Re: obtaining FIPS-140a

Mon, 17 May 1999 07:48:36 -0700 

The cost depends greatly on whether you are validating hardware &|
firmware &|
software, what level of validation you are going for (level 1-4 -- which

corresponds to hardware > level 2)
and on how many operating system platforms (secure OS's -- e.g. TCSEC
B1, C2, etc.).

You should try to find a vendor that develops a product similar to
yours and then ask the sales contact for a lead in engineering who did
the
work -- you should review the vendor list at
http://csrc.ncsl.nist.gov/cryptval/140-1/1401val.htm#list1
For Netscape's validation,  you can ask me directly -- assuming you
are validating software only modules across platforms.

http://developer.netscape.com/tech/security/fips/faq.html
- Netscape has a good FAQ on the subject -- see FAQ if you want to seek
out
more technical details -- typically, most people care about the Level of
validation
received.  Netscape has validated security modules on 18 software/OS
platforms,
and has a number of certificates you can review, that are linked to the
NIST site
from the FAQ.   Digital scans are available on request.

http://www.dalsemi.com/News_Center/Press_Releases/1998/pr_fips.html --
offers up some good techical data on their products, and their
validation.

The security policy documents for most vendors implementations are
available by
request from NIST.  Beyond the policy document, other documents are
typically
under non-disclosure between the NVLAP lab and the vendor.   Some
vendors make
a good deal of their technical details available in summary form.

Netscape, IBM, NIST, CSE have some good presentations that are available
in the 1999 RSA
conference proceedings -- see http://www.rsa.com/conf99/.  You might be
able to
order the RSA 99 CD / bound proceedings, since the presentations are not
on-line.
I can make the Netscape one available for those that have a great deal
of interest
in this subject.

John Hines
Engineering Manager
[EMAIL PROTECTED]

bram wrote:

> On Fri, 14 May 1999, Adam Back wrote:
>
> > Anyone who has done this have a feel for how much work and cost is
> > involved in obtaining FIPS-140a?  Are there samples of successful
> > applicant's submitted documentation available?
>
> Is this what you mean?
>
> http://www.itl.nist.gov/div897/pubs/fip140-1.htm
>
> -Bram
>
> (altavista is your friend)

Reply via email to