FIPS policy creates Catch-22

Many commercial virus products can’t meet 140-2 standard

Antivirus vendor McAfee has informed the General Services Administration that it now has an antivirus product that complies with the newest Federal Information Processing Standard for cryptography.

FIPS 140-2 applies to cryptographic modules. Its predecessor, FIPS 140-1, was created in 1994. Compliance with the standard is mandatory, and lawmakers ended the waiver process that allowed agencies to bypass it as part of the Federal Information Security Management Act of 2002, said Randall Easter, who leads the Cryptographic Module Validation Program at the National Institute of Standards and Technology (NIST).

Until recently, no antivirus applications complied with the new cryptographic standard, procurement observers said. Most vendors have only recently begun to redesign their products so that they pass FIPS 140-2 certifications. McAfee is the first to report compliance to GSA. The Office of Management and Budget is now working on guidance, according to an OMB spokeswoman.

Cryptographic modules provide encryption, but they have a broader use in software. They perform services necessary for digital signatures, random number generation, e-authentication and other security functions. A cryptographic module may not offer any encryption services, but it still must receive certification that it meets the standard, Easter said.

He said he doubts that companies have many untested and unapproved products. FIPS 140-2 dates to 2001, according to a NIST Web site. Companies have had time to get their technology certified, he said. FIPS 140-1 is also still acceptable.

Other analysts, however, believe that antivirus vendors in particular, long attuned to consumer and commercial markets, are having difficulty with the newest cryptographic standard. GSA had put out a call for antivirus vendors to enter SmartBuy volume-licensing agreements but found none that could meet the requirements until McAfee did. The news came to GSA earlier this month, GSA spokesman Jon Anderson said.

“This is indeed an issue for us because we’re given the ideal standard we need to purchase to, and industry may be just rolling out products meeting this standard and not many exist,” Anderson said. “Or industry may still be researching or questioning the business viability of such a standard and hasn’t yet provided a product meeting this standard. In other words, we’re directed to provide a product meeting a standard that’s not yet industrywide or may even be beyond industry at the moment.”

McAfee’s news allows GSA to begin the procurement process on behalf of agencies, Anderson said.

The Defense Department signed an enterprise license with Symantec in 2005 under its Enterprise Software Initiative, covering antivirus and other Symantec products. Anderson said he was unsure how DOD was able to do so.

Chip Mather, senior vice president of Acquisition Solutions, said the issue is likely to run much deeper than antivirus software. “[If] you start to peel this onion, you’re going to find a lot of products that have” cryptography modules, he said.

Antivirus products probably struggle to meet the standard because of a lack of awareness, not an inability to meet the criteria, Easter said.

“Your first thought is, ‘It’s antivirus, not cryptography,’ but someone dug a little deeper and found that antivirus [software] does use cryptographic modules and so 140-2 does apply,” he said. John Pescatore, security analyst and a vice president at Gartner, also said a lack of awareness is the likely culprit in the failure to comply.

“The people selling pure cryptography software, they were getting certified years ago,” he said. “But for embedded cryptography you run into this.”

Antivirus vendors try to comply

McAfee may have been the first to tell the General Services Administration that its antivirus application now conforms to Federal Information Processing Standard 140-2, but it may not have been the first to achieve the milestone.

In 2004, Fortinet, based in Sunnyvale, Calif., announced that the cryptography module used in its product line, including its antivirus applications, had passed the test.

Other companies have also made some progress. Symantec announced in 2005 that it had gained FIPS 140-2 certification for a module used in its pcAnywhere product.

In 2004, F-Secure announced compliance with the standard for its Cryptographic Library for Windows module, used in its SSH Server for Windows Version 5.30.

— Michael Hardy
