On Dec 17, 2008, at 4:02 PM, Allan Marcus wrote:

The problem is the FIPS 140-2 validation is required by NIST 800-53 SC-13. Basically, if you don't have 140-2 validation, you ain't in the federal space (for those organizations that have to follow 800-53)

---
Thanks,
Allan Marcus

Allan,
I am not trying to claim that *you* do not need to deal with the requirements relating to FIPS 140-2 validation. All I was clarifying is that Seagate has received National Security Agency Qualification for National Security Systems.
Not every individual and every system in the Federal Government is held to the exact same standards. Also, not everyone on this list and their corresponding organization is under Federal Government mandates such as you are at LANL.
There are far too many issues with the FIPS 140-x process, but I personally agree with the public statement made by Seagate with reference to FIPS 140-2:
.....Development and product cycles are too short for disk drives to acquire FIPS certification; the Seagate Momentus 5400 FDE.2 drive is already on its second generation (the .2 designation). ....
Sometimes things look good on paper, but fail to provide the desired effect in the real world. Rapidly innovative companies and the enterprise consumers of their products are hurt the most by these kinds of approaches.
The NIST process and the NSA qualification process are clearly at odds. Things will naturally shake out, but for innovation and ensuring products are using best practices and being able to use that technology in a timely manner -- I'll side with the NSA Qualification any day!
Before everyone flames me for these comments, keep in mind I more than realize you are doing your job to meet the requirements you are expected to meet.
/* personal comments - not those of Apple Inc. */
I am just raising questions as to whether the requirements you are under are truly in the best interest of your agency and our government. Choosing between two products because one has already been granted validation and the other has not can encourage folks to overlook the better and more appropriate products simply because of a "Check-box". Is that what our Federal Government IT Security thinking has come to? I'll take an NSA letter of Qualification over FIPS any day!
/* personal comments - not those of Apple Inc. */