Federal Product Certification

FIPS Certification

The Federal Information Processing Standard (FIPS) outlines a consistent set of security requirements for cryptographic modules. FIPS 140-2 is required by all US Federal agencies for cryptographic modules. This standard is also recognized and enforced by the Canadian government, as well as members of other industries such as the financial services industry. The National Institute of Standards and Technology (NIST) is the government agency that oversees the FIPS validation process. FIPS 140-2 is a process by which a product is adequately documented and validated by a NIST-certified lab to ensure that our use of cryptography is completely secure.

The focus on FIPS is to protect all aspects of Forum Systems cryptographic processing. This gives customers an assurance that the following are secure:

• authentication and access control
• key management and storage
• cryptographic algorithms
• pseudo random number generation
• strength of passwords
• password storage
• error and failure states
• physical security
• power up self-tests
• integrity checks
• design assurance

Why does FIPS matter to commercial organizations?

Government and military security regulations are among the strictest in the industry and require that information assurance (IA) products be fully FIPS compliant, thus third party testing of the "end-product" becomes mandatory. We feel that companies who voluntarily undergo such extensive testing are delivering new levels of trust in information assurance. It is great to see that level of commitment being made to product security.

Web Services Security specifications rely on cryptographic processing and products that support these standards should participate in validation programs to publicly certify their level of security. Through FIPS 140-2 certification, NIST (National Institute of Standards and Technology) provides a rigorous framework for testing such security products with a number of levels of validation:

• FIPS 140-2 level I
• FIPS 140-3 level II

Why is Forum's FIPS Certification is superior that products on the market?

Forum products are FIPS 140-2 Level II validated satisfying strict physical security requirements such as tamper-evident physical security or pick-resistant locks. Level II also provides for role-based authentication allowing software cryptography in multi-user time-shared systems when used in conjunction with a C2 or equivalent trusted operating system.

Most other products incorporate FIPS-validated Hardware Security Modules (HSM) just to protect their cryptographic keys. Although this serves as a good first step towards information assurance, it does not take the broader operating environment into consideration.

The Forum FIA™ (Federal Information Assurance) Gateway 1504 version 4.3 is compliant with the Federal Information Processing Standard (FIPS) 140-2 Level II validation. By achieving FIPS validation for the entire system, including its sub-components, the Forum FIA Gateway has become the first and only solution in the market to provide comprehensive information assurance for XML, Web Services and service-orientated architectures (SOA).

Forum's FIA Gateway has completed rigorous independent testing and certification for the FIPS 140-2 level II standards through Domus IT, an IBM subsidiary and the National Institute of Standards and Technology

What is a FIPS-validated HSM and why is it insufficient?

Private keys are central to cryptographic operations that are used in technologies such as Secure Sockets Layer (SSL) and Web Services Security. They are the crown jewels of an organization and their security must be guaranteed against any sort of compromise. Software-based cryptographic toolkits, by their very portable nature, cannot completely protect against private key theft and attacks such as key copying and modification – which can readily result in significant financial loss and business disruption. Imagine the value of a digital signature on a transaction where duplicate private keys exist. There will be no way to assure the authenticity of the transaction. The entire viability of cryptographically-protected transactions relies on the integrity of private keys.

• The Forum FIA Gateway 1504G certificate number is # 511. For more information, please visit http://csrc.nist.gov/cryptval/140-1/140val-all.htm.

Common Criteria EAL 4+ Assurance Level

The Common Criteria are a set of internationally recognized guidelines which provide a consistent standard for evaluating security products. Countries that recognize Common Criteria include the United States, Canada, France, Germany, the United Kingdom, Australia, New Zealand, Italy, Japan, Spain, the Netherlands, Norway, Finland, Greece and Israel, Austria, Sweden, Hungary and Turkey.

The framework provided by the Common Criteria allows government, financial services and other groups to analyze a product based on a defined set of functionality and requirements. In turn, this framework helps security vendors achieve market validation and customer assurance. The Common Criteria validation process is quickly becoming one of the security industry's best practices and we are pleased to see leading companies submit their products for evaluation in this important program.

Dedicated to an efficient process, Forum Systems has partnered with Corsec Security, Inc., a leading consulting firm specializing in government validations in the security space. Leveraging Corsec's vast experience and proven expertise in FIPS 140-2 and Common Criteria, Forum will benefit from their ability to streamline and navigate this comprehensive testing and validation process.

The company has augmented its validation to give customers and partners complete confidence in the overall security of its product offering. Additionally, six assurance requirements from the new Medium Robustness Guidelines have been included as a means to deliver Web services security products that comply with the most current validation and methodology testing available on the market. The augmented assurance requirements, including an enhanced vulnerability assessment and covert channel analysis, will be validated jointly by the National Information Assurance Partnership (NIAP) and the COACT, Inc. Common Criteria Test Lab (CCTL).

Forum Systems is undertaking the highest level of evaluation assurance testing for their type of product to date to include all of the assurance requirements from the NSA-authored Medium Robustness Guidelines for Protection Profiles, six of which are above the EAL4, which is the highest assurance level accepted under the Mutual Recognition Agreement (MRA). Such a rigorous validation effort will give Forum's customers an extremely high level of security assurance.

http://niap.bahialab.com/cc-scheme/in_evaluation.cfm

CNSS Policy #15 and NSTISSP Policy #11

Forum Systems products conform to DODD (Dept of Defense Directives) and CJCSI (Chairman Joint Chiefs of Staff Instructions) which states that all products having to do with Information Assurance (IA) be certified both by NIAP Common Criteria and FIPS 140-2 in order to be used on any national security system.

Joint Interoperability Test Command -Department of Defense (JITC DoD-PKI),

Many programs supporting the Department of Defense (DOD) missions require security services, such as authentication, confidentiality, non-repudiation, and access control. To help address these security problems, the DOD developed a Public Key Infrastructure (PKI). The DOD PKI provides products and services that enhance the security of networked information systems and facilitate digital signatures.These must be tested to ensure they are enabled correctly, and are interoperable with the DOD PKI.

Following strict compliance testing of the Forum Sentry and requirements defined by Joint Interoperability Test Command -Department of Defense (JITC DoD-PKI), the Forum Systems FIA Gateway (Sentry™ 1504G) is currently being deployed by government agencies for secure information sharing and collaboration.

Department of Defense Class 3 Public Key Infrastructure Public Key-Enabled Application Requirements, version 1.0 13 July 2000 in the following areas: Retrieving Certificates, Importing Keys and Certificates, Storing Trust Points, Verifying Communication Protocols, Checking Certificate Status, Path Development and Processing, Application Configuration and Application Documentation.

http://jitc.fhu.disa.mil/pki/vendor/forum_systems_forum_sentry.html.