s a set of international standards. (Technically CC is just a language for writing standards and a methodology for evaluating against them, but those are the types of details we won’t get into just yet.)
- PP: Protection Profile. That’s a CC standard that is written for a particular type of product. E.g. a Firewall PP or a smart card PP. A vendor will choose which protection profile to follow when pursuing a certification for that product type.
- EAL: This stands for Evaluation Assurance Level – the level of a CC certification. You can pursue EAL 1 – EAL 4 (if you are a glutton for punishment you can actually pursue up to EAL 7; however, the “international” mutual recognition only covers EAL 1 through EAL 4, so if you need higher than EAL 4, you’re in for a real treat!). Unlike FIPS 140-2 levels, EAL levels aren’t about what the product must do. Instead, EAL levels are about how much work the laboratory does to make sure that the product does what it claims.
How do I find out more?
That is all the detail we will provide in today’s article. It is meant to serve as an introduction only, just to give a feel for what these standards are, why we need them, who the players are, and what the process is. In future issues, we will drill down into greater detail for both of these standards. In the meantime, please feel free to visit Corsec’s FIPS 140-2 and Common Criteria Resource Centers located at www.corsec.com.
About the author
John Morris is president and co-founder of Corsec Security, which offers consulting services for Common Criteria and FIPS 140-2 product validations. Mr. Morris is the former manager of a NVLAP-accredited testing laboratory, and has worked for the last decade in cryptography, public key infrastructure and security engineering with a focus on government security validations. You can read a Q/A by Mr. Morris in Corsec’s monthly e-newsletter by visiting www.corsec.com/news.php. Questions can be submitted to [email protected].