Re: [Fed-Talk] Re: Seagate FDE Drives
- Subject: Re: [Fed-Talk] Re: Seagate FDE Drives
- From: Mark Radleigh <email@hidden>
- Date: Wed, 17 Dec 2008 23:39:49 -0600
- Thread-topic: [Fed-Talk] Re: Seagate FDE Drives
Umm... It's my understanding that for 'Data At Rest' products, FIPS 140-2
Cryptographic *Algorithms* and/or *Modules* are to be used (the *whole* hard
drive need not be certified). For the DoD, the following snippet from
8500.2 provides the guidance (there may be more stringent local or service
policies):
----- BEGIN SNIPPET ---------------
ECCR-1 Encryption for Confidentiality (Data at Rest)
If required by the information owner, NIST-certified cryptography is used to
encrypt stored sensitive information.
----- END SNIPPET ---------------
Being that the Seagate utilizes the AES cryptographic algorithm (which is
FIPS 140-2 certified) *and* apparently has been approved/endorsed by the
NSA, I would imagine Information Assurance Executives (or whatever
'Big-Cheese' title you want to use) would have no problem approving its use
as opposed to NO ENCRYPTION, or buggy software encrypted drives. Remember,
most US Government Approval Authorities *can* approve products and/or
systems that deviate from (or don't *exactly match*) written policies and/or
guidelines.
Of course, for those of you who would like more testing to be done, I would
be *happy* to perform some additional rigorous testing of the Seagates if
someone were to send me about a dozen *new* (fully loaded) MacBook Pros
(feel free to throw in some iMacs, MacBook Air, Mac Pros and iPhones) with
Seagate hard drives. Also, please make sure to send at least one (two
preferred) 30" Apple Cinema HD display. I don't want to strain my eyes when
I'm...um...testing. :)
Mark Radleigh
------ Forwarded Message
Subject: Re: [Fed-Talk] Re: Seagate FDE Drives
From: "Shawn A. Geddis" <email@hidden>
Date: Wed, 17 Dec 2008 16:57:01 -0800
On Dec 17, 2008, at 4:02 PM, Allan Marcus wrote:
> The problem is the FIPS 140-2 validation is required by NIST 800-53 SC-13.
> Basically, if you don't have 140-2 validation, you ain't in the federal
> space (for those organizations that have to follow 800-53)
> ---
> Thanks,
> Allan Marcus
Allan,
I am not trying to claim that *you* do not need to deal with the
requirements relating to FIPS 140-2 validation. All I was clarifying is
that Seagate has received National Security Agency Qualification for
National Security Systems.
Not every individual and every system in the Federal Government is held to
the exact same standards. Also, not everyone on this list and their
corresponding organization is under Federal Government mandates such as you
are at LANL.
There are far too many issues with the FIPS 140-x process, but I personally
agree with the public statement made by Seagate with reference to FIPS
140-2:
.....Development and product cycles are too short for disk drives to acquire
FIPS certification; the Seagate Momentus 5400 FDE.2 drive is already on its
second generation (the .2 designation). ....
Sometimes things look good on paper, but fail to provide the desired effect
in the real world. Rapidly innovative companies and the enterprise
consumers of their products are hurt the most by these kinds of approaches.
The NIST process and the NSA qualification process are clearly at odds.
Things will naturally shake out, but for innovation and ensuring products
are using best practices and being able to use that technology in a timely
manner -- I'll side with the NSA Qualification any day!
Before everyone flames me for these comments, keep in mind I more than
realize you are doing your job to meet the requirements you are expected to
meet.
/* personal comments - not those of Apple Inc. */
I am just raising questions as to whether the requirements you are under are
truly in the best interest of your agency and our government. Choosing
between two products because one has already been granted validation and the
other has not, can encourage folks to overlook the better and more
appropriate products simply because of a "Check-box". Is that what our
Federal Government IT Security thinking has come to? I'll take an NSA
letter of Qualification over FIPS any day!
/* personal comments - not those of Apple Inc. */
- Shawn
------ End of Forwarded Message