FIPS policy creates Catch-22

Many commercial antivirus products can’t meet the 140-2 standard

Antivirus vendor McAfee has informed the General Services Administration that it now has an antivirus product that complies with the newest Federal Information Processing Standard for cryptography.

FIPS 140-2 applies to cryptographic modules. Its predecessor, FIPS 140-1, was created in 1994. Compliance with the standard is mandatory, and lawmakers ended the waiver process that allowed agencies to bypass it as part of the Federal Information Security Management Act of 2002, said Randall Easter, who leads the Cryptographic Module Validation Program at the National Institute of Standards and Technology (NIST).

Until recently, no antivirus applications complied with the new cryptographic standard, procurement observers said. Most vendors have only recently begun to redesign their products so that they pass FIPS 140-2 certifications. McAfee is the first to report compliance to GSA. The Office of Management and Budget is now working on guidance, according to an OMB spokeswoman.

Cryptographic modules provide encryption, but they have a broader use in software. They perform services necessary for digital signatures, random number generation, e-authentication and other security functions. A cryptographic module may not offer any encryption services, but it still must receive certification that it meets the standard, Easter said.

He said he doubts that companies have many untested and unapproved products. FIPS 140-2 dates to 2001, according to a NIST Web site. Companies have had time to get their technology certified, he said. FIPS 140-1 is also still acceptable.

Other analysts, however, believe that antivirus vendors in particular, long attuned to consumer and commercial markets, are having difficulty with the newest cryptographic standard. GSA had put out a call for antivirus vendors to enter SmartBuy volume-licensing agreements but found none that could meet the requirements until McAfee did. The news came to GSA earlier this month, GSA spokesman Jon Anderson said.

“This is indeed an issue for us because we’re given the ideal standard we need to purchase to, and industry may be just rolling out products meeting this standard and not many exist,” Anderson said. “Or industry may still be researching or questioning the business viability of such a standard and hasn’t yet provided a product meeting this standard. In other words, we’re directed to provide a product meeting a standard that’s not yet industrywide or may even be beyond industry at the moment.”

McAfee’s news allows GSA to begin the procurement process on behalf of agencies, Anderson said.

The Defense Department signed an enterprise license with Symantec in 2005 under its Enterprise Software Initiative, covering antivirus and other Symantec products. Anderson said he was unsure how DOD was able to do so.

Chip Mather, senior vice president of Acquisition Solutions, said the issue is likely to run much deeper than antivirus software. “[If] you start to peel this onion, you’re going to find a lot of products that have” cryptography modules, he said.

Antivirus products probably struggle to meet the standard because of a lack of awareness, not an inability to meet the criteria, Easter said.

“Your first thought is, ‘It’s antivirus, not cryptography,’ but someone dug a little deeper and found that antivirus [software] does use cryptographic modules and so 140-2 does apply,” he said. John Pescatore, security analyst and a vice president at Gartner, also said a lack of awareness is the likely culprit in the failure to comply.

“The people selling pure cryptography software, they were getting certified years ago,” he said. “But for embedded cryptography you run into this.”

Antivirus vendors try to comply

McAfee may have been the first to tell the General Services Administration that its antivirus application now conforms to Federal Information Processing Standard 140-2, but it may not have been the first to achieve the milestone.

In 2004, Fortinet, based in Sunnyvale, Calif., announced that the cryptography module used in its product line, including its antivirus applications, had passed the test.

Other companies have also made some progress. Symantec announced in 2005 that it had gained FIPS 140-2 certification for a module used in its pcAnywhere product.

In 2004, F-Secure announced compliance with the standard for its Cryptographic Library for Windows module, used in its SSH Server for Windows Version 5.30.

— Michael Hardy
