The FIPS 140-2 CM overall rating: What’s [not] in it for me? (U30b)
The CMVP standards page “boldly” states that “It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating.” What does that mean to vendors and users of CMs in acquisition environments that often use the overall rating as the sole driving criterion for IT procurements involving a cryptographic module?
Today’s operational environments present capabilities and risks not fully known or perhaps even considered when the current FIPS 140-2 standard was introduced in November 2001. This presentation goes beyond the FIPS 140-2 overall rating to explore select areas of CM design and implementation that inform risk management and CM selection for “on premise” and “as-a-service” use cases. While the CMVP understands that individual areas “may be more important than the overall rating…,” it is equally and arguably more important that CM vendors and users understand this as well.
This presentation examines:
– Use of software vs hardware-based CMs for cryptographic protection of data at rest in “on premise” and “as-a-service” operational environments
– Implications for cryptographic protection based on data type (e.g., user data, system configuration information, system-generated metadata) and media type (e.g., NVRAM, Flash, SED)
– How frameworks like the Common Criteria and NIST RMF can help inform risk management decisions related to CM selection (hardware vs software)