Re: [Fed-Talk] The Joys of FIPS
- Subject: Re: [Fed-Talk] The Joys of FIPS
- From: "Shawn A. Geddis" <email@hidden>
- Date: Fri, 20 Sep 2013 12:18:53 -0700
On Sep 20, 2013, at 11:22 AM, Walls, Bryan K. (MSFC-EO50) <email@hidden> wrote:

> Perhaps the point is that all of the NSA discussion has moved the "FIPS 140-2 Compliant" label from having the connotation of "this was secure two years ago" that we're all used to into "this may be PWND by the NSA." Which is bad news for those of us who need it, since it makes it even less of an attractive investment for companies like Apple.
>
> What's your take on the timetable for iOS 7 being FIPS 140-2 Compliant? Is the pipeline any shorter now than for iOS 6?
Bryan,
I believe there has been much misunderstanding about FIPS 140 within the federal space for quite some time. I am continually/daily perplexed at the assumptions/expectations/beliefs people have related to FIPS 140 module validation.
In my opinion, a final version of FIPS 140-3 will probably never see the light of day and will eventually be superseded by ISO/IEC 19790 for a more global focus, and hopefully then we will have a reasonable turnaround time in validations. Ten months for a vendor and all of their customers to wait on a validation is simply, well - unacceptable. Another example of the bad guys getting to use whatever they want while the good guys (you all) are forced to stand and wait on the sidelines. Many of you have heard me say this before but, despite the good people in CMVP (and I do mean that), the process is horribly broken and needs to be fixed ASAP.
FIPS 140-? ==> ISO/IEC 19790 Security requirements for cryptographic modules
The “queue” for products waiting to be accepted into “In Review” (meaning they appear as “Review Pending”) remains at 6+ months for everyone. At this rate you all will forever be shackled to running older, possibly even deprecated, products in your environments - that is the reality until things change.
- Shawn

________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division