FIPS policy creates Catch-22

Antivirus vendor McAfee has informed the General Services Administration that it now has an antivirus product that complies with the newest Federal Information Processing Standard for cryptography.

FIPS 140-2 applies to cryptographic modules. Its predecessor, FIPS 140-1, was created in 1994. Compliance with the standard is mandatory, and lawmakers ended the waiver process that allowed agencies to bypass it as part of the Federal Information Security Management Act of 2002, said Randall Easter, who leads the Cryptographic Module Validation Program at the National Institute of Standards and Technology (NIST).

Until recently, no antivirus applications complied with the new cryptographic standard, procurement observers said. Most vendors have only recently begun to redesign their products so that they pass FIPS 140-2 certifications. McAfee is the first to report compliance to GSA. The Office of Management and Budget is now working on guidance, according to an OMB spokeswoman.

Cryptographic modules provide encryption, but they have a broader use in software. They perform services necessary for digital signatures, random number generation, e-authentication and other security functions. A cryptographic module may not offer any encryption services, but it still must receive certification that it meets the standard, Easter said.

He said he doubts that companies have many untested and unapproved products. FIPS 140-2 dates to 2001, according to a NIST Web site. Companies have had time to get their technology certified, he said. FIPS 140-1 is also still acceptable.

Other analysts, however, believe that antivirus vendors in particular, long attuned to consumer and commercial markets, are having difficulty with the newest cryptographic standard. GSA had put out a call for antivirus vendors to enter SmartBuy volume-licensing agreements but found none that could meet the requirements until McAfee did. The news came to GSA earlier this month, GSA spokesman Jon Anderson said.

“This is indeed an issue for us because we’re given the ideal standard we need to purchase to, and industry may be just rolling out products meeting this standard and not many exist,” Anderson said. “Or industry may still be researching or questioning the business viability of such a standard and hasn’t yet provided a product meeting this standard. In other words, we’re directed to provide a product meeting a standard that’s not yet industrywide or may even be beyond industry at the moment.”

McAfee’s news allows GSA to begin the procurement process on behalf of agencies, Anderson said.

The Defense Department signed an enterprise license with Symantec in 2005 under its Enterprise Software Initiative, covering antivirus and other Symantec products. Anderson said he was unsure how DOD was able to do so.

Chip Mather, senior vice president of Acquisition Solutions, said the issue is likely to run much deeper than antivirus software. “[If] you start to peel this onion, you’re going to find a lot of products that have” cryptography modules, he said.

Antivirus products probably struggle to meet the standard because of a lack of awareness, not an inability to meet the criteria, Easter said.

“Your first thought is, ‘It’s antivirus, not cryptography,’ but someone dug a little deeper and found that antivirus [software] does use cryptographic modules and so 140-2 does apply,” he said. John Pescatore, security analyst and a vice president at Gartner, also said a lack of awareness is the likely culprit in the failure to comply.

“The people selling pure cryptography software, they were getting certified years ago,” he said. “But for embedded cryptography you run into this.”