Satisfying Seemingly Divergent Requirements—Taking Common Criteria into Consideration When Architecting Products for FIPS 140 Certifiability, What the FIPS Certification Specialist Needs to Know (C30a)
In the alphabet soup that is the landscape of product security certifications today, it is well understood that FIPS is the foundational certificate. Often that means it gets the first round of attention from security certification specialists while the others are put on the back-burner. This can be dangerous if additional certifications or authorizations must follow, though. Common Criteria (CC), for example, has a larger global scope than FIPS, and thus may (and does) mandate cryptography that is often overlooked in a FIPS validation. Similarly, FedRAMP requires encryption in many places that are often not part of a FIPS validation.
The question, then, is whether the security certification specialist needs to be an expert in both FIPS 140 and all of these other certifications. In this presentation we argue that although having a multi-domain expert would be ideal, it is not often possible to have an available resource with strong expertise in both areas. A FIPS certification specialist who knows the key concepts of the CC certification realm, and who can knowledgeably leverage the advice of CC or other certification experts as required (whether they be colleagues, consultants, or CSTL employees), can go a long way toward successfully designing and certifying a product that satisfies the requirements and rules of multiple security certification schemes. The speakers will illustrate which cross-domain skills a FIPS certification specialist needs in order to properly comprehend CC (as well as FedRAMP) certification requirements, and will also show how best to capitalize on the expertise of available certification resources to properly scope your FIPS effort from the beginning.