Federal Product Certifications
FIPS 140-2 Level II Certification
The Federal Information Processing Standard (FIPS) 140-2 is required by all US Federal agencies for cryptographic modules and cryptographic processing. The standard is also recognized and enforced by the Canadian government and by members of other industries, such as the financial services industry. The National Institute of Standards and Technology (NIST) is the government agency that oversees the FIPS 140-2 validation process. FIPS 140-2 validation is a process by which a product is fully documented and tested by a NIST-accredited laboratory to ensure that its use of cryptography meets the standard's security requirements.
The focus of FIPS 140-2 is to protect all aspects of Forum Systems cryptographic processing. This gives customers assurance that the following are secure:
- authentication and access control
- key management and storage
- cryptographic algorithms
- pseudo random number generation
- strength of passwords
- password storage
- error and failure states
- physical security
- power up self-tests
- integrity checks
- design assurance
NIAP Network Device Protection Profile (NDPP) Certification
The NDPP compliant designation builds on Forum Sentry’s FIPS 140-2 certification foundation, reaffirming Forum Systems’ commitment to delivering industry-leading API and cloud security gateway technology for protecting cloud, mobile and on-premise infrastructure traffic.
The creation by the National Information Assurance Partnership (NIAP) of technology-specific Protection Profiles, each with its own set of security assurance requirements, offers more targeted assurance with achievable, repeatable and testable requirements. Protection Profile compliance requires assurances and testing more rigorous than the previous EAL schemes. In cooperation with other countries, the United States has initiated an evaluation paradigm in which success for certain IT products requires a transition to Protection Profile compliance and a move away from EALs.
While many network devices pursued evaluations at EAL4 in the past, the majority of new evaluations by network device vendors are pursuing evaluation against the NIAP Network Device Protection Profile. Forum Systems has completed an evaluation that will be acceptable to the widest range of purchasers and that complies with the CNSSP #11 purchasing requirements. Forum's Common Criteria evaluation demonstrates the product's conformance to the Network Device Protection Profile and that the product provides all the security features the Network Device Protection Profile requires.
Now "NDPP Compliant," Forum Sentry is the industry's only FIPS 140-2 and NDPP-certified API Gateway for enabling secure connectivity between mobile applications, cloud applications, and on-premise IT components. Forum Sentry is the only API gateway vendor to achieve NDPP security certification, a testament to the security pedigree of the product technology.
Joint Interoperability Test Command - Department of Defense (JITC DoD-PKI)
Many programs supporting Department of Defense (DOD) missions require security services such as authentication, confidentiality, non-repudiation, and access control. To address these security needs, the DOD developed a Public Key Infrastructure (PKI). The DOD PKI provides products and services that enhance the security of networked information systems and facilitate digital signatures. Products that use these services must be tested to ensure they are PK-enabled correctly and are interoperable with the DOD PKI.
Following strict compliance testing of Forum Sentry against the requirements defined by the Joint Interoperability Test Command - Department of Defense (JITC DoD-PKI), the Forum Systems FIA Gateway (Sentry™ 1504G) is currently being deployed by government agencies for secure information sharing and collaboration.
Testing covered the Department of Defense Class 3 Public Key Infrastructure Public Key-Enabled Application Requirements, version 1.0 (13 July 2000), in the following areas: Retrieving Certificates, Importing Keys and Certificates, Storing Trust Points, Verifying Communication Protocols, Checking Certificate Status, Path Development and Processing, Application Configuration, and Application Documentation.
Federal Government Compliance and Directives
The DoD Information Technology Security Certification and Accreditation Process requires Interoperability Certification and Information Assurance (IA) accreditation of all telecommunications products connected to the DSN.
NSTISSP #11
National Security Telecommunications and Information Systems Security Policy No. 11 (http://niap.nist.gov/cc-scheme/nstissp-faqs.html) is a national information assurance directive which requires that systems that enter, process, store, display or transmit national security information must include information assurance products validated against the International Common Criteria for Information Security Technology (NIAP Common Criteria, http://www.niap.nist.gov/cc-scheme/in_evaluation.html#f) and/or Federal Information Processing Standard (FIPS) 140-2.
CNSS Policy #15
U.S. Government Departments or Agencies desiring to use security products implementing AES to protect national security systems and/or information (i.e., to provide confidentiality, authentication, non-repudiation, integrity, or to ensure system availability) or other mission critical information related to national security, are subject to review and approval by the National Institute of Standards and Technology (NIST) in accordance with the requirements of Federal Information Processing Standard (FIPS) 140-2.
The Net-Centric Enterprise Services program will provide a secure, collaborative information-sharing environment that enables systems to deliver the right information to the right person at the right time.
EGA (E-Government Act)
The E-Government Act of 2002 and the Federal Information Security Management Act (FISMA) permanently establish the guidelines set forth in the original Government Information Security Reform Act (GISRA), which assigns significant privacy and security responsibilities to federal information technology system operators and provides the framework for securing the Federal government's information technology.
Under the Federal Information Security Act of 2002, all applications and content must be protected against unauthorized access, use, disclosure, disruption, modification or destruction of information collected or maintained by the agency. Federal agencies have until December 2006 to apply the requirements to their existing systems. A recent survey of about 70 federal chief information security officers found that only about 40 percent of them had begun the now-mandatory process of categorizing their major applications and general support systems according to the impact that a serious breach in those systems could have on their agencies' ability to operate. (Federal Computer Weekly, March 2005; Federal Information Security Management Act of 2002, Title III of E-Gov)
NSTISSP #11 is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products. The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC) on 2/1/00. The policy mandates, effective 1 July 2002, that departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or crypto modules that have been validated in accordance with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Cryptographic Module Validation Program (CMVP). Additionally, subject to policy and guidance for non-national security systems, NSTISSP #11 notes that departments and agencies may wish to consider the acquisition of validated COTS products for use in information systems that may be associated with the operation of critical infrastructures as defined in the Presidential Decision Directive on Critical Infrastructure Protection (PDD-63).