Although encryption is subject to import and export guidelines, there's another type of government regulation that impacts
what customers buy. Some industrialized nations choose encryption standards and require testing of encryption products before
government buyers can purchase them.
In the U.S., federal agencies looking to secure sensitive but unclassified data have to buy encryption-based products that
have passed the so-called "Federal Information Processing Standard (FIPS) 140-2" certification tests.
Seven test labs, overseen by the Commerce Department's National Institute of Standards and Technology (NIST), examine products
to ensure that crypto based on the Advanced Encryption Standard, Triple-DES, Skipjack, RSA, or the Digital Signature Algorithm is correctly implemented in those products.
Randy Easter, director of NIST's cryptographic module program, says 50% of the products that have passed through testing had
flaws that got corrected in the process.
FIPS 140-2 certification is gaining international appeal, too. The British government now requires FIPS 140-2 validation
as part of its testing of products for government purchase.
Testing can be expensive. According to Roy Pereira, product manager at encryption vendor Certicom, it took hundreds of thousands
of dollars and more than a year to get its Security Builder GSE tool kit through FIPS 140-2 validation.
Some companies, including EncryptX, acknowledge they can't sell to U.S. agencies because they haven't gone through FIPS 140-2
testing. Easter says government buyers should require documentation of FIPS 140-2 approval when purchasing products.
Read more about security in Network World's Security section.