Agencies, vendors comply with security standard

Agencies and vendors slowly are beginning to comply with a federal standard that has been in effect for almost two years and that governs the purchase of hardware and software security products.

A standard that was issued by the National Institute of Standards and Technology required agencies after June 30, 1997, to begin buying systems called cryptographic modules, which encrypt data, authenticate users' identities and rely on digital signatures, private-key management and other services that have been validated by government-accredited laboratories.

The Federal Information Processing Standard (FIPS) 140-1 applies to all sensitive but unclassified data, such as medical records, tax information, personnel records and other data that may not be deemed classified but that needs to be protected during transmission or storage.

But the standard has been slow to catch on in government procurement shops and, therefore, in industry. In July 1997, only five companies— Northern Telecom Inc., National Semiconductor Corp., Motorola Inc., Spyrus Inc. and Mykotronx Inc.— had received validation from the government's accredited labs. Since then, seven more companies have been added to the list of those offering approved products.

The companies that recently have received approval from NIST are Chrysalis-ITS, Cylink Corp., Entrust Technologies, GTE Internetworking, Information Resource Engineering, Netscape Communications Corp. and Transcrypt International.

Twenty other products are undergoing testing. Government officials will not reveal the names of the companies that have submitted products for testing.

Federal agencies also have begun to incorporate FIPS

140-1 requirements in procurement requests, according to Kamy Kavianian, senior product line manager at Cylink, which received approval for its Turbo Cypto card last November.

"[FIPS validation] increased our sales," Kavianian said. "We've sold thousands of these devices into mission-critical applications. It gives the user the ability to choose the level of security...for the application they have in mind."

Miles Smid, manager of the security technology group at NIST, said officials there were pleased with reports last week that agencies such as the Air Force, the National Security Agency and the U.S. Postal Service are requiring vendors to meet the standard.

The General Services Administration also plans to require FIPS 140-1-approved products in a new governmentwide public-key services contract that it is planning, Smid said. In addition to the Air Force, USPS is using approved products inside its newest postal meters, which generate digital signatures.

"We feel that it's really catching on," Smid said. "Our workload in looking at validation reports is increasing significantly. The market on nonclassified products tends to be smaller companies that tend to be less experienced. Validation and testing of cryptographic products is very important."

The Air Force Communications Agency in March 1997 began developing a list of products that had received FIPS 140-1 approval or are now being tested. That list, scheduled to be distributed in July to all bases, also includes vendors, such as Microsoft Corp., that have committed in writing to submit their products for testing, said Melissa Palmer, chief of Air Force computer and network security policy at the Air Force Computer Information Center.

"There are some vendors that are reluctant to come in and get tested," Palmer said. "We think if we let the vendor community know we are serious about this, they will take the time to get tested."

NIST soon will begin working on a next-generation cryptographic module standard, called FIPS 140-2. Smid said NIST will issue a request for comments on the need for a revised standard sometime this fall.