Evaluation of Common Criteria, FIPS 140, INTERAC (SPED), PCI, security and cryptographic products

Time required for Certification

Total time necessary to certify a product depends on a number of factors; compliance with the FIPS 140 standard, complexity, desired security level and vendor timetable. Certification efforts are always measured in months and once begun should take approximately two to three months.

Can a product Fail?

The purpose of the FIPS 140 Standard is to promote good design practices for cryptographic modules. Essentially, a product cannot fail the certification process if the product and supporting documentation were designed with strict adherence to the FIPS 140 standards. The pre-certification assistance offered by DOMUS ITSL is invaluable as many of the potential "problem areas" can be addressed and resolved prior to the certification process. It should be noted, however, that NIST and CSE, as the final authorities for FIPS 140 certification, reserve the right to question certain technical implementations of a certification and request more information or clarification. In this case, DOMUS ITSL works with the client and acts as a liaison with NIST and CSE, to resolve the issue(s) and expedite the certification process. Our primary focus is on obtaining certification for your product. During the entire certification process all work performed by DOMUS ITSL is treated as highly confidential and all proprietary data is protected. We do not release any documentation or results without your permission.

FIPS-140-2 Certification Process

Once the terms of the contract for certification services have been agreed upon and signed by both the vendor and DOMUS ITSL, and the vendor has produced the applicable supporting documentation, the certification process typically follows the steps listed below:
Certification Flow Chart.

Vendor submits documentation and product for certification/testing
DOMUS ITSL reviews and tests the product against the FIPS 140-2 Derived Test Requirements.
DOMUS ITSL prepares and submits a draft certification report to NIST/CSE for review.
NIST/CSE provides DOMUS ITSL with questions/comments on the certification report.
Once these questions have been resolved with NIST/CSE, a FIPS 140 certificate is issued by NIST/CSE.
The new certificate and descriptive information are posted to the CMVP website on the NIST FIPS 140-1 and FIPS 140-2 Cryptographic Modules Certification List web page.

Software Certification

Yes, software products can be certified and a number of software cryptographic have already been certified. Microsoft, Netscape, RSA Data Security, and Entrust have all certified their software cryptographic modules.

Required Vendor Documentation

NIST requires that every vendor supply a non-proprietary security policy document with each certified module.

DOMUS ITSL will require some or all of the following:

A "Finite State Machine" model and transition table;
key management documents, operating manuals;
design specifications, component specifications;
design documents, code listings;
third party documentation, and third party certifications and licenses.

This documentation must give enough information to satisfy all the applicable categories of security requirements listed in the derived test requirements of FIPS Pub 140-2. These categories are: cryptographic module design, module ports and interfaces, roles, services & authentication, finite state machine, physical security, operational environment, cryptographic key management, EMC/EMI, self-tests, design assurance, mitigation of other attacks and cryptographic module security policy. A review of the FIPS PUB 140-2, the Derived Test Requirements, and the Implementation Guidance will clarify the applicability and requirements of each documentation category.

For more information on DOMUS ITSL FIPS 140-2 services please contact us via email (or phone at 613-247-5698).