Re: [Fed-Talk] no sensitive data on Macbooks at NIH
- Subject: Re: [Fed-Talk] no sensitive data on Macbooks at NIH
- From: Joshua Krage <email@hidden>
- Date: Mon, 7 Apr 2008 18:45:37 -0400
FIPS 140 doesn't certify hard drives. It only certifies
cryptographic modules. So unless the hard drive natively
incorporates cryptography, you won't see it on the list. More
commonly you'll see something that enables an ATA drive to become
fully-encrypted, e.g. Silicon Data Vault. Hard to fit this into the
MacBook's form-factor. A true hardware-only solution on USB or
Firewire bus should work. You won't see too many enterprises
adopting this due to lack of central management such as remote wipe
capabilities.
You probably don't /really/ want to delve deeply in FIPS 140(-1 or
-2) and NIST terminology... unless you have to.
FIPS 140-2 requires cryptographic modules to be certified prior to
use in Federal systems. As previously noted, this is a lengthy and
arduous process. Sometimes multiple rounds are required as the
vendor makes changes, or in some cases where a competitor challenges
the result.
Each FIPS 140 certificate is issued for the _specific_ module/
capability which is authorized. Some modules, e.g. OpenSSL, must be
run in FIPS mode, others always are FIPS-compliant. Mapping the
certified products list to something useful requires detailed
knowledge of that vendor's product line. The listed name is whatever
the vendor submits, and can be a sub-component, e.g. PGP SDK, of a
larger product set.
FIPS compliance is a baseline requirement for all Agencies and all
system security plans. The FIPS waiver process is onerous and few
Agencies are likely to even attempt it. Security plans can
technically accept the risk of operating without a FIPS-approved
cryptographic module, subject to the plan approval and risk
acceptance process.
Personally, when a sensitive data theft happens, I'd prefer to
upgrade the media statements from "the data on the device was not
protected..." to "while the data on the device was protected, the
protection didn't meet the Federal standards...". That said, the
best media statement will be "the data on the device was protected
following Federal standards...", or "no theft happened". :)
--
-----------------------------------------------------------------
email@hidden, CISSP
NASA GSFC Associate CIO for Information Security
On Apr 7, 2008, at 12:37 PM, Michael wrote:
> On Apr 7, 2008, at 11:46 AM, Rex Sanders wrote:
>> According to Federal regulations, it's not encrypted if it's not
>> validated.
>> All Federal agencies are required to follow these rules, not just
>> NIH.
>> At this time, nothing built-in to Mac OS X has FIPS 140-1 or 140-2
>> validation. Very few products from any source provide validated
>> file or disk encryption for Mac OS X.
> Thanks for the correction and links. MacBooks can run Windows and
> Linux but I guess that does not help.
> <http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm>
> is a bit hard to understand, which of those items applies
> to Vista's BitLocker and Check Point Software's Pointsec (item
> 208?). I gather Pointsec is used for Windows XP at NIH, but the
> description does not say Windows XP. SafeGuard Easy has FIPS 140
> but is not good enough for NIH I guess.
> What products provide FIPS 140 file or disk encryption for OS X at
> this time?
> I see lots of modules not end products that I can understand, i.e.
> item #765 PGP Software Developer's Kit (SDK) Cryptographic Module.
> Item #477 "Silicon Data Vault" is OS independent it says but
> requires ATA HD.
> Has anyone booted OS X from a FIPS 140 certified internal or
> external hard drive, i.e. USB, Firewire, ATA, or SATA?
> Michael
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden