NIST standard could curtail agency buys
- By Heather Harreld
- Jul 27, 1997
A federal standard that kicked in June 30 but has been largely ignored by vendors may now prohibit agencies from buying many popular hardware and software security products.
The Federal Information Processing Standard (FIPS) 140-1 requires agencies after June 30 to buy systems called cryptographic modules - which are used for data encryption, user authentication, digital signatures, key management and other services - that have been validated by government-accredited laboratories. The standard applies to all sensitive but unclassified data, such as medical records, tax information, personnel records and other records that may not be deemed classified but that need to be protected during transmission or storage.
But only five companies - Northern Telecom Inc., National Semiconductor Corp., Motorola Inc., Spyrus Inc. and Mykotronx Inc. - have received validation from the government's two accredited laboratories. Most of these vendors provide products to support the Defense Department's Fortezza program.
Notably absent from the list are companies with large federal customer bases for various cryptographic modules, such as Microsoft Corp., IBM Corp., AT&T, RSA Data Security, Novell Inc. and dozens of other vendors that support cryptography in their products. All smart card, smart disc and security token vendors also must be validated under the standard.
Some companies still are in the testing phase. Netscape Communications Corp. has completed all the compliance tests for the standard, and the company is awaiting final certification, according to a Netscape official.
Although given casual treatment so far by many vendors, the standard could have major implications for information technology procurement because agencies are required by the Clinger-Cohen Act to comply with FIPS unless a waiver is issued by the president, the secretary of Commerce or the head of an agency, said Carl Peckinpaugh, a procurement attorney at Washington, D.C.-based Winston & Strawn and a columnist for FCW.
FIPS "are mandates on the agencies, and the agencies are required to enforce them," he said. "If they're not doing it themselves, there are other independent entities, such as the [General Accounting Office] and the federal courts, that will. There are plenty of [procurement protest] cases where people have alleged failure to provide the specification. That's a legitimate protest if you prove it's a requirement. It's a real good issue."
The standard was crafted in 1994 by the National Institute of Standards and Technology, which gave vendors about three years - to June 30 - to receive validation for their products, a NIST spokeswoman said. Agencies, meanwhile, have been allowed to purchase products from companies that had provided written affirmation that their encryption products met the standard.
Miles Smid, manager of NIST's security technology group, said it typically takes some time for vendors and agencies to take notice of a new FIPS. Smid said he expects products of some large companies to be validated soon. The new standard fills an important void for agency information systems security because it not only sets a standard for cryptographic algorithms but is designed to make sure that products have implemented the algorithms correctly, Smid said. Many recent security flaws in federal systems have been caused by the incorrect implementation of an algorithm, he said.
Many vendors may have opted not to have their products tested because agencies themselves are unaware of the standard and have not begun to include it in IT procurement requirements, said Santosh Chokhani, chief executive officer of Cygnacom Solutions, an IT security company that operates one of the two laboratories that validate products against the standard.
The testing process usually costs less than $100,000 and takes several months, Chokhani said. Several vendors, which Chokhani declined to name, now are discussing the possibility of submitting their products to Cygnacom for testing against the standard.
David O'Brien, director of government markets for Cylink Corp., said his company supports the FIPS program but thinks the testing process itself needs some tweaking. "Cylink believes that we should be 140-1-certified," O'Brien said. "[But] we are not happy with the [testing] process because it costs too much and it takes too long of a time. We think this process is not yet working and needs some attention."
Some agencies, however, have been keeping tabs on the standard. Two years ago Strategic Analysis Inc., an Arlington, Va.-based concern that specializes in advanced military systems, began plans for a secure World Wide Web site for the Air Force.
Thomas Gist, the Dayton, Ohio-area regional manager with Strategic Analysis, said the company found that Netscape was the only Web server vendor that had affirmed that its product conformed to the FIPS standard. The only other choice then would have been to use products approved by the National Security Agency for protecting classified information.
"There is no way that some mom-and-pop contractor is going to get a hold of NSA security gear," he said. "It is not all that hard for them to get a hold of Netscape Navigator. They were the only vendor interested in helping us provide encrypted World Wide Web support to our Air Force customer."